Feds and White Hats Put the Brakes on Bank-Swindling Botnet – Dridex

Law enforcement agencies from around the world and private cybersecurity companies have come together to stop a far-reaching botnet that infected hundreds of thousands of computers every year to steal money from targeted banks. The mastermind behind the malicious botnet has also been arrested.

Multiple law enforcement agencies and several cybersecurity firms have seized control of a network of infected computers that spread the infamous Dridex (formerly Bugat) malware, a malicious exploit designed to spy on victims’ machines and steal banking credentials, with the ultimate aim of breaking into bank accounts and stealing cash.

According to estimates, the botnet is responsible for siphoning $10 million from U.S. banks in the past year along with another £20m stolen from UK banks.

Furthermore, a 30-year-old man named Andrey Ghinkul, allegedly the mastermind of the botnet, has been arrested in Cyprus, with the U.S. Department of Justice filing charges against him, reports CNN Money.

The Dridex Botnet

Bugat, the first discovered version of the Dridex strain of malware, was originally identified by security researchers at Dell SecureWorks in 2010. Even five years ago, the malware had the means to spy on victims’ internet habits by tapping directly into network traffic and even taking screenshots of the user’s activity in the browser.

The malware quickly evolved into the botnet the world now knows as Dridex, wherein the infected computer is harnessed into a network of other infected computers to form a botnet. The controller of the botnet, with an army of infected computers at one’s disposal, had the means to evade law enforcement by communicating with any given infected computer through others on the wide-reaching network.

Unlike malware with worm-like capabilities, Dridex does not spread on its own and relies on a comprehensive phishing effort by the attackers behind the malware. One report from Fujitsu revealed that the authors tapped into a database containing 385 million email addresses. The botnet operators, who allegedly call themselves “Evil Corp,” were sending out up to 350,000 emails laced with Dridex every day, according to a cybersecurity firm.

Typically, the emails contain an infected MS Office file, usually a Word document or an Excel spreadsheet. When the file is opened, a tiny embedded program called a “macro” is triggered. The macro in turn downloads the malware onto the computer, activating the Trojan program. Over time, this Trojan quietly assimilates the victim’s browsing habits through a series of screenshots that are sent back to the malware operator.
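The delivery step described above (an Office attachment whose embedded macro fetches the Trojan) is something a mail gateway can triage before the document ever reaches a user. The following is an added example, not code from the article or from any of the organisations it names: it inspects an Office attachment by structure rather than by file extension, flagging OOXML files that carry a VBA project and legacy OLE2 binaries that need a dedicated parser. The sample documents are constructed in memory for the demo and are not real Word files.

```python
import io
import zipfile

# Part names under which Office 2007+ (OOXML) documents store VBA macro code.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Magic bytes of the legacy OLE2 (compound file) format used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in VBA streams that need an OLE
        # parser to inspect, so the file is held for deeper analysis.
        return "ole2-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        return "not-office"  # a zip, but not an Office package
    return "ooxml-macro" if any(p in names for p in MACRO_PARTS) else "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage(filename: str, data: bytes) -> dict:
    """Decide whether a mail attachment should be held for review."""
    verdict = classify_office_attachment(data)
    claims_macro = filename.lower().endswith((".docm", ".xlsm", ".pptm"))
    # Macro code inside a file whose extension claims to be macro-free is a
    # stronger signal than a file that openly declares itself as .docm.
    mismatch = verdict == "ooxml-macro" and not claims_macro
    hold = verdict in ("ooxml-macro", "ole2-legacy")
    return {"verdict": verdict, "extension_mismatch": mismatch, "hold": hold}
```

Extend `MACRO_PARTS` with any additional part names your environment sees; the check deliberately ignores the filename when classifying content.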

The Takedown

Security researchers at Dell SecureWorks, teaming up with law enforcement agencies, started drawing up plans to hijack the botnet this year. After gaining the required legal permissions, the researchers put together the framework to take over the botnet.

The big break occurred on August 28, this year when police in Cyprus apprehended Ghinkul, an event that immediately curbed the spreading of the Dridex malware.

Then, security professionals at Dell SecureWorks from around the world began a multi-day clandestine operation to gain access to the all-important ‘host’ computers that control the massive network of infected computers making up the botnet.

Jeff Williams, a Dell SecureWorks researcher, said:

We were able to wrestle away the network of infected computers out of the control of the hackers. They can’t continue to harvest data.

In a press release, the FBI claimed a significant advantage over the malware operation.

U.S. Attorney David J. Hickton of Pennsylvania said:

Through a technical disruption and criminal indictment we have struck a blow to one of the most pernicious malware threats in the world.

The press release also revealed that:

  • Ghinkul and his accomplices, or Evil Corp, managed to steal $3.5 million from Penneco Oil in Pennsylvania in 2012 before transferring the money to different banks in Ukraine and Belarus.
  • Ghinkul also tried to steal $999,000 from the Sharon City School district but was unable to siphon the money away.

The operation to take down the botnet and its instigators was orchestrated by agents and personnel of the FBI, the National Crime Agency in Britain, Europol and the German Bundeskriminalamt.

The Shadowserver Foundation, a group of volunteer white-hat professionals, now has control of the botnet.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.