Over the last 12 months, Dridex has been the scourge of banks, responsible for banking data and credential theft as well as fraud. The cyber criminals behind it have kept improving the network in response to the specific cases and problems they encountered with each financial institution they attacked, and also in response to issues raised by researchers and law enforcement agencies, or after being detected.
Dridex has survived several attempts at closure, commonly known as takedowns, and some of its supposed leaders have been arrested. However, since September it has recovered and reappeared on several occasions, even launching new campaigns. These campaigns have been far less aggressive than last year's, and the cyber criminals have launched them carefully; this has even led to binaries distributed through the different campaigns that are not backward compatible with one another. It indicates that, after takedowns and prosecutions, the cyber criminals are on high alert and very well prepared.
Why have takedowns not been totally effective? On the one hand, Dridex is a botnet run by a cyber criminal group made up of several highly skilled members who are constantly operating it and introducing code changes.
On the other hand, its design and architecture are based on a distributed P2P network, so there is no single point at which it can be shut down. It uses many servers and intermediate machines, which makes the botnet more resilient and takedowns more difficult.
We began analyzing and studying this botnet at Blueliv as soon as our honeypot network detected it. Our reversing and cyber threat intelligence team analyzed its infection procedure: traditional spam carrying malicious attachments such as PDF/DOC files with embedded malicious code which, in the end, downloads the trojan itself. Blueliv looked into the communication between bots, nodes and C&C servers (or intermediate proxies), and examined how stolen data moves through the P2P network formed by the infected bots and nodes, an unusual architecture. This is why it is important to stress that the high degree of control this botnet has over its bots allows the cyber criminals to intercept traffic on the network and steal confidential data, money, etc.
Several Dridex main nodes or C&Cs were closed thanks to the collaboration of international cyber crime law enforcement agencies. The appearance of new small campaigns raises potential scenarios in which orphan bots could keep working, as follows:
- Orphan bots might easily be recovered by another part of the gang, or of the botnet, that can still be controlled, bearing in mind the philosophy of Dridex.
- These bots could migrate to a new botnet of a different design or origin belonging to other small parts of the gang that controlled Dridex. It is even possible that other groups gain access to the source code of the old Dridex and intercept or reactivate this botnet, making it harder to take down and even more efficient.
In short: will Dridex be reloaded despite the recent arrests of the gang that manages it?
At Blueliv we are committed to the fight against cybercrime and to understanding the technology behind it in order to combat it. To that end, some months ago we produced the report that can be downloaded here, which was very well received given the depth of its technical analysis.
CEO & Founder of Blueliv