Authorities Seize Servers to Disrupt Dridex Botnet

Law enforcement authorities in the United States and Europe have teamed up with private cybersecurity organizations in an effort to disrupt the activities of the Dridex botnet.

The Dridex malware, a successor of the Trojan known as Cridex, Feodo and Bugat, uses web injects and other techniques to steal users’ personal and financial information, which malicious actors can use to commit fraud. Recent samples of the malware had mainly been distributed via malicious Microsoft Word documents attached to spam emails.

The threat has been used against individuals from all across the world, but most of the victims appear to be in the United States and the United Kingdom, with losses caused by the botnet estimated by authorities at $10 million in the U.S. and $30 million in the U.K.

The Dridex botnet is partitioned into multiple sub-botnets and uses a peer-to-peer (P2P) network for communications, which would normally make the threat more resistant to takedowns. However, as highlighted by Dell SecureWorks, whose researchers have contributed to the latest law enforcement operation, the Dridex network is a hybrid between a centralized and a decentralized network since peer lists and configuration files are distributed centrally by backend servers.

This allowed cybercrime fighters to poison the P2P network of each Dridex sub-botnet and redirect infected systems to a sinkhole.

“Threat actors created botnets such as Dridex to fill the void left by the takedown of the Gameover Zeus botnet in May 2014 as part of Operation Tovar,” the Dell SecureWorks Counter Threat Unit research team explained. “Despite a significant overlap in tactics, techniques, and procedures (TTPs), Dridex never rivaled the sophistication, size, and success of Gameover Zeus. This operation took advantage of weaknesses in Dridex's hybrid P2P architecture to take over the botnet.”

The FBI also announced on Tuesday that an administrator of the Dridex botnet, 30-year-old Moldovan national Andrey Ghinkul, aka “Andrei Ghincul” and “Smilex,” was arrested in Cyprus on August 28. Authorities hope to get the suspect extradited to the United States where he has been charged with nine counts of criminal conspiracy, damaging a computer, unauthorized computer access with intent to defraud, wire fraud, and bank fraud.

Ghinkul is said to have been part of a criminal conspiracy that leveraged Dridex to steal banking credentials that were later used to transfer money from victims’ accounts to the accounts of money mules. According to the FBI, the cybercrooks attempted to steal nearly $1 million from a Pennsylvania School District, and managed to transfer roughly $3.5 million from the accounts of Delmont, PA-based oil and gas exploration company Penneco Oil.

The United States Computer Emergency Readiness Team (US-CERT) has published an advisory containing information on how to remove Dridex infections.

The operation aimed at the Dridex botnet was conducted by the FBI in collaboration with Europol’s European Cybercrime Centre (EC3) and authorities in the UK, Germany and Moldova. The list of private sector organizations that contributed to the disruption of the threat includes Fox-IT, S21sec, Spamhaus, the Shadowserver Foundation, and Trend Micro.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.