Law enforcement authorities in the U.S. and Europe, and several private security firms have launched an operation aimed at the Dridex botnet, but the threat still appears to be active.
Dridex, a successor of the Cridex Trojan, is said to have caused losses totaling $40 million in the United States and the United Kingdom after helping cybercriminals steal personal and financial information from users.
Dell SecureWorks, one of the security firms involved in the takedown operation, reported last week that each Dridex sub-botnet’s peer-to-peer (P2P) network was poisoned and infected systems were redirected to a sinkhole. Additionally, the FBI announced the arrest of a Dridex botnet administrator, 30-year-old Moldovan national Andrey Ghinkul, and charges brought against several other suspects.
Despite the takedown effort, Dridex is still active. Less than 48 hours after law enforcement authorities announced disrupting the botnet, Proofpoint researchers spotted a spam run distributing Dridex, mainly aimed at users in the United Kingdom.
Kevin Epstein, VP of Threat Operations at Proofpoint, told SecurityWeek that the variant distributed in this email campaign communicated with the sub-botnet dubbed “220,” which according to Dell SecureWorks, contained roughly 4,000 active bots, mostly located in Western Europe (France, U.K.).
“The initial campaign was significantly smaller than campaigns of the last weeks — only about 10% of their size — potentially indicating that attackers are still testing the stability of their control over that C&C network,” Epstein explained.
“It’s not clear Dridex ever ‘left’. While there was what appears to have been a brief disruption in the ‘220’ command and control network, it does not appear that the email distribution (phish-sending) botnet was impacted, nor other C&C networks, nor the Dridex malware itself,” Epstein added. “Since Dridex has been a successful tool for attackers to steal credentials for banking, CRM, supply chain, and intellectual property repositories, it seems likely that attackers will keep using it.”
However, Dr. Brett Stone-Gross, senior security researcher with the Dell SecureWorks Counter Threat Unit, said that the entire botnet was sinkholed and the criminal infrastructure was taken down.
“A new Dridex botnet was recreated from scratch which took the criminal operators more than 3 weeks and so far only one affiliate is active,” Stone-Gross, who headed his company’s participation in the Dridex botnet takeover, told SecurityWeek. “This botnet is likely to be very small right now. It is not ‘back with a vengeance’ as some have claimed.”
According to Stone-Gross, the operation against Dridex, both its infrastructure and the people behind the threat, will continue. The expert highlighted that one key player was already arrested and several others were indicted under their real name.
“These operations go after the source of the problem (the people behind the malware) rather than throwing huge amounts of money in trying to reactively defend against the attacks,” Stone-Gross said.
Moreover, Dridex has never actually rivaled the now defunct Gameover Zeus botnet in terms of size and success, the researcher noted.
Frank Ruiz, threat intelligence analyst at Fox IT, another company involved in the operation against Dridex, pointed out that while this was a major first step in the right direction, there is still a lot of work to be done.
Ruiz noted that Ghinkul, also known as “Smilex,” was working with an individual using the online moniker “Caramba,” who is also named in FBI documents. The two paid “Evil Corp,” the organization that writes and maintains Dridex, for access to the botnet, but there are a large number of other people involved in Dridex.
The expert told SecurityWeek that one of the sub-botnets, run by an actor not targeted in the latest law enforcement operation, only had minor interruptions. Another Dridex sub-botnet was seen resurfacing on Friday.
“Historically, successful neutralization of parts of the malware ecosystem can be highly effective. For example, after the arrest of ‘Paunch’, creator of the ‘Blackhole’ exploit kit, use of the kit declined precipitously — and both the gameoverzeus and zeroaccess botnet actions by authorities resulted in significant disruptions to those criminal enterprises. That said, the crimeware market operates efficiently, and if a need exists or gap is created, history has shown that others will step in to fill the gap,” Epstein said. “That said, this situation certainly disrupted a portion of the Dridex operation, but doesn’t appear to have created a long-term cessation in activity.”
