
FBI, Security Vendors Partner for DRIDEX Takedown

  • Posted on: October 13, 2015 at 2:44 pm
  • Posted in: Malware
  • Author: Trend Micro

Multiple command-and-control (C&C) servers used by the DRIDEX botnet have been taken down by the Federal Bureau of Investigation (FBI), following the action taken by the National Crime Agency (NCA) in the UK.

US law enforcement officials obtained court orders that resulted in the seizure of multiple servers used by DRIDEX. This crippled the malware’s C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks. Furthermore, charges have been made against Andrey Ghinkul, aka Andrei Ghincul and Smilex, the Moldovan administrator of the botnet.

Taking down cybercriminals is no small feat. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise. The takedown of the command-and-control (C&C) network used by the banking malware DRIDEX is the latest example of that partnership’s success.

What sets DRIDEX apart?

DRIDEX has slowly been making a name for itself this past year and has been viewed as the successor to the Gameover Zeus (GoZ) malware. Its prevalence in the threat landscape can be attributed to its business model, P2P (peer-to-peer) architecture, and unique routines.

Unlike other malware, DRIDEX operates using the BaaS (Botnet-as-a-Service) business model. It runs several bot networks, each identified by a number and each containing a specific set of target banks. Our investigation revealed that its target banks mostly come from the US and Europe (particularly Romania, France, and the UK). Feedback provided by the Trend Micro™ Smart Protection Network™ in the last three months shows that users in the US and the UK accounted for more than 35% of DRIDEX infections.

[Figure 1. Breakdown of affected countries, from July – October 1, 2015]

The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture. Learning from the GoZ takedown, the creators of DRIDEX added another layer to the architecture in front of the command-and-control (C&C) server.

Apart from these, DRIDEX is also equipped to remove or hide its tracks on the system. Similar to the Chthonic variant of ZBOT, it uses an “invisible” persistence technique: it writes its autostart registry key on system shutdown and deletes that key again on system startup, so the autostart entry is absent while the system is running. However, only DRIDEX also cleans up the configuration stored in the registry and changes the location of the malware copy.
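As an added defender-side illustration (not code from the original post), the following heuristic correlates Sysmon-style registry events with power events and flags Run-key values that are written shortly before a shutdown or deleted shortly after a startup, which is exactly what an uptime-only scan of the Run key would miss. The log format, the SID and the file paths are constructed for this example.

```python
from datetime import datetime, timedelta

# A Run-key value that exists only between shutdown and the next startup is
# invisible to an uptime scan, so correlate registry events with power events.
RUN_KEY_MARKER = "\\CurrentVersion\\Run\\"
WINDOW = timedelta(seconds=60)  # max distance to a power event to be flagged
# Constructed sample feed (timestamp|event|detail), simplified Sysmon-style; placeholders only.
SAMPLE_LOG = """\
2015-10-01 17:58:02|RegistryValueSet|HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=C:\\Users\\user\\AppData\\Roaming\\updater.exe
2015-10-01 17:58:40|Shutdown|initiated by user
2015-10-02 08:30:11|Startup|event log service started
2015-10-02 08:30:15|RegistryValueDelete|HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2015-10-02 09:15:00|RegistryValueSet|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe
"""

def parse_log(text):
    """Parse 'timestamp|event|detail' lines into (datetime, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, detail = line.split("|", 2)
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, detail))
    return events

def find_shutdown_persistence(events, window=WINDOW):
    """Flag Run-key writes within `window` before a Shutdown and Run-key
    deletions within `window` after a Startup. Returns (kind, key_path) pairs."""
    shutdowns = [ts for ts, ev, _ in events if ev == "Shutdown"]
    startups = [ts for ts, ev, _ in events if ev == "Startup"]
    zero, findings = timedelta(0), []
    for ts, ev, detail in events:
        if RUN_KEY_MARKER not in detail:
            continue
        path = detail.split("=", 1)[0]  # drop the value data, keep the key path
        if ev == "RegistryValueSet" and any(zero <= s - ts <= window for s in shutdowns):
            findings.append(("write-before-shutdown", path))
        elif ev == "RegistryValueDelete" and any(zero <= ts - s <= window for s in startups):
            findings.append(("delete-after-startup", path))
    return findings

def both_halves(findings):
    """Value names seen with both halves of the pattern (highest confidence)."""
    by_name = {}
    for kind, path in findings:
        by_name.setdefault(path.rsplit("\\", 1)[-1], set()).add(kind)
    return sorted(name for name, kinds in by_name.items() if len(kinds) == 2)

if __name__ == "__main__":
    hits = find_shutdown_persistence(parse_log(SAMPLE_LOG))
    print(hits, both_halves(hits))
```

The legitimate OneDrive entry, written during normal uptime with no power event nearby, is not flagged; only the value that appears in the shutdown window and vanishes at startup is reported with both halves of the pattern.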

DRIDEX is easily spread using malicious email attachments, usually Microsoft Office documents that contain macros. The use of macros could be seen as one way of ensuring a higher chance of successful attacks. Macros are commonly used in automated and interactive documents. The feature is usually deactivated by default, but if it was already enabled prior to the attack, the attack proceeds without any additional requirements. Otherwise, the attack must rely on a strong social engineering lure to convince the user to enable the feature. Furthermore, we found that the macro code contains garbage and useless code, which poses additional challenges for detection.

What does the DRIDEX malware do?

DRIDEX is a family of online banking malware that has been plaguing users since July 2014. Since then, it has been a frequent fixture in our quarterly threat roundup, making regular appearances among the most frequently found online banking malware families. DRIDEX steals the user’s login credentials when they visit targeted banking sites. It can steal information by taking screenshots and grabbing information from form fields. One notable information theft routine performed by DRIDEX is the use of HTML injection, wherein malicious code is injected into certain webpages. Once the user enters login credentials into the altered webpage, the information is sent to the cybercriminals.

Stealing login credentials and other personal information is only half of the story. The stolen data can then be sold to the cybercriminal underground. The money stolen from the victimized users’ accounts may also be used to fund more cybercriminal activities.

How can you address DRIDEX?

While the takedown of the C&C servers now prevents DRIDEX from executing malicious activities, total cleanup still requires users to ensure that DRIDEX has been removed from their systems.

Trend Micro, through the Smart Protection Network, protects users from DRIDEX. Our Web Reputation Service, which tracks the credibility and safety of web domains, blocks access to malicious URLs. The Email Reputation Service scans emails and blocks those that contain spam-like and malicious content, including links and attachments. Meanwhile, our File Reputation Service checks the reputation of files against our database and flags those that exhibit malicious or suspicious behavior.

Trend Micro products already detect the unique samples of DRIDEX malware that we have obtained. We detect DRIDEX as a malicious executable on 32- and 64-bit systems, under various detection names, such as:

  • BKDR_DRIDEX
  • TROJ_DRIDEX
  • TSPY_DRIDEX
  • TSPY64_DRIDEX

For non-Trend Micro users, our free online scanner HouseCall is also able to detect and remediate this threat.

Working with law enforcement is a key part of Trend Micro’s strategy to help eradicate cybercrime across the globe. This is only the latest in our successful efforts to work with law enforcement; earlier this year we helped provide information that took down the SIMDA botnet. Successes like these strengthen our resolve to move forward and help bring down more cybercriminal networks and make the Internet safer for everyone.

With additional insights by Michael Marcos and Rhena Inocencio.

Updated on October 13, 2015 9:20 P.M. PDT (UTC-7) to clarify details on the location of C&C servers taken down
