Multiple command-and-control (C&C) servers used by the DRIDEX botnet have been taken down by the Federal Bureau of Investigation (FBI), following the action taken by the National Crime Agency (NCA) in the UK.
US law enforcement officials obtained court orders that resulted in the seizure of multiple servers used by DRIDEX. This crippled the malware’s C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks. Furthermore, charges have been made against Andrey Ghinkul, aka Andrei Ghincul and Smilex, the Moldovan administrator of the botnet.
Taking down cybercriminals is no small feat. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise. The takedown of the command-and-control (C&C) network used by the banking malware DRIDEX is the latest example of that partnership’s success.
What sets DRIDEX apart?
DRIDEX has slowly been making a name for itself this past year and has been viewed as the successor to the Gameover Zeus (GoZ) malware. Its prevalence in the threat landscape can be attributed to its business model, P2P (peer-to-peer) architecture, and unique routines.
Unlike other malware, DRIDEX operates using the BaaS (Botnet-as-a Service) business model. It runs several bot networks, each identified by a number and each containing a specific set of target banks. Our investigation revealed that its target banks mostly come from the US and Europe (particularly Romania, France, and the UK). Feedback provided by the Trend Micro™ Smart Protection Network™ in the last three months show that users in the US and the UK accounted for more than 35% of DRIDEX infections.
Figure 1. Breakdown of affected countries, from July – October 1, 2015
The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture. Learning from the GoZ takedown, creators of DRIDEX added a another layer in its architecture before the command-and-control (C&C) server.
Apart from these, DRIDEX is also equipped to remove or hide tracks in the system. Similar to the Chthonic variant of ZBOT, it uses an invisible persistence technique which involves writing autostart reg key upon system shutdown and deleting autostart reg key upon system startup. However, only DRIDEX cleans up the stored configuration in the registry and changes the malware copy location.
DRIDEX is easily spread using malicious email attachment, usually Microsoft Office documents that contain macros. The use of macros could be seen as one way of ensuring a higher chance of successful attacks. Macros are commonly used in automated and interactive documents. The feature is usually deactivated by default, but if it was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. Furthermore, we found that the macro code contains garbage and useless code. This poses additional challenges for detection.
What does the DRIDEX malware do?
DRIDEX is a family of online banking malware that has been plaguing users since July 2014. Since then, it has been a frequent fixture in our quarterly threat roundup, making regular appearances in the most frequently found online banking malware families.DRIDEX is a notorious malware family that steals the user’s login credentials if they visit targeted banking sites. It can steal information by taking screenshots and grabbing information from form fields. One notable information theft routine performed by DRIDEX is the use of HTML injections—wherein malicious code is injected into certain webpages. Once the user inputs the login credentials into the altered webpage, the information is sent to the cybercriminals.
Stealing login credentials and other personal information is only half of the story. The stolen data can then be sold to the cybercriminal underground. The money stolen from the victimized users’ accounts may also be used to fund more cybercriminal activities.
How can you address DRIDEX?
While the takedown of the C&C servers now prevents DRIDEX from executing malicious activities, total cleanup still requires users to ensure that DRIDEX has been removed from their systems.
Trend Micro, through the Smart Protection Network, protects users from DRIDEX. Our Web Reputation Service, which tracks the credibility and safety of web domains, blocks access to malicious URLs. The Email Reputation Service scans emails and blocks those that contain spam-like and malicious content, including links and attachments. Meanwhile, our File Reputation Service checks the reputation of files against our database and flags those that contain malicious and suspicious behavior.
Trend Micro products already detect the unique samples of DRIDEX malware that we have obtained. We detect DRIDEX as a malicious executable in 32- and 64-bit systems. The detections are under various detection names, such as:
- BKDR_DRIDEX
- TROJ_DRIDEX
- TSPY_DRIDEX
- TSPY64_DRIDEX
For non-Trend Micro users, our free online scanner HouseCall is also able to detect and remediate this threat as well.
Working with law enforcement is a key part of Trend Micro’s strategy to help eradicate cybercrime across the globe. This is only the latest in our successful efforts to work with law enforcement; earlier this year we helped provide information that took down the SIMDA botnet. Successes like these strengthen our resolve to move forward and help bring down more cybercriminal networks and make the Internet safer for everyone.
With additional insights by Michael Marcos and Rhena Inocencio.
Updated on October 13, 2015 9:20 P.M. PDT (UTC-7) to clarify details on the location of C&C servers taken down
