Dell, FBI and NCA bring down botnet behind £20m cyber bank heist
Malware-slinging Dridex servers seized, while one arrest has been made
A pernicious malware botnet involved in the theft of £20 million from UK bank accounts has been taken down by Dell SecureWorks, the FBI, the UK National Crime Agency (NCA), and the Shadowserver Foundation.
Known as Dridex, the banking Trojan is spread through email attachments. In the past this involved an infection embedded in the attachment that would exploit vulnerabilities in the user's operating system, but recent analysis by the Dell SecureWorks Counter Threat Unit (CTU) found Dridex was being spread by macros in Microsoft Word documents, which were also delivered as attachments.
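Because the delivery mechanism described above relies on a VBA macro inside an Office attachment, a mail gateway or triage script can flag such files before a user ever opens them. The following is an added example, not code from the article or from Dell SecureWorks: it inspects an OOXML container (docx/docm/xlsm/pptm) for an embedded VBA project, using two independent signals, the `vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type declared in `[Content_Types].xml`. The `_build_doc` helper constructs minimal sample documents in memory so the check runs offline; they are not real Word files. Legacy binary `.doc` (OLE2) files are out of scope here and are simply reported as non-OOXML.

```python
import io
import zipfile

# Content type OOXML declares for an embedded VBA project (an Office constant).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Binary part that holds the compiled macro project (word/vbaProject.bin, xl/vbaProject.bin, ...).
VBA_PART_SUFFIX = "vbaproject.bin"


def has_vba_macro(document: bytes) -> bool:
    """Return True if an OOXML document carries a VBA project.

    The file extension is deliberately ignored: the decision is made on the
    container's contents, so a renamed attachment is still caught.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(document)) as zf:
            names = zf.namelist()
            # Signal 1: the macro binary part exists anywhere in the package.
            if any(n.lower().endswith(VBA_PART_SUFFIX) for n in names):
                return True
            # Signal 2: the package manifest declares a VBA content type.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    return True
    except zipfile.BadZipFile:
        # Not an OOXML zip container (e.g. legacy .doc or an unrelated file).
        return False
    return False


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments (name -> bytes) that contain VBA macros."""
    return sorted(name for name, data in attachments.items() if has_vba_macro(data))


def _build_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = [
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            parts.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder bytes standing in for a compiled VBA project (constructed sample).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
        parts.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(parts))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed mailbox: one clean document, one macro-bearing one, one non-Office file.
    sample = {
        "invoice.docx": _build_doc(with_macro=False),
        "invoice_final.doc": _build_doc(with_macro=True),  # renamed, still caught
        "notes.txt": b"plain text, not a zip",
    }
    print("flagged:", triage_attachments(sample))
```

Running the block prints `flagged: ['invoice_final.doc']`. In a gateway the flagged names would feed a quarantine or user-warning step; the check is a cheap first filter, not a substitute for full macro analysis, since it says nothing about what the macro does.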
The NCA estimates that at least £20 million has been stolen by the operators of the botnet from UK bank accounts alone, with France also heavily targeted. In the US, the figure is thought to be about $10 million (£6.5 million).
With the help of the NCA, FBI and Shadowserver Foundation, Dell CTU developed a strategy to poison Dridex's extensive botnet, redirecting the infected systems to a "sinkhole".
One of Dridex's so-called sub-botnets, number 220, consisted of around 4,000 bots. To put this in context, 220 is just one of 13 sub-botnets discovered so far by the researchers.
Brett Stone-Gross, one of the members of Dell SecureWorks CTU, said: "The takedown of the Gameover Zeus botnet in June 2014 as part of Operation Tovar left a void in the cybercriminal community, particularly for those targeting financial institutions."
"To fill this gap, threat actors created new botnets, including Dridex and Dyre. CTU researchers have observed a significant overlap in the tactics, techniques, and procedures (TTPs) between Gameover Zeus and both Dridex and Dyre, indicating that previous affiliates had moved on to new botnet business ventures and were continuing to carry out their fraudulent activities," he added.
Europol, GCHQ and the Moldovan authorities have also announced a "significant arrest" resulting from the disruption of Dridex, with more expected to follow. The 30-year-old man arrested was wanted by the US.
Candid Wueest, a threat researcher with Symantec, noted: "Take-downs of this kind have directly contributed to a slow-down in use of financial Trojans. Despite the criminals' best efforts, financial Trojan infections decreased by 35 percent in 2014, thanks in part to the efforts of different law enforcement agencies in cooperation with the security industry."
However, Wueest added: "It is clear that these operations have had some success, but cutting off one head of the Hydra won't kill it. Whilst large-scale operations and collaboration need to continue, consumers and businesses can help armour themselves against these threats."
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.