Dridex has managed to come back to plague banks despite the best efforts of law enforcement to take down a command and control server.
As reported by SCMagazineUK.com a couple of days ago, Europol's European Cybercrime Centre (EC3) – working with the UK's National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) – made moves to “sinkhole” the malware by disrupting communications between its botnet of computers and the command and control server.
But 48 hours later, a new email campaign distributing the Dridex variant was discovered by researchers at IT security firm Proofpoint.
“On further examination, it appears to be the variant communicating with the '220' C&C network, aka 'Dridex 220',” said Kevin Epstein, vice president of threat operations at Proofpoint. “The initial campaign was significantly smaller than campaigns of the last weeks – only about 10 percent of their size – potentially indicating that attackers are still testing the stability of their control over that C&C network. The majority of this initial attack was focused on targets in the UK.”
He added that it is not clear that Dridex had ever “left”. He added that while there was what appears to have been a brief disruption in the '220' command and control network, it does not appear that the email distribution (phish-sending) botnet was impacted, nor other C&C networks, nor the Dridex malware itself.
“Since Dridex has been a successful tool for attackers to steal credentials for banking, CRM, supply chain, and intellectual property repositories, it seems likely that attackers will keep using it.”
Dridex has its origins in Eastern Europe. Evil Corp is the name of the Eastern European criminal gang that many believe is behind Dridex.
It is estimated that the malware has netted $40 million worldwide. According to the FBI, the group operates out of Russia and Moldova and was also responsible for Gameover Zeus. Evil Corp itself is a spin-off of another cyber-crime gang called Business Club.
Dridex first appeared in the UK before moving onto mainland Europe and the US. It has targeted 25 countries to date. An investigation into the malware kicked into gear earlier this year.
The news comes as a former MI5 chief called on banks to gather intelligence from the dark web in order to combat the growing threats from hackers and malware such as Dridex.
Speaking at the Good Exchange Cybersecurity Summit, the former head of MI5, Lord Jonathan Evans, said that there was a lack of “forward awareness” among banks about the activities of hackers and particularly the Dridex malware.
Lord Evans, who now serves as a non-executive director at HSBC, said financial institutions should invest more in intelligence capabilities.
He told delegates at the conference that some banks had “really invested in their intelligence capabilities – both on their own networks and also in a much more forward-leaning approach to understanding what's happening on hacker sites in terms of developing capabilities.”
“Certainly giving yourself that forward awareness so that you're not waiting to see what arrives, you are out there trying to find out what might arrive, I think is quite a game changer,” he told the IB Times.
He added that intelligence was an area where banks still had a “lot of work to do” and that their systems needed to mature further in order to achieve this.
“It can be quite difficult for some companies to do that,” Lord Evans added.
Max Vetter, cyber security training consultant at QA, told SC that dark web intelligence, investigation and analysis is vital for any company looking to protect itself against cyber-attacks.
“This is where the hackers will congregate to share advice, sell newly identified vulnerabilities to systems (called zero-day vulnerabilities), sell new malware that has been created or to sell stolen credentials or data from hacks that have already been successful,” he said. “Having a good understanding of the forums where this data is shared and sold is essential for any business that wishes to have a chance at forewarning breaches or identifying new malware that is being developed before it can be used to attack a company's network.”