Dridex back on the radar after takedown

News by Rene Millman

Combined might of FBI, Europol and NCA not enough to prevent malware re-emerging. Time to take a more proactive approach to intelligence, says Lord Jonathan Evans.

Dridex has managed to come back to plague banks despite the best efforts of law enforcement to take down a command and control server.

As reported by SCMagazineUK.com a couple of days ago, Europol's European Cybercrime Centre (EC3) – working with the UK's National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) – made moves to “sinkhole” the malware by disrupting communications between its botnet of computers and the command and control server.

But 48 hours later, a new email campaign distributing the Dridex variant was discovered by researchers at IT security firm Proofpoint.

“On further examination, it appears to be the variant communicating with the '220' C&C network, aka 'Dridex 220',” said Kevin Epstein, vice president of threat operations at Proofpoint. “The initial campaign was significantly smaller than campaigns of the last weeks – only about 10 percent of their size – potentially indicating that attackers are still testing the stability of their control over that C&C network.  The majority of this initial attack was focused on targets in the UK.”

He added that it is not clear that Dridex had ever “left”. He added that while there was what appears to have been a brief disruption in the '220' command and control network, it does not appear that the email distribution (phish-sending) botnet was impacted, nor other C&C networks, nor the Dridex malware itself. 

“Since Dridex has been a successful tool for attackers to steal credentials for banking, CRM, supply chain, and intellectual property repositories, it seems likely that attackers will keep using it.”

Dridex has its origins in Eastern Europe. Evil Corp is the name of the Eastern European criminal gang that many believe is behind Dridex.

It is estimated that the malware has netted $40 million worldwide. According to the FBI, the group operates out of Russia and Moldova and was also responsible for Gameover Zeus. Evil Corp itself is a spin-off of another cyber-crime gang called Business Club.

Dridex first appeared in the UK before moving onto mainland Europe and the US. IT has targeted 25 countries to date. An investigation into the malware kicked into gear earlier this year

The news comes as a former MI5 chief called on banks to gather intelligence from the dark web in order to combat the growing threats from hackers and malware such as Dridex.

Speaking at the Good Exchange Cybersecurity Summit, the former head of MI5, Lord Jonathan Evans, said that there was a lack of “forward awareness” among banks about the activities of hackers and particularly the Dridex malware.

Lord Evans, who now serves as a non-executive director at HSBC said financial institutions should invest more in intelligence capabilities.

He told delegates at the conference that some banks had “really invested in their intelligence capabilities – both on their own networks and also in a much more forward-leaning approach to understanding what's happening on hacker sites in terms of developing capabilities.”

“Certainly giving yourself that forward awareness so that you're not waiting to see what arrives, you are out there trying to find out what might arrive, I think is quite a game changer,” he told the IB Times.

He added that intelligence was an area where banks still had a “lot of work to do” and this needed more maturity in systems in order to achieve this.

“It can be quite difficult for some companies to do that,” Lord Evans added.

Max Vetter, cyber security training consultant at QA, told SC that dark web intelligence, investigation and analysis is vital for any company looking to protect itself against cyber-attacks.

“This is where the hackers will congregate to share advice, sell newly identified vulnerabilities to systems (called zero-day vulnerabilities), sell new malware that has been created or to sell stolen credentials or data from hacks that have already been successful,” he said. “Having a good understanding of the forums where this data is shared and sold is essential for any business that wishes to have a chance at forewarning breaches or identifying new malware that is being developed before it can be used to attack a company's network."

With Dridex back in the frame, Privitar's CEO Jason du Preez told SC that cyber-security is a “cat and mouse game”.

“Every time better security systems are built, hackers step up their game and find new ways to beat them. Even the most secure systems can become vulnerable, which is why taking a data-centric approach to security is essential. By making the data worthless to a hacker, you remove the incentive altogether,” du Preez said.

Organisations should be careful monitoring the crime gangs behind Dridex and its variants, Adam Tyler, chief innovation officer at CSID, told SC.

If this is not done in a secure and careful way then there is always the possibility the activities could be tied back to the entity running the monitoring project. “If a malicious group or party were aware they were being monitored then it could lead to either retaliation attempts (attacks, DDoS, etc.) or the distribution of fake information in order to confuse investigators,” he said.

Catalin Cosoi, chief security strategist at Bitdefender, told SC that to anticipate the return of “dead” malware requires banks to learn to anticipate hackers' next steps. “It implies shifting from a reactive approach to a proactive one. Banks and other organisations should invest in their own intelligence and constantly collaborate with members of the security industry to learn more about the evolving threat landscape,” he said.

Fraser Kyne, principal systems engineer at Bromium, told SC that having organisations take on the job of monitoring the bad guys raised a few points of concern.

“The kind of time, resources and expertise of this endeavour – and therefore the cost – may be out of the reach of many businesses. There's also the issue of working out the difference between signal and noise when assessing potential future threats,” he said.

 Kyne added that as well as being proactive by looking externally, organisations need their systems to be more resilient to attack. “Modern technology innovations around isolation enable us to defend ourselves from threats by design, rather than having to identify them first (either reactively or proactively),” he said.

Jonathan Martin, ThreatStream's international operations director, believes the sophistication levels of threats such as Dridex are so high that this is extremely difficult to stop.

“It's more about mitigating the effect of the attack,” he told SC. “By reducing the effectiveness of the breach, by cutting off the supply lines back out of the organisation to the attackers, this necessitates them to re-develop different modes of attack – this of course takes time and effort, making them much more likely to look for other targets.”

Martin added that the first step any piece of malware will take is call home for instructions – this is the ideal time to identify it. Introducing multiple, varied threat intelligence streams into security log monitoring tools means that as soon as that communication is made, it can be identified.

“Whatever method is used to talk to the command and control (C&C) site, that traffic will be logged. A simple correlation of this traffic with lists of known bad sites reveals that communication, enabling the analyst to put into place the necessary remediation action plan,” said Martin.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews