The operation saw a 30-year-old Moldovan man charged by prosecutors in the US for offences including criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud, and bank fraud. His extradition to the US is being sought following his arrest in Cyprus in August.
The FBI also obtained an injunction to start sinkholing Dridex infections, by redirecting traffic from infected computers away from command-and-control (C&C) servers to benign substitute servers. The NCA supports the operation.
This is the latest in a series of recent takedowns against major financial fraud cybercrime groups, following earlier operations against Gameover Zeus, Shylock, and Ramnit.
The group, reportedly operating out of Eastern Europe, used Dridex malware to harvest banking credentials from individuals and businesses around the world, with the US, Japan and Germany sustaining the highest number of infections, followed closely by the UK, Canada and Australia.
Dridex is one of many known financial Trojans. While Symantec observed a 53 percent decline in financial Trojans in 2014 — largely due to takedowns and arrests — attackers continue to shift to new platforms to reach their targets. Notably:
- Over 40 percent of financial Trojans targeted the nine most-attacked financial institutions
- Stolen bank accounts often sell for 5-10 percent of their balance value on the black market
Dridex is detected by Symantec as W32.Cridex and is also known as Bugat. It is a financial threat that adds the infected computer to a botnet and injects itself into the victim’s web browser in order to steal information, including banking credentials.
The malware is spread via phishing emails designed to appear to come from legitimate sources in order to lure the victim into opening a malicious attachment. It is also capable of self-replication by copying itself to mapped network drives and attached local storage such as USB keys. As is common with most financial attackers, the Dridex group regularly changed its tactics and most recently has been observed using malicious macros in Microsoft Office documents attached to emails to infect its victims.
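As an added defensive illustration, not part of the original article or of Symantec's tooling, the following Python check flags Office attachments that carry VBA macros, the delivery vehicle described above. The sample documents are constructed in memory and are not Dridex lures; the OOXML part and content-type names are the standard ones from the Office Open XML format.

```python
import io
import zipfile

# Content types that Office Open XML uses for macro-enabled documents.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Legacy OLE2 compound-file magic used by binary .doc/.xls attachments.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = MACRO_CONTENT_TYPES[0] if with_macro else \
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project part
    return buf.getvalue()


def macro_indicators(data: bytes) -> list:
    """Return the reasons an attachment looks macro-bearing (empty list = none found)."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: VBA lives in OLE streams that a ZIP check
        # cannot see, so hand it to an OLE parser or sandbox for deeper inspection.
        reasons.append("legacy OLE2 container (inspect VBA streams)")
        return reasons
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons  # not an OOXML container at all
    if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
        reasons.append("vbaProject.bin part present")
    try:
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if any(t in ctypes for t in MACRO_CONTENT_TYPES):
            reasons.append("macro-enabled content type declared")
    except KeyError:
        pass  # malformed package without a content-types part
    return reasons
```

A mail gateway would quarantine or strip any attachment for which `macro_indicators` returns a non-empty list, and route legacy OLE2 files to an OLE-aware scanner.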
As reported in Symantec’s State of financial Trojans 2014 whitepaper, Dridex was the third largest financial threat last year, accounting for some 29,000 detections. Nevertheless, this represented a decrease, with the number of infections down 88 percent since 2012.
Recent telemetry suggests a resurgence in activity, with detections beginning to increase again in recent months.
The attackers behind Dridex have targeted a broad range of countries. The largest number of detections in 2015 was in the US. This was followed by Japan and Germany, with significant numbers of infections also seen in the UK, Canada, Australia and a number of other European countries.