Once word circulated of the arrest of a Moldovan man allegedly connected with the development and distribution of the Dridex banking malware, it was only a matter of time before the operation was put out of business for good.
The FBI, Department of Justice, the U.K.’s National Crime Agency and a number of other European law enforcement and technology companies on Tuesday announced a joint effort to take down the computing infrastructure supporting Dridex, also known as Bugat and Cridex.
U.S. law enforcement officials allege that Andrey Ghinkul, also known by the handle Smilex, was responsible for $10 million in losses in the U.S., while U.K. law enforcement put losses there at £20 million (nearly $31 million).
According to a Justice Department release, Ghinkul led a team that used Dridex to infect computers worldwide in order to steal credentials for online bank accounts. Those stolen passwords were then used to fraudulently transfer funds from victimized accounts to money mules who laundered the money for the criminals, the DOJ said.
Penneco Oil, an energy company in Pennsylvania, was specifically targeted by the gang, the DOJ and FBI allege. Phishing emails sent to a single Penneco employee resulted in three separate fraudulent transfers totaling more than $3.6 million from an account at First Commonwealth Bank to accounts in Krasnodar, Russia, and Minsk, Belarus. The gang also tried to move $999,000 belonging to the Sharon, Pa., City School District from First Commonwealth Bank to an account in Kiev, Ukraine.
“The steps announced today are another example of our global and innovative approach to combatting cybercrime,” said Assistant Attorney General Leslie R. Caldwell. “Our relationships with counterparts all around the world are helping us go after both malicious hackers and their malware. The Bugat/Dridex botnet, run by criminals in Moldova and elsewhere, harmed American citizens and entities. With our partners here and overseas, we will shut down these cross-border criminal schemes.”
Law enforcement worked with security experts at Dell SecureWorks to take down the peer-to-peer botnet supporting Dridex. Dell said its researchers poisoned the peer lists of one Dridex sub-botnet's peer-to-peer network and redirected those connections to a sinkhole under their control. About 4,000 active bots, targeting the U.K. and France in particular, connected to the sinkhole, Dell said.
Dridex is a dangerous malware family spread primarily via phishing and spam campaigns. The phishing emails are often laced with Microsoft Word and other Office documents spiked with macros that, once the recipient enables them, reach out to attacker-controlled infrastructure and download the Dridex payload. The macro itself is only a downloader; the user's decision to enable content is the step the attackers depend on.
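Because the infection chain above starts with a macro-bearing Office attachment, the most useful mail-gateway check is simply whether an attachment carries a VBA project at all, regardless of its file extension. The following is an added example written for this article, not code from the article, Dell SecureWorks, Palo Alto Networks or any of the agencies named; it is a heuristic that answers "does this container hold VBA?" for both modern OOXML files (a zip with a `vbaProject.bin` part) and legacy compound files (whose directory entries store stream names such as `_VBA_PROJECT` and `Macros` as UTF-16LE). The sample attachments are constructed in the script and are not real documents. For production triage, a dedicated parser such as oletools should replace the byte-scan used here for the legacy format.

```python
"""Flag Office attachments that contain a VBA project (the Dridex delivery
mechanism described in the article).  Added example, not the article's code.
Heuristic only: it reports that a VBA project is present, not that it is
malicious, and it trusts the container's bytes rather than the file name."""
import io
import zipfile

# Magic bytes that identify the two Office container formats.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm) zip

# Compound-file directory entries store stream/storage names as UTF-16LE.
# These names only exist when the document carries a VBA project.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]


def _ooxml_has_vba(data: bytes) -> bool:
    """OOXML: a VBA project is stored as a binary part named vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def _ole_has_vba(data: bytes) -> bool:
    """Legacy OLE: look for the UTF-16LE storage names a VBA project creates."""
    return any(marker in data for marker in OLE_VBA_MARKERS)


def has_vba_macros(data: bytes) -> bool:
    """True if the bytes look like an Office file that carries a VBA project."""
    if data.startswith(ZIP_MAGIC):
        try:
            return _ooxml_has_vba(data)
        except zipfile.BadZipFile:
            return False          # truncated or corrupt zip: cannot say, do not flag
    if data.startswith(OLE_MAGIC):
        return _ole_has_vba(data)
    return False                  # not an Office container at all


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder project
    return buf.getvalue()


def build_sample_ole(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: header plus a directory-style name."""
    body = OLE_MAGIC + b"\x00" * 504          # 512-byte header sector, zero-filled
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


def triage(attachments):
    """Return the names of attachments that should be held for review.

    `attachments` is a list of (filename, bytes) pairs as a mail gateway
    would hand them over; the filename is reported but never trusted."""
    return [name for name, data in attachments if has_vba_macros(data)]


if __name__ == "__main__":
    # Constructed sample mailbox: one macro-enabled docm, one clean docx,
    # one legacy .doc with a VBA project, one decoy with a misleading name.
    samples = [
        ("invoice.docm", build_sample_docx(True)),
        ("report.docx", build_sample_docx(False)),
        ("statement.doc", build_sample_ole(True)),
        ("notes.txt", build_sample_docx(True)),   # renamed, still a macro doc
    ]
    print("hold for review:", triage(samples))
```

Note that the decoy entry is caught because the check is driven by the container's magic bytes and contents, not the extension; an attacker who renames `invoice.docm` to something innocuous gains nothing against it. The legacy-format scan can false-positive on a document whose body text happens to contain `_VBA_PROJECT` in UTF-16, which is acceptable for a hold-for-review queue but is why a real directory parser is preferable.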
Dridex activity surged earlier this year, peaking at almost 100,000 Dridex-related emails per day in January, said researchers at Palo Alto Networks. From the end of August, shortly before Ghinkul's arrest, until this month, Dridex activity had been close to nil.
“Cyber criminals often reach across international borders, but this operation demonstrates our determination to shut them down no matter where they are,” said Executive Assistant Director Robert Anderson Jr. of the FBI’s Criminal, Cyber, Response and Services Branch.