UK, US law enforcement agencies disrupt Dridex botnet

The UK’s National Crime Agency is spearheading an onslaught against the Dridex (aka Bugat, aka Cridex) banking malware and the criminals that wield it.

“Dridex malware, also known as Bugat and Cridex, has been developed by technically skilled cyber criminals in Eastern Europe to harvest online banking details, which are then exploited to steal money from individuals and businesses around the world,” the agency explained. “Global financial institutions and a variety of different payment systems have been particularly targeted, with UK losses estimated at £20m. The NCA assesses there could be thousands of infected computers in the UK, the majority being Windows users.”

Dridex is usually delivered to potential victims via email, masquerading as seemingly innocuous documents and links. Once the user is tricked into opening the document or clicking on the link and, consequently, installing the malware, it waits in the background and springs into action when the user decides to do some online banking. It logs keystrokes, injects phishing forms into legitimate banking sites as the victim's browser renders them, and sends the stolen information to the C&C server(s) controlled by the criminals.

The NCA, Europol’s European Cybercrime Centre (EC3), the US FBI and other law enforcement agencies and key private partners are also set on sinkholing the malware and stopping it from communicating with the cyber crooks that control the botnet into which the infected computers have been roped.

The FBI has also announced that charges have been filed against Andrey Ghinkul, aka Andrei Ghincu, a Moldovan administrator of the botnet. Ghinkul was arrested in August in Cyprus, and is yet to be extradited to the US. The FBI estimates that at least $10 million has been stolen from US citizens and entities with the Dridex malware.

“Actions taken by the UK and the US substantially disrupted the botnet,” the FBI stated.

US-CERT has issued an alert about the malware, and has offered advice on how users can check whether they are infected, what to do if they are, and how to prevent future infections.

NCA’s National Cyber Crime Unit (NCCU) has initiated remediation activity to safeguard victims.

It’s hard for users to notice a Dridex infection. The malware is good at hiding from security solutions, and the criminals wielding it are not too greedy – they prefer stealing small amounts of money from each compromised account so that the theft doesn’t get noticed soon. Still, little by little, they amassed a huge amount of money.
