Dridex botnet alive and well, now also spreading ransomware

Last October’s disruption of the Dridex botnet by UK and US law enforcement agencies and the arrest of a Moldovan bot master have not led to the death of the botnet.

That’s because the botnet is split into a number of subnets, each likely operated by a different team of attackers, and those teams continue to mount spam campaigns that swell the number of infected machines and to monetize the stolen banking credentials.


“Dridex’s operators are quite professional in their approach, usually following a Monday to Friday working week. The malware is continually refined and some degree of effort is applied to its spam campaigns in order to make them appear as authentic as possible,” Symantec researchers pointed out in a recently released whitepaper.

“Interestingly, Dridex largely ceased operations on December 24, 2015 and resumed again on January 6, 2016. The attackers appeared to have taken an extended break over the holiday period, much like any other professional organization would do.”

Symantec believes it’s likely that, barring a comprehensive takedown, the group(s) behind the botnet will continue to pose a threat throughout 2016, provided nobody else interferes with their infrastructure.

All in all, the October 2015 takedown operation had little impact on Dridex infections, as key elements of the operation are still running.

In fact, one of the subnets – 220 – seems to have temporarily switched to sending out spam email delivering the Bartallex downloader, which then downloads the Locky crypto ransomware.

Palo Alto Networks researchers suspect “there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky.”

Spam campaigns delivering the Dridex banking Trojan are both numerous and massive: many millions of emails are sent out per day.

“Almost three quarters of Dridex spam campaigns used real company names in the sender address and frequently in the email text. The vast majority of spam campaigns were disguised as financial emails, e.g. invoices, receipts, and orders,” Symantec researchers explained.
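The two lure traits Symantec describes, a real company name in the sender’s display name and a financial theme (invoice, receipt, order), are easy to turn into a mail-gateway triage check. The following is an added example written for this article, not code from Symantec, Palo Alto Networks or the Dridex operators; the company-to-domain table, the scoring threshold and the sample messages are all constructed assumptions for illustration.

```python
"""Triage heuristic for Dridex-style invoice/receipt lures (added example).

A message is flagged when at least two of these hold:
  * the From display name mentions a known company, but the envelope
    address is not on one of that company's domains (name spoofing);
  * the subject uses a financial lure word (invoice, receipt, order, ...);
  * it carries a macro-capable or executable attachment.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lookup table (assumption): company name as it appears in a
# display name -> domains that company legitimately sends from.
KNOWN_COMPANIES = {
    "acme corp": {"acme.example"},
    "northwind ltd": {"northwind.example"},
}

FINANCE_LURE = re.compile(r"\b(invoice|receipt|order|payment|remittance|statement)\b", re.I)
RISKY_EXT = re.compile(r"\.(docm?|xlsm?|xls|zip|js|scr|exe)$", re.I)


def score_message(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [str, ...]} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    company = next((c for c in KNOWN_COMPANIES if c in name.lower()), None)
    if company and domain not in KNOWN_COMPANIES[company]:
        reasons.append(f"display name '{name}' but sender domain '{domain}'")

    subject = str(msg.get("Subject", ""))
    if FINANCE_LURE.search(subject):
        reasons.append(f"financial lure in subject: '{subject}'")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if RISKY_EXT.search(filename):
            reasons.append(f"macro-capable or executable attachment: {filename}")

    # Threshold is an assumption: one signal alone is too noisy for real invoices.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: spoofed company name, invoice theme, .doc attachment.
LURE = """\
From: "Acme Corp Accounts" <accounts@mail-notify.example>
To: victim@example.com
Subject: Invoice 4471 attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached invoice.
--b1
Content-Type: application/msword; name="invoice_4471.doc"
Content-Disposition: attachment; filename="invoice_4471.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
""".encode()

# Constructed sample: a genuine invoice from the company's own domain with a PDF.
LEGIT = """\
From: "Acme Corp Accounts" <accounts@acme.example>
To: customer@example.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Your invoice is attached.
--b2
Content-Type: application/pdf; name="invoice_4471.pdf"
Content-Disposition: attachment; filename="invoice_4471.pdf"
Content-Transfer-Encoding: base64

AAAA
--b2--
""".encode()

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("legit", LEGIT)):
        print(label, score_message(sample))
```

The legitimate invoice still trips the subject rule, which is exactly why the check requires two signals; in production the company table would be fed from your own vendor list and the attachment rule would hand macro documents to a sandbox rather than just logging a reason.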

The criminals mainly target English-speaking regions. Dridex is capable of stealing banking details of customers of nearly 300 financial institutions in wealthy countries, mostly the US, European and several Asia-Pacific countries.