Dridex Fraud Botnet Disrupted

Several C&C servers running the Dridex banking Trojan have been disrupted by the UK National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI). This malware has been distributed via spam messages using different templates.

The spam messages carry a Microsoft Word attachment containing macros that download and execute the Dridex loader, which installs the malware components and turns the victim machine into part of the zombie network. The malware components include a loader that contains the initial node used to join the botnet, a core module that records the keystrokes typed during browsing, a VNC module that gives the attacker remote access at any time, and a backconnect module that lets the attacker use the victim machine as a proxy.
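Because the infection chain above starts with a macro-bearing Word attachment, a mail gateway or triage script can flag such attachments before a user ever opens them. The following is an added example, not code from this article or from the NCA, FBI or Dell SecureWorks: it inspects an OOXML Word file for the two indicators of an embedded VBA project (the `word/vbaProject.bin` part and the macro-enabled content type). The sample documents are constructed in memory and carry an inert placeholder instead of real macro code.

```python
import io
import zipfile

# Content type Word declares for a macro-enabled document (.docm)
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"


def docx_has_macros(data: bytes) -> bool:
    """Return True if an OOXML Word document (raw bytes) carries a VBA project.

    Two independent indicators are checked: the word/vbaProject.bin part inside
    the zip container, and a macro-enabled content type in [Content_Types].xml.
    Either one is enough to flag the file. Non-zip input (e.g. legacy .doc) is
    outside the scope of this check and is reported as not flagged.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "word/vbaProject.bin" in names:
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_ENABLED_CT in content_types:
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachments(attachments):
    """Given (filename, bytes) pairs, return the filenames that carry macros."""
    return [name for name, data in attachments if docx_has_macros(data)]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word document in memory.

    This is a constructed sample, not a real Dridex lure; the VBA part is an
    inert placeholder string, not executable macro code.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = ""
        if with_macro:
            override = ("<Override PartName='/word/document.xml' "
                        "ContentType='" + MACRO_ENABLED_CT + "'/>")
        zf.writestr("[Content_Types].xml",
                    "<?xml version='1.0'?><Types>" + override + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: one macro-enabled lure, one clean document, one non-OOXML file
    inbox = [
        ("invoice_2015.docm", build_sample(with_macro=True)),
        ("agenda.docx", build_sample(with_macro=False)),
        ("notes.txt", b"plain text, not a zip container"),
    ]
    print("flagged attachments:", triage_attachments(inbox))
```

The check deliberately ignores the file extension: an attachment renamed to `.docx` still contains `word/vbaProject.bin` if it was saved with macros, so the container contents, not the name, decide whether the file is flagged.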

US and UK law enforcement obtained court permission to disrupt the C&C servers identified during the investigation. Together, they managed to turn off a large part of the Trojan's infrastructure.

Map of Dridex infections for sub-botnet 220. (Source: Dell SecureWorks)

You can also find technical information about this malware in the Dell SecureWorks threat analysis article: http://www.secureworks.com/cyber-threat-intelligence/threats/dridex-bugat-v5-botnet-takeover-operation/