The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), has disrupted a peer-to-peer (P2P) botnet dubbed Dridex, whose malware was designed to steal banking and other credentials from infected computers and which uses a decentralized network infrastructure of compromised personal computers and web servers for command-and-control (C2).
In parallel, charges have been filed in the Western District of Pennsylvania against the alleged Moldovan administrator of the botnet known as “Bugat,” “Cridex” or “Dridex.”
Andrey Ghinkul, aka Andrei Ghincul and Smilex, 30, of Moldova, was charged in a nine-count indictment unsealed in the Western District of Pennsylvania with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud.
Ghinkul was arrested on Aug. 28, 2015 in Cyprus.
On February 13 the FBI released a technical alert providing further information about the crippling of the Dridex botnet.
The FBI estimates that U.S. businesses have lost $10m to Dridex, and has accused Ghinkul and fellow gang members of transferring over $3.5m in two transactions in 2012 from Penneco Oil’s US bank account to a bank account in Russia.
“Dridex is a multifunctional malware package that leverages obfuscated macros in Microsoft Office and extensible markup language (XML) files to infect systems. It aims to infect computers, steal credentials, and obtain money from victims’ bank accounts,” the FBI officials said in the announcement.
The malware had infected computers in some 27 nations, including the US, Canada, UK, Ireland, France, Switzerland, Germany, Norway, Austria, Netherlands, Italy, Belgium, Croatia, Bulgaria, Romania, United Arab Emirates, Qatar, Israel, Indonesia, Singapore, Malaysia, Hong Kong, China, India, Vietnam, Australia, and New Zealand.
“Operating primarily as a banking Trojan, Dridex is generally distributed through phishing email messages. The emails appear legitimate and are carefully crafted to entice the victim to click on a hyperlink or to open a malicious attached file. Once a computer has been infected, Dridex is capable of stealing user credentials through the use of surreptitious keystroke logging and web injects,” they added.
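Because the FBI describes the infection vector as macro-laden Office documents delivered by phishing email, a defender's first triage step is simply to find out whether an attachment carries a VBA project at all. The following added example (not code from the FBI alert or from any Dridex analysis) inspects modern OOXML packages (.docx/.docm/.xlsx/.xlsm) for the `vbaProject.bin` part and its content-type declaration, and flags attachments that contain one. The `build_sample_docx` helper constructs a minimal stand-in package purely so the check can run offline; the file names and attachment list are likewise constructed.

```python
import io
import zipfile

# OOXML part names that hold an embedded VBA project (Word, Excel, PowerPoint).
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type an OOXML package declares for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(doc_bytes: bytes) -> bool:
    """Return True if the OOXML package contains a VBA project part.

    Non-zip input (e.g. legacy binary .doc, or a plain file) returns False; a
    full pipeline would route those to a separate OLE-aware check.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = set(zf.namelist())
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return False
    if any(member in names for member in MACRO_MEMBERS):
        return True
    # Belt and braces: a declared VBA content type without the part is still suspicious.
    return VBA_CONTENT_TYPE in content_types


def triage_attachments(attachments):
    """Return the names of attachments that contain VBA macros.

    `attachments` is an iterable of (filename, raw_bytes) pairs, as a mail
    gateway or SOC script would pull them from a message.
    """
    flagged = []
    for name, data in attachments:
        if has_vba_macros(data):
            flagged.append(name)
    return flagged


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal docx-like zip for demonstration only (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Constructed placeholder bytes; a real vbaProject.bin is an OLE container.
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample message: one macro-bearing attachment, one clean, one not OOXML.
    sample = [
        ("invoice.docm", build_sample_docx(with_macro=True)),
        ("memo.docx", build_sample_docx(with_macro=False)),
        ("notes.txt", b"plain text, not a zip"),
    ]
    print("Flagged attachments:", triage_attachments(sample))  # ['invoice.docm']
```

This check only answers "is there a macro here"; it says nothing about whether the macro is obfuscated or malicious. In practice it is the cheap gate before heavier analysis (extracting and inspecting the VBA source, detonation in a sandbox), and a useful policy hook on its own: mail gateways that quarantine macro-bearing attachments from external senders cut off the delivery path the alert describes.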
A computer infected with Dridex may also be used to send spam, participate in distributed denial-of-service (DDoS) attacks, and harvest users’ credentials for online services, including banking services.
To remediate Dridex infections, users are advised to use and maintain anti-virus software, change their passwords, keep their operating system and application software up to date, and use anti-malware tools.