Dell, FBI and NCA bring down botnet behind £20m cyber bank heist

Malware-slinging Dridex servers seized, while one arrest has been made

A pernicious malware botnet involved in the theft of £20 million from UK bank accounts has been taken down by Dell SecureWorks, the FBI, the UK National Crime Agency (NCA), and the Shadowserver Foundation.

Known as Dridex, the banking Trojan is spread through email attachments. In the past this involved an infection embedded in the attachment that would exploit vulnerabilities in the user's operating system, but recent analysis by the Dell SecureWorks Counter Threat Unit (CTU) found Dridex was being spread by macros in Microsoft Word documents, which were also delivered as attachments.

The NCA estimates that at least £20 million has been stolen by the operators of the botnet from UK bank accounts alone, with France also heavily targeted. In the US, the figure is thought to be about $10 million (£6.5 million).

With the help of the NCA, FBI and Shadowserver Foundation, Dell CTU developed a strategy to poison Dridex's extensive botnet, redirecting the infected systems to a "sinkhole".

One of Dridex's so-called sub-botnets, number 220, consisted of around 4,000 bots. To put this in context, 220 is just one of 13 sub-botnets discovered so far by the researchers.

Brett Stone-Gross, one of the members of Dell SecureWorks CTU, said: "The takedown of the Gameover Zeus botnet in June 2014 as part of Operation Tovar left a void in the cybercriminal community, particularly for those targeting financial institutions."

"To fill this gap, threat actors created new botnets, including Dridex and Dyre. CTU researchers have observed a significant overlap in the tactics, techniques, and procedures (TTPs) between Gameover Zeus and both Dridex and Dyre, indicating that previous affiliates had moved on to new botnet business ventures and were continuing to carry out their fraudulent activities," he added.

Europol, GCHQ and the Moldovan authorities have also announced a "significant arrest" resulting from the disruption of Dridex, with more expected to follow. The 30-year-old man arrested was wanted by the US.

Candid Wueest, a threat researcher with Symantec, noted: "Take-downs of this kind have directly contributed to a slow-down in use of financial Trojans. Despite the criminals' best efforts, financial Trojan infections decreased by 35 percent in 2014, thanks in part to the efforts of different law enforcement agencies in cooperation with the security industry."

However, Wueest added: "It is clear that these operations have had some success but cutting off one head of the Hydra won't kill it. Whilst large-scale operations and collaboration need to continue, consumers and businesses can help armour themselves against these threats."
