Threat Management, Malware

Dridex botnet disrupted in global effort, U.S. charges Moldovan man

The Dridex botnet – also known as Bugat and Cridex – has been significantly disrupted as part of a global operation, and a 30-year-old Moldovan man has been charged in the Western District of Pennsylvania with being an administrator, the Justice Department announced on Tuesday.

The U.S. is currently seeking the extradition of Andrey Ghinkul – also known as Andrei Ghincul and Smilex – following his Aug. 28 arrest in Cyprus. He is charged in a nine-count indictment with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud.

Dridex is malware perhaps best known for stealing banking and other credentials. The FBI disrupted the botnet and made the arrest along with help from the UK's National Crime Agency (NCA), Europol's EC3, the Dell SecureWorks Counter Threat Unit (CTU), and several other organizations and security vendors.

“The indictment alleges that Ghinkul and his co-conspirators used the malware to steal banking credentials and then, using the stolen credentials, to initiate fraudulent electronic funds transfers of millions of dollars from the victims' bank accounts into the accounts of money mules, who further transferred the stolen funds to other members of the conspiracy,” a release said.

According to a Tuesday Dell SecureWorks post, the botnet has been tied to losses of about $30.5 million in the UK and at least $10 million in the U.S. The malware has been observed spreading through spam emails containing malicious attachments.

Dell SecureWorks explained in the post how its team helped take down the Dridex botnet.

“In collaboration with the NCA, the FBI, and the Shadowserver Foundation, CTU researchers developed and executed a technical strategy to take over the Dridex botnet by poisoning each sub-botnet's P2P network and redirecting infected systems to a sinkhole,” the Dell SecureWorks post said.

The Dridex botnet really took off after the infamous Gameover Zeus botnet was disrupted in May 2014 as part of an international takedown, the Dell SecureWorks post said, noting that Dridex never quite reached the same success as Gameover Zeus.

In a Tuesday Trend Micro post, the security firm – who said they worked with law enforcement as part of the Dridex takedown – provided a breakdown of Dridex infections over the last three months. Nearly 20 percent of infections were in the U.S., about 16 percent were in the UK, and more than 10 percent were in Japan.

According to reports, Dridex may have infected as many as 125,000 computers per year, and attackers sent out as many as 350,000 Dridex-laced spam emails per day.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.