Introduction
In early September 2015, we started seeing reports about arrests tied to Dridex malware [1, 2]. About that time, we noticed a lack of botnet-based malicious spam (malspam) pushing Dridex malware. During the month of September, Dridex disappeared from our radar. By the beginning of October 2015, malspam pushing Dridex came back [3], and it's continued since then.
From what I can tell, Dridex was gone for about a month.
Despite Dridex being back, organizations have still been discussing the Dridex takedown. The most recent wave of reporting happened in mid-October after the US Justice Department (DoJ) published a news release [4]. The DoJ release on Dridex (also known as Bugat or Cridex) reported the botnet administrator had been arrested, and the botnet's operations had been substantially disrupted. This news spread as other organizations passed on the information [5, 6, 7, to name a few]. Some of these reports warned that botnets are rarely disrupted for long, and that's certainly been the case with Dridex.
Details
According to the DoJ release, the Dridex botnet administrator was arrested on 2015-08-28 [4]. On 2015-10-01, Palo Alto Networks reported Dridex was back [3]. That represents approximately one month of disruption. Let
Shown above: Searching for #Dridex on Virus Total.
This morning (Friday 2015-10-23) when I searched VirusTotal for #Dridex, I found more than 80 comments posted by at least a dozen individuals after the 2015-08-28 arrest. These #Dridex comments covered 28 Word documents, 4 Excel spreadsheets, and 37 Win32 EXE files.
Shown above: Examples of the #Dridex comments.
I compiled a spreadsheet of the data. It's saved as a .csv file available here. In it, you'll find an absence of #Dridex-tagged submissions after 2015-09-02. #Dridex-tagged submissions resumed on 2015-10-01.
Shown above: Spreadsheet indicates a gap in #Dridex-tagged malware.
The hashtag is a quick way to find files that people have specifically identified as Dridex. Some of the files may have been mistakenly identified, so there's room for error. However, this preliminary analysis backs up what Palo Alto reported [3], and plenty of us are seeing Dridex malspam on a near-daily basis now.
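As an added illustration that is not part of the original diary, the script below reproduces the gap check on a constructed CSV shaped like the spreadsheet described above (one row per #Dridex-tagged submission); the dates, file types and placeholder hashes are invented, not real indicators.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample in the shape of the diary's spreadsheet: one row per
# #Dridex-tagged VirusTotal submission. Dates and file types are illustrative
# and the hash column holds placeholders, not real indicators.
SAMPLE_CSV = """submitted,file_type,sha256
2015-08-31,Word document,PLACEHOLDER_HASH_01
2015-09-01,Win32 EXE,PLACEHOLDER_HASH_02
2015-09-02,Word document,PLACEHOLDER_HASH_03
2015-10-01,Word document,PLACEHOLDER_HASH_04
2015-10-02,Excel spreadsheet,PLACEHOLDER_HASH_05
2015-10-05,Win32 EXE,PLACEHOLDER_HASH_06
2015-10-22,Word document,PLACEHOLDER_HASH_07
"""


def load_submissions(text):
    """Parse CSV rows into (date, file_type) tuples sorted by submission date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((date.fromisoformat(row["submitted"]), row["file_type"]))
    rows.sort()
    return rows


def largest_gap(subs):
    """Return (last_before, first_after, days) for the longest stretch with no
    tagged submission, or None if there are fewer than two submissions."""
    best = None
    for (prev, _), (cur, _) in zip(subs, subs[1:]):
        days = (cur - prev).days
        if best is None or days > best[2]:
            best = (prev, cur, days)
    return best


def type_counts(subs):
    """Count submissions per file type, like the document/spreadsheet/EXE tally."""
    return Counter(file_type for _, file_type in subs)


if __name__ == "__main__":
    subs = load_submissions(SAMPLE_CSV)
    start, end, days = largest_gap(subs)
    print(f"no #Dridex-tagged submissions between {start} and {end} ({days} days)")
    print(dict(type_counts(subs)))
```

Pointing `load_submissions` at the real spreadsheet instead of the embedded sample gives the same gap report over the actual data.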
Final words
Dell SecureWorks has a good description of the architecture behind Dridex [7]. More recent write-ups about Dridex malspam are available from sites like Dynamoo's Blog [8] and Techhelplist.com [9].
Shown above: Example of Twitter commentary on the recent Dridex takedown (link).
In the past few days, we've received samples of malspam attachments submitted by our readers. Some of these submissions have been malicious Word documents associated with Dridex. As always, handlers at the ISC continue to monitor the cyber landscape, and we'll keep you up-to-date on any recent trends.
---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://krebsonsecurity.com/2015/09/arrests-tied-to-citadel-dridex-malware/
[2] https://threatpost.com/alleged-gozi-co-author-pleads-guilty-as-alleged-citadel-dridex-attacers-arrested/114566/
[3] http://researchcenter.paloaltonetworks.com/2015/10/dridex-is-back-and-targeting-the-uk/
[4] http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled
[5] https://nakedsecurity.sophos.com/2015/10/15/dridex-botnet-taken-down-multi-million-bank-fraud-suspect-arrested/
[6] http://www.theregister.co.uk/2015/10/14/dridex_botnet_takedown/
[7] http://www.secureworks.com/cyber-threat-intelligence/threats/dridex-bugat-v5-botnet-takeover-operation/
[8] http://blog.dynamoo.com/search/label/Dridex
[9] https://techhelplist.com/component/search/Dridex