US-CERT published an advisory today regarding the Dridex banking Trojan following a massive resurgence of the malware over the past few weeks as part of a large phishing campaign.
Dridex is an evolution of an increasingly sophisticated family of malware focused on stealing banking credentials. This particular strain of bank credential-stealing malware was first seen one year ago and has quickly become increasingly sophisticated, with the ability to evade anti-virus and peer-to-peer capability.
The malware exploits systems to send out spam/phishing emails with infected attachments (macros in Word) to compromise more systems, as well as its primary function of stealing banking credentials on compromised systems.
The malware was used in a massive phishing campaign mostly targeting the UK over the past few weeks. The National Crime Agency in the UK have been working with US law enforcement and other partners to bring the botnet created by the malware down. However, not before the criminals operating in Eastern Europe have netted over $40 million from UK ($30M) and US ($10M) victims.
At least one significant arrest has been made in this case – Andrey Ghinkul from Moldova who is believed to be the administrator of the botnet was arrested in Cyprus this past August, with possibly more arrests to follow.
The US and UK were able to not only arrest Ghinkul but also disrupt the botnet itself by targeting the peer-to-peer operations of the malware using a sinkhole.
“Through a technical disruption and criminal indictment, we have struck a blow to one of the most pernicious malware threats in the world,” said U.S. Attorney Hickton.