Dell, FBI and NCA bring down botnet behind £20m cyber bank heist

A pernicious malware botnet involved in the theft of 20 million from UK bank accounts has been taken down by Dell SecureWorks, the FBI, the UK National Crime Agency (NCA), and the Shadowserver Foundation.

Known as Dridex, the banking Trojan is spread through email attachments. In the past this involved an infection embedded in the attachment that would exploit vulnerabilities in the user's operating system, but recent analysis by the Dell SecureWorks Counter Threat Unit (CTU) found Dridex was being spread by macros in Microsoft Word documents, which were also delivered as attachments.

The NCA estimates that at least 20 million has been stolen by the operators of the botnet from UK bank accounts alone, with France also heavily targeted. In the US, the figure is thought to be about $10 million (6.5 million).

With the help of the NCA, FBI and Shadowserver Foundation, Dell CTU developed a strategy to poison Dridex's extensive botnet, redirecting the infected systems to a "sinkhole".

One of Dridex's so-called sub-botnets, number 220, consisted of around 4,000 bots. To put this in context, 220 is just one of 13 sub-botnets discovered so far by the researchers.

Brett Stone-Gross, one of the members of Dell SecureWorks CTU, said: "The takedown of the Gameover Zeus botnet in June 2014 as part of Operation Tovar left a void in the cybercriminal community, particularly for those targeting financial institutions."

"To fill this gap, threat actors created new botnets, including Dridex and Dyre. CTU researchers have observed a significant overlap in the tactics, techniques, and procedures (TTPs) between Gameover Zeus and bothDridex and Dyre, indicating that previous affiliates had moved on to new botnet business ventures and were continuing to carry out their fraudulent activities," he added.

Europol, GCHQ and the Moldovan authorities have also announced a "significant arrest" resulting from the disruption of Dridex, with more expected to follow. The 30-year-old man arrested was wanted by the US.

Candid Wueest, a threat researcher with Symantec, noted: "Take-downs of this kind have directly contributed to a slow-down in use of financial Trojans. Despite the criminals' best efforts, financial Trojan infections decreased by 35 percent in 2014, thanks in part to the efforts of different law enforcement agencies in cooperation with the security industry."

However, Wueest added: "It is clear that these operations have had some success but cutting off one head of the Hydra won't kill it. Whilst largescale operations and collaboration needs to continue, consumers and businesses can help armour themselves against these threats."

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.