In light of recent news about the Dridex takedown, the AnubisNetworks Labs team would like to take this opportunity to share with the community some of the efforts undertaken during this investigation, led by the NCA with our participation, to track this malware and exploit its communication channels.
In March 2015, the AnubisNetworks Labs team started analyzing multiple malware samples of the Dridex family, which ultimately led to running a fake node inside the Dridex botnets.
Dridex has been around since November 2014 and is an evolution of the malware families known as Bugat, Geodo, Feodo and Cridex. The malware is distributed via email with a malicious Microsoft Word document as an attachment which, once opened, downloads a second-stage payload that infects the system.
Primarily targeting home banking users, it is malware with various capabilities including man-in-the-browser, keylogging, proxy and VNC. It features a peer-to-peer (P2P) network and uses cryptography on its communication channels.
[Figure: P2P network structure of Dridex]
Dridex botmasters are very active, launching new campaigns against different geographies and regularly hardening the botnet infrastructure with new countermeasures and command and control systems.
This research allowed AnubisNetworks to gain significant knowledge about this botnet and its modus operandi, including an in-depth understanding of how:
1. Dridex deploys a hybrid peer-to-peer network with different layers in order to achieve resilience against a takedown;
2. The Dridex ecosystem consists of a small number of independent botnets that target different geographies and financial institutions;
3. Dridex is currently being used to obtain credentials for a large number of online services, including several banking services in multiple countries;
4. By reversing the Dridex communication protocols, we were able to deploy a rogue node that can eavesdrop on botnet communications between bots and supernodes (admin_nodes), enumerate bots and map the infection dispersion of the botnets.
With this post, we provide a full report that describes in detail the communication channels of the Dridex malware once it is up and running on infected systems, namely its P2P network, encryption methods and associated C2 infrastructure. Our intent was to focus on how the malware communicates with its command and control and to map possible vulnerabilities in the protocols it uses, in order to support monitoring capabilities.
During our analysis we detected several vulnerabilities in the Dridex P2P protocols that could be used to:
- Identify infected systems remotely;
- Obtain data exfiltrated from infected machines.