Goodbye #Dridex, good riddance #Locky

The Past

We will no doubt shortly see some official word on the 'takedown' of Dridex and/or Locky. It has been widely reported that the lack of daily spam campaigns indicates its disappearance is linked to the FSB operation. It's widely known that the FSB only get involved in cyber criminal activity when there is significant international pressure to investigate.

It's difficult not to draw logical conclusions on the timings of the two operations and subsequent disappearance of Dridex/Locky, but it's unlikely that Russia would be directly involved in a 'takedown' operation of a significant botnet which was responsible for the theft of money from banking institutions.

During the period from mid-2015 to the present day, 18 targeted attacks have been recorded across the country at bank customers’ automated workstations. The damage caused has exceeded 3 billion rubles. The police have prevented potential damage in the amount of 2 billion 273 million rubles.
— https://xn--80agyg.xn--b1aew.xn--p1ai/news/item/7894434/

FSB & MIA worked with Sberbank to conduct this operation, and the reports from Russian intelligence indicate around 2.2 billion rubles were lost between October 2015 and March 2016, which ironically is the same time as the arrest of Smilex, who at the time was in Cyprus and is originally from Moldova.

The Present

  • Vawtrak/Hancitor/H1N1
  • Vawtrak = Banking Trojan AKA Neverquest
  • Hancitor = Dropper, usually by a Macro
  • H1N1 = Loader, with UAC bypass (with some additional checks for GetCurrentProcess, and a nice crash) - Thanks to the geniuses on KernelMode

Identifying Hancitor was done post-infection in my lab. Thanks to Matt, as ever.

Really great overview here from Proofpoint and a sample here