#Dridex and the new Botnet ID

The FBI & the NCA published a report on the investigation into the recent takedown of what is known by those familiar with Dridex as Botnet 220.

For 12+ months we've tracked Dridex and the associated botnets, including 220 and 125. Ghinkul was arrested in Cyprus where in some stages of the botnets progression the conspicuous absence of any Cypriot banks was notable. 

I believe there are also links to Turkey in the Dridex botnets, with Turkish banking institutions being absent in most campaigns too.

A recent edition to the botnets configuration was the bank Coutts Interestingly, targeting not only the traditional banking institutions, but wealth management organisations.

Botnet 301 arrived around mid October and looks like it has replaced 220, or at least steps into its place. The large spam campaigns are still being delivered by the Microsoft Word Intruder kit.

Here is the decoded config from a recent campaign.

<config botnet="301"> <server_list> </server_list> </config>

I use IDR to work out the PE functions

The continuation of the spam campaigns is captured on an almost daily basis by great twitter commentators such as  @techhelplistcom, @conradlongmore @benkow_ @James_MHT all of which are prompt in the analysis and publish the IOC's required to block the almost inevitable infections.

The botnet is here to stay for a while, for a number of reasons

  • The MWI kit is still for sale
  • The Dridex payloads are still for sale
  • The 10k runs are still for sale

What can you do in the meantime to protect your users are some simple steps, you don't always  need to spend thousands on deploying perimeter security.

  1. Disable macros if you absolutely must enable them, use a trusted network location.
  2. Disable PowerShell or at least enforce a GP to ensure signed scripts run and block vbc.cmd via application blacklisting unless you're using scripts to manage network drives and manage logins, you can at least log what is being run on the endpoint and whitelist the acceptable scripts.
  3. DO use UAC to pop up and force a user to accept the prompt  request, DO NOT disable the splash prompt.
  4. Educate your users what Dridex is capable of, don't wait for the national news to tell them.
  5. Use Cuckoo Sandbox in conjunction with your mail domain, its simple to configure and can match some commercial sandboxes for capabilities.
  6. Use Microsoft Device Guard at least for Windows 10 which is a code integrity application.