The Dridex banking botnet is continuing to show some signs of life even after a high-profile FBI-led disruption operation earlier this month.
Servers associated with Dridex were seized in a co-ordinated operation on 13 September, weeks after a suspect, Moldovan national Andrey Ghinkul, was arrested in Cyprus in late August.
But the disruption has fallen short of completely shutting down the elusive botnet, according to antivirus firm Avira.
Avira researchers report that the botnet still appears to be partially operational. “I tested our Botchecker with a sample from yesterday, and I found a first stage node was still responding and delivering the main Dridex component and a list of second stage nodes,” according to Moritz Kroll, a malware researcher at Avira.
As we know from any number of horror films, decapitating zombie networks can be a difficult task, as evidenced by glitches in previous botnet takedown operations (examples here and here). Even though the alleged administrator is in jail and awaiting trial, the Dridex/Bugat botnet may still be alive, according to Avira.
Dridex was focused on stealing sensitive user information and banking credentials but the malware was also used at times for other forms of malfeasance, including running denial of service attacks against targeted websites from infected computers.
The malware used keystroke loggers and web injects to carry out its main function of stealing online banking credentials.
According to a US Department of Justice press release, Ghinkul has been charged (in a nine-count indictment filed in the Western District of Pennsylvania) with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud. The US is seeking his extradition.
Moritz Kroll, a malware and botnet specialist at Avira, explained that malicious Word documents are still being distributed as spam emails in attempts to infect new victims with Dridex as part of an ongoing post-takedown campaign.
“We're also seeing that the malware authors regularly release new versions of Dridex,” according to Kroll, who added new versions were seen on 16 and 20 October.
“So as the botnet is answering with new versions of the malware, we're probably not talking to sinkholed nodes,” he added. ®