eslabón más débil

Whitepaper
Analysis of Latest Dridex Campaign Reveals
Worrisome Changes and Hints at New Threat
Actor Involvement
En el informe del instituto Ponemon “2015 Cost of Cyber Crime Study:-
Global” se ha cifrado el coste medio del ciberfraude para una compañía
en 7,7 millones de dólares lo que sigue poniendo de manifiesto
el imparable crecimiento de este negocio en los últimos años.
Además también se concluye que el sector financiero vuelve a ser el sector
más afectado por estos ataques situándose en casi 13,5 millones de
dólares de pérdidas de media por compañía. Esta conocida tendencia al
alza en el cibercrimen es el origen de un incremento en la inversión en
seguridad por parte de las compañías. Sin embargo esta mayor inversión
no logra frenar a los ciberdelincuentes ¿por qué el resultado de esta inversión
no es directamente proporcional al descenso de las pérdidas?
La respuesta a esta pregunta se sustenta en dos pilares:
• Las amenazas son más avanzadas y el paradigma de la seguridad
ha cambiado de modo que las soluciones convencionales basadas
en firmas o ataques conocidos sobre activos tecnológicos de la compañía
no son suficientes, es necesaria una capa adicional de protección
• Los ataques contra entidades financieras se han dirigido
al compromiso del usuario final. Casi el 98% de las compañías
reconoce haber sufrido ataques de malware, y el 60 % reconoce
haber sufrido ataques de Phishing. La mayoría de compañías
no tiene soluciones de protección integral fuera del perímetro.
El usuario, el
eslabón más débil
La sociedad actual en la que cualquier persona dispone de dispositivos
electrónicos con los que realizar sus gestiones con la banca de manera cómoda
y rápida ha provocado un cambio en el paradigma de la seguridad
WebFraud Defense 1

Paper
Overview
A recent investigation taking place at buguroo Labs throughout the last
month gives us surprising insights into the latest Dridex campaigns. In
this article, we are not going to cover information related to how Dridex
works, how it is spread or which sophisticated mechanisms are used in
order to avoid detection and mitigation from the “good guys.”
We are going to show that something is changing in how the Dridex
infrastructure is being used. Suddenly and surprisingly, this ultrasophisticated
malware, which is targeting the most important companies
around the world and turning their security upside down, also has its own
code vulnerabilities. These vulnerabilities allow us to analyze impact of
the new Dridex campaigns from a different point of view, based on the
data it has stolen, not just its detection ratio.
Key Findings
• The Dridex infrastructure is not invulnerable. Some of the gate
URLs that are part of the 220 subnet can be exploited. Ultrasophisticated
malware has crude vulnerabilities.
• Analysis shows Dridex’s latest campaign has added new
targets on its compromising workflow. It is built to steal
credit card information using an Automatic Transfer System
(ATS) mechanism. From compromising users’ credentials
to hijacking end-users’ sessions in order to transfer money
directly to fraudulent mule accounts, Dridex covers a lot of
options to compromise victims’ data.
• In just this one subnet campaign, Dridex’s panel has
compromised data from more than 100 countries and has
credit card data affecting more than 900 entities. It is much
more than we expected and shows a worrying increase of the
malware’s scope.
• Despite 70 percent of the stolen credit cards recovered being
associated with English-speaking issuing organizations,
around 85 percent of entities affected are located in non-
English-speaking countries. The number of victims in the
Middle East, Africa and Latin America is increasing widely, so
Dridex can be considered a global threat.
buguroo 2

Paper
• During one 10-week period, attackers are estimated to
have launched multiple campaigns with the 220 subnet,
potentially compromising more than 1 million credit cards
with approximately $100 million in estimated financial losses.
• Dridex infrastructure is being used to distribute Locky
ransomware.
Introduction
In January 2016, we detected some alerts from a customer that has
deployed our endpoint protection mechanism, bugFraud Defense. Among
those alerts, we found a victim affected by a new malware that seems
to be an evolution of Dridex’s conventional campaigns. After analyzing
that sample and probing how the malware was using its infrastructure,
webinject revealed a vulnerability on a Dridex gate URL.
With the information obtained, buguroo was able to analyze and calculate
the scope of one of Dridex’s new campaigns. By carefully evaluating how
the cybercrime is organized and how Dridex is distributed by massive
spam campaigns, we were able to estimate how much this attack could
cost financial entities.
Webinject Static
Analysis
Our bugFraud Defense solution gave us the entire JavaScript that was
running on our financial entity victim, and that allowed us to analyze
deeply what the attack consisted of. In this case, the webinject included
in the victim’s browser was quite similar to any other from the same
malware campaign on the Internet. It has a script that invokes a remote
server in order to download the final JavaScript that is going to modify
the legitimate website content when the victim is navigating through it.
buguroo 3

Paper
This mechanism is known as an Automatic Transfer System (ATS). The
use of this mechanism allows attackers to have a service based on the
creation and maintenance of updated, personalized webinjects for
every target entity. So, the attack infrastructure is more fragmented,
and therefore, its mitigation is increasingly difficult. The development
highlights the Malware-as-a-Service concept.
However, improving the uptime or “realive” of the attacks is not the main
benefit of these mechanisms. The main benefit is based on advanced
functionalities, like the creation of injections interacting with post-login
pages. The victim cannot notice the infection or the damage it is causing,
and in fact, tends to unconsciously interact in favor of the attacker. The
samples used in those developments are shown below to provide a better
understanding of the performance:
buguroo 4

Paper
During our analysis period, we were able to detect three different ATS
Panels, which were enabled with Dridex malware infrastructure behavior.
Gate URL
Detected time
https://XXXXXXXol.name/adm/gate/ 27/01/2016
https://XXXXXXXna.com/facebookapi/gate/ 29/02/2016
https://smXXXXXXXXXX.com/facebookapi/gate/ 09/03/2016
Source Code
De-obfuscation
After downloading the Javascript’s source code, we found that it was an
obfuscated code, so we were requested to de-obfuscate and clean it in
order to make the data more readable. We used some static and dynamic
methodologies for this purpose.
O
B
F
U
S
C
A
T
E
D
D
E
O
B
F
U
S
C
A
T
E
D
buguroo 5

Paper
Interesting Variables
During our analysis we found different code variables that helped
us understand the final purpose of this JavaScript: to steal banking
credentials. The most important variables are listed below:
• gateURL: URL path related to the gate. It is the drop zone where
the Javascript sends compromised data, and it is also used
for recovering necessary data for the malware functionality. (
https://*****.***/adm/gate/)
• adminka_path: URL path related to the command and control
panel. It is the place where the botnet administrator can log in
to review the data(https://*****.***/adm/)
• bank_id, bank_folder_name: Affected entity
• account_id: stolen account ID
• transfer_info, all_transfers_info: All the information related to
account transfers
• mob_info: Mobile-related info. It could be used for bypassing
second-layer authentication
• login_node, pass_node: User credentials
Variable initialization
buguroo 6

Paper
Interesting Functions
We can confirm, after analyzing all of the code, that this was done by
professional developers as it contains more than 8,000 code lines,
including more than 100 functions with specific purposes. Some of the
features that are included in this extensive code can:
• Modify HTML content and show it to the end-user
• Parse and validate user credentials
• Connect with the Gate server
• Check different protection mechanism deployed by each
entity
• Manage and follow Bot workflow in an easy way
Examples of functions
buguroo 7

Paper
Webinject Behavior
Analysis
This campaign’s webinject is able to interact with the financial entity
hijacking the victim’s browser. The workflow this JS uses is as follows:
1. First, it initializes and replaces the variables related to
the Gate URL and the C&C URL; both are important in the
subsequent communication processes.
2. Secondly, the JS checks if the victim is browsing the targeted
entity login page.
3. If so, the JS modifies the HTML in order to steal the user’s
credentials.
4. If not, the JS shows an HTML file to keep the user waiting
while it checks if the victim is on the Main Page or on the
Account Details Page.
a. Main Page behavior: The JS steals the account balance
and holder name. It also logs internal status and account
number. In addition, it does some checks in order to abort
or continue the execution workflow.
buguroo 8

Paper
b. Account Details Page behavior: At the beginning, JS parses
the website looking for personal information. Depending on
the user status, the JS is also able to show an HTML form to
request the victims’ personal data or to request their credit
card data. All the information gathered is sent to the gate
URL previously configured.
5. Check if the compromised data is fake or not. JS is able to
verify credit card numbers with the Luhn algorithm, etc.
buguroo 9

Paper
Recovering
Compromised Data from
the C&C Panel
After research through our first JS detection, we found where the C&C login
panel was hosted. It appears like the image below.
Using this information in addition to the information obtained from our
JavaScript analysis and searching the Intel Big Data from buguroo Labs,
we noticed some coincidences between this panel and others we already
had detected in the past.
Looking deeply into the panel responses, we found that this panel version
was vulnerable, and we were able to recover part of the compromised
information.
Discovering the
Vulnerability
Testing how the panel responded to some of our requests and matching
this information with the JavaScript code information, we found that
there are a lot of variables that are not under any validation mechanism.
This way, we were allowed to recover most of the victims’ data.
buguroo 10

Paper
Whitepaper
Server response with internal data
Analyzing Recovered
Data
Recovered information has a specific structure that matches perfectly
with the content that is requested by the attackers’ HTML.
• Account.
• Holder name.
• Last login date.
• Card number.
o Card country.
o Card bank.
o Card type.
After analyzing the data in its entirety, we came to the following
conclusions:
1. There is an increase in the victims around the world. European
and English-speaking countries are still the main targets,
but it is significant to find credit cards related to African and
Latin American companies.
buguroo 11

Paper
2. After processing all the data contained in the attackers’ Web
panel, we were able to recover around 16,000 unique credit
card records. While this may not seem like a huge amount,
we need to consider this is just one part of just one Dridex
campaign. As it is said in the “Dridex: Tidal waves of spam
pushing dangerous financial Trojan” report from Symantec,
during the same period of time (10 weeks), 145 different
campaigns of Dridex were found, and nearly 40 percent of them
were related to the 220 subnet. This approximation allows us
to estimate the global cost of the Dridex 220 subnet at around
$20 million in profits, in just a 10-week period---supposing one
out of 10 credit cards work and can be used by the attackers
and considering $500 of average stolen money per account.
buguroo 12

Paper
Conclusions
It is quite rare to find an ultra-sophisticated malware like Dridex using
foreign infrastructure that can be compromised easily, allowing anyone to
get the data that malware has exfiltrated. This could support a hypothesis
that after October’s takedown, Dridex malware is being used for different
cyberattackers’ groups that are not necessarily the ones who developed
the first Dridex versions.
buguroo 13

Paper
It also supports a pattern we have seen in other examples like Dyre— how
cyberattacker groups evolve their strategies as their product lifecycle
matures. First, they create a new malware and use it themselves. After
some time, they sell it to other groups in the black markets. And eventually,
these others share or leak the code to the underground community.
This raises interesting possibilities. Is Dridex now being used by less
professional groups, as evidenced by the exceedingly rare vulnerability
of a C&C server to a basic attack? Is Dridex going to be the next massively
accessible malware like Zeus was in the past?
At the moment, two things are clear. The Dridex infrastructure is ramping
up its targeting of credit card and financial data, and it is being used to
massively distribute a new threat: Locky ransomware.
About buguroo
buguroo is a company of bug gurus redefining cybersecurity with a series
of recently announced next-generation IT security platforms. A U.S. startup
and spinoff of Deloitte’s European Security Operations Center (SOC), the
company introduced bugThreats, a threat intelligence platform (TIP)
that uses aggressive techniques to hack the hackers and mine relevant
threat data from the Dark Web and the surface Web to deliver actionable
intelligence.
Authors:
• David García Muñoz
• José Carlos Corrales Casas
Illustrations:
• Elisabet Fernández Cerro
buguroo 14

Paper
buguroo 15

info@buguroo.com
www.buguroo.com