
#RSAC
SESSION ID: HT-W10

The Swiss Army knife: big data dissolves the APT & crime grey area

Eward Driehuis, Director of Product, Fox-IT (@brakendelama)

Understanding criminal evolution

- Global visibility
- Collaboration
- Investigations
- Feeds

May 2014

Rewind 9 years…

- 2006: Slavik launches ZeuS
- 2009: SpyEye & Carberp compete for market share
- 2010: Slavik creates ZeuS2, hands over ZeuS support to the SpyEye guy
- 2011: ZeuS2 code leaks
- 2012: Gribodemon & Carberp members arrested

In 2009 Slavik had joined JabberZeuS, and evolved to GameOver / P2PZeuS.

The Businessclub legacy

- Businesslike
- Financial guy perfected money laundry
- Targeted commercial banking
- Perfected the Hybrid attack / Tokengrabber
- Perfected Cryptolocker
- Did some “light espionage”

Business club after Slavik

- Dyre
- Businessclub (GameOver ZeuS gang until May 2014)
- EvilCorp (Dridex crew)

Dridex: EvilCorp’s Swiss Army knife

EvilCorp network expands

- Core businessclub members in EvilCorp & Dridex operators
- Leveraging existing money laundry networks
- Branching out: Dridex operators do ransomware, RATs, credit cards, high value targets
- Ties with Anunak / Carbanak

Dridex

- Based on Bugat/Cridex/Feodo, since 2014
- Spreading: scattergun (spam / attachments)
- Modular architecture
- P2P, with 3 operating modes: token grabber, data mining, inter-node comm
- Using businessclub technology
- Loader dropping many different …

EvilCorp: Dridex targets 2015-2017

EvilCorp: ”Gucci” accounts

- Harvesting data from victims
- Big data techniques to find high value accounts
- Selected targets moved into other silos, or to specialist operator groups

Dridex & back-ends

(Snapshot May 2016)

EvilCorp organization

RAT attacks

- All targets are pre-selected
- Machines deep inside organizations
- Installer drops RAT and logs details
- Targeting PKI smartcard based banking
- The attackers patiently wait to execute a few or a single high value fraud

Targeted attacks, resembling APT behavior

Intrusion behavior:
- Metasploit, etc…
- Gathering intel first
- Lateral movement
- Sleeper cell, biding their time

Not the only gang in town

- TheTrick
- Dridex operator groups
- Multiple operators using ZeuS variants

Criminals think like businesses

Invest / Return, by era:
- 2006: Retail banks + Individuals
- 2011: + Commercial + SME banks
- 2016: + Enterprise

Moving away from end-point

- 2006, Webinjects: automate complete workflow
- 2011, Hybrid: webinject / fakes, steal creds & auth, operator looks over shoulder
- 2016, RAT: no browser manipulation, operator does the rest

Evolving their money laundry networks

- 2006: $ 1,000,000
- 2011: $ 1,000,000
- 2016: $ 81,000,000

The game has changed

(Chart: Victims, Tech Level and Money Laundry Capability, 2006 / 2011 / 2016)

Risk for criminals decreasing
- Targeting enterprise with the same MO
- Lateral movement / APT techniques
- Sleeper cells

[email protected] @brakendelama