The Dridex Swiss Army Knife: Big Data Dissolves the APT & Crime Grey Area
#RSAC SESSION ID: HT-W10
The Dridex Swiss Army knife: big data dissolves the APT & crime grey area
Eward Driehuis, Director of Product, Fox-IT, @brakendelama

Understanding criminal evolution
- Global visibility
- Collaboration
- Investigations
- Feeds

May 2014

Rewind 9 years…
- 2006: Slavik launches ZeuS
- 2009: SpyEye & Carberp compete for market share
- 2010: Slavik creates ZeuS2; hands over ZeuS support to the SpyEye guy
- 2011: ZeuS2 code leaks
- 2012: Gribodemon & Carberp members arrested
- In 2009 Slavik had joined JabberZeuS, which evolved into GameOver / P2PZeuS

The Businessclub legacy
- Businesslike
- Financial guy perfected money laundering
- Targeted commercial banking
- Perfected the hybrid attack / token grabber
- Perfected ransomware / CryptoLocker
- Did some "light espionage"

Business club after Slavik
- Dyre
- Businessclub (GameOver ZeuS gang until May 2014)
- EvilCorp (Dridex crew)

Dridex: EvilCorp's Swiss Army knife

EvilCorp network expands
- Core Businessclub members in EvilCorp & Dridex operators
- Leveraging existing money laundering networks
- Branching out: Dridex operators do ransomware, RATs, credit cards, high value targets
- Ties with Anunak / Carbanak

Dridex malware
- Based on Bugat/Cridex/Feodo, since 2014
- Spreading: scattergun (spam / attachments)
- Modular architecture
- P2P, with 3 operating modes: token grabber, data mining, inter-node communication
- Using Businessclub technology
- Loader dropping many different malware families

EvilCorp: Dridex targets 2015-2017

EvilCorp: "Gucci" accounts
- Harvesting data from victims
- Big data techniques to find high value accounts
- Selected targets moved into other silos, or to specialist operator groups

Dridex botnets & back-ends (snapshot May 2016)

EvilCorp organization

RAT attacks
- All targets are pre-selected
- Machines deep inside organizations
- Installer drops RAT and logs details
- Targeting PKI smartcard based banking
- The attackers patiently wait to execute a few, or a single, high value fraud

Targeted attacks, resembling APT behavior
- Intrusion behavior: Metasploit, etc…
- Gathering intel first
- Lateral movement
- Sleeper cell, biding their time

Not the only gang in town
- TheTrick
- Dridex operator groups
- Multiple operators using ZeuS variants

Criminals think like businesses
- 2006: retail banks + individuals (invest, return)
- 2011: + commercial + SME banks (invest, return)
- 2016: + enterprise (invest, return)

Moving away from the end-point
- 2006, webinjects: automate the complete workflow
- 2011, hybrid: webinject / fakes steal creds & auth; operator does the rest
- 2016, RAT: no browser manipulation; operator looks over the shoulder

Evolving their money laundering networks
- 2006: $1,000,000
- 2011: $1,000,000
- 2016: $81,000,000

The game has changed
(chart: 2006 / 2011 / 2016 plotted against Victims, Tech Level, Money Laundering Capability)

Risk for criminals decreasing
- Targeting enterprise with the same MO
- Lateral movement / APT techniques
- Sleeper cells

[email protected] @brakendelama