The Dridex Swiss Army Knife: Big Data Dissolves the APT & Crime Grey Area

#RSAC SESSION ID: HT-W10
The Dridex Swiss Army knife: big data dissolves the APT & crime grey area
Eward Driehuis, Director of Product, Fox-IT, @brakendelama

Understanding criminal evolution
  • Global visibility
  • Collaboration
  • Investigations
  • Feeds

May 2014

Rewind 9 years…
  • 2006: Slavik launches ZeuS
  • 2009: SpyEye & Carberp compete for market share
  • 2010: Slavik creates ZeuS2; hands over ZeuS support to the SpyEye guy
  • 2011: ZeuS2 code leaks
  • 2012: Gribodemon & Carberp members arrested
  • In 2009 Slavik had joined JabberZeuS, which evolved into GameOver / P2PZeuS

The Businessclub legacy
  • Businesslike
  • Financial guy perfected money laundering
  • Targeted commercial banking
  • Perfected the hybrid attack / token grabber
  • Perfected ransomware / CryptoLocker
  • Did some “light espionage”

Business club after Slavik
  • Dyre
  • Businessclub (GameOver ZeuS gang until May 2014)
  • EvilCorp (Dridex crew)

Dridex: EvilCorp’s Swiss Army knife

EvilCorp network expands
  • Core Businessclub members in EvilCorp & Dridex operators
  • Leveraging existing money laundering networks
  • Branching out: Dridex operators do ransomware, RATs, credit cards, high-value targets
  • Ties with Anunak / Carbanak

Dridex malware
  • Based on Bugat/Cridex/Feodo, since 2014
  • Spreading: scattergun (spam / attachments)
  • Modular architecture
  • P2P, with 3 operating modes: token grabber, data mining, inter-node communication
  • Using Businessclub technology
  • Loader dropping many different malwares

EvilCorp: Dridex targets 2015–2017 (figure)

EvilCorp: ”Gucci” accounts
  • Harvesting data from victims
  • Big data techniques to find high-value accounts
  • Selected targets moved into other silos, or to specialist operator groups

Dridex botnets & back-ends (snapshot May 2016) (figure)

EvilCorp organization (figure)

RAT attacks
  • All targets are pre-selected
  • Machines deep inside organizations
  • Installer drops RAT and logs details
  • Targeting PKI smartcard-based banking
  • The attackers patiently wait to execute a few or a single high-value fraud

Targeted attacks, resembling APT behavior
  • Intrusion behavior: Metasploit, etc…
  • Gathering intel first
  • Lateral movement
  • Sleeper cell, biding their time

Not the only gang in town
  • TheTrick
  • Dridex operator groups
  • Multiple operators using ZeuS variants

Criminals think like businesses (invest / return per period)
  • 2006: retail banks + individuals
  • 2011: + commercial + SME banks
  • 2016: + enterprise

Moving away from the end-point
  • 2006, webinjects: automate complete workflow
  • 2011, hybrid: webinject / fakes steal creds & auth; operator does the rest
  • 2016, RAT: no browser manipulation; operator looks over shoulder

Evolving their money laundering networks
  • 2006: $ 1,000,000
  • 2011: $ 1,000,000
  • 2016: $ 81,000,000

The game has changed (chart comparing 2006, 2011 and 2016 on victims, tech level and money laundering capability)

Risk for criminals decreasing
  • Targeting enterprise with the same MO
  • Lateral movement / APT techniques
  • Sleeper cells

[email protected] @brakendelama

Details
  • File type: pdf
  • Content language: English
  • File pages: 22