Dridex Resurfaces to Open the Door to Credential Theft

December 17, 2019
Marcus Hartwig
Director, Product Marketing
Dridex Resurfaces to Open the Door to Credential Theft

In early December, the United States indicted Maksim Yakubets, a.k.a. Aqua, for allegedly the most prominent cybertheft campaign of the last decade. In addition, the U.S. Justice Department has offered a $5 million bounty for information leading to his arrest and conviction.

Maksim, reportedly the founding member of a group known as Evil Corp, has allegedly been responsible for the theft of thousands of bank account credentials from victims across multiple countries. By leveraging malware known as Dridex—also called Cridex or Bugat—Evil Corp reportedly managed to siphon tens of millions of dollars from unwitting victims. The FBI estimates that Dridex resulted in losses of $100 million or more across hundreds of banks.

The attack was as elegant as it was simple. Evil Corp would allegedly convince victims to click on a malicious link in a phishing email to download Dridex. Once installed, the malware would use a keylogger to grab passwords or create fake banking pages to trick someone into voluntarily entering their credentials. The phishing messages were often well crafted, using a combination of legitimate business names and domains, as well as the correct professional terminology.

Armed with bank account credentials, Evil Corp would reportedly arrange for electronic funds transfers from the victims’ bank accounts to a network of so-called money mules, who would then transfer the funds back to Evil Corp.

Of particular note is how Evil Corp continuously improves the Dridex malware, such as switching from a centralized command-and-control center to peer-to-peer botnets to make its activities harder to trace.

The National Security Agency (NSA) recently published its Top Ten Cybersecurity Mitigation Strategies. Aligned with the NIST cybersecurity framework, the strategies offer a risk-based approach to mitigating exploitation techniques used by advance persistent threat (APT) actors such as Dridex tactics, techniques and procedures (TTPs).

Of particular note are the following two recommendations:

  • Defend privileges and accounts. Assign privileges based on risk exposure and as required to maintain operations. Privileged accounts and services must be controlled because threat actors continue to target administrator credentials to access high-value assets and move laterally through the network.
  • Continuously hunt for network intrusions. Take proactive steps to detect, contain and remove any malicious presence within the network. Enterprise organizations should assume that a compromise has taken place and use dedicated teams to continuously seek out, contain and remove threat actors within the network.

Establishing proactive steps will transition the organization beyond basic detection methods, enabling real-time threat detection and remediation using a continuous monitoring and mitigation strategy.

We recently added Privileged Access Analytics to the Cognito platform from Vectra. PAA consists of AI-based algorithms that give a security operations center (SOC) team high-fidelity detections of attacker behaviors involving privileged accounts that are leveraged in unusual and potentially malicious behaviors. In effect, Vectra learns the patterns of your user accounts and intelligently alerts when credentials are misused like in phishing attacks.

PAA enables SOC teams to monitor and defend against these types of attacks. In addition to our extensive models that detect command-and-control channels, this make the Cognito platform a powerful tool to combat evolving malware attacks against enterprises.

For more information about threat behaviors and privilege-based attacks or to see the Cognito platform in action, please visit vectra.ai/demo.