Joint efforts by law-enforcement agencies in the US and UK have crippled an eastern European gang behind the bank credential-stealing botnet known as Dridex.
On Tuesday, the FBI announced charges against Andrey Ghinkul, the alleged administrator of the Dridex botnet - also known as Bugat or Cridex - and revealed that it is seeking his extradition from Cyprus, where he was arrested in late August.
Dridex malware has been around for several years and is known for largely targeting Windows machines at companies in the UK and US, usually through phishing email with malware-laced Word attachments.
The FBI estimates US businesses have lost $10m to Dridex and has accused Ghinkul and fellow gang members of transferring over $3.5m during two transactions in 2012 from Penneco Oil's US bank account to a bank account in Russia.
The two law-enforcement agencies have conducted a coordinated technical takedown of the Dridex botnet, using a technique known as 'sink-holing' to commandeer the network of infected machines.
As a result, although machines running Dridex remain infected, they will now be communicating with servers under the control of the FBI and NCA, as well as technical partners, which include Dell SecureWorks and anti-botnet group Shadowserver Foundation.
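The practical consequence for a network defender is that a Dridex infection does not disappear with the takedown: the bot keeps beaconing, only now to a sinkhole, and sinkhole operators such as Shadowserver report those sightings back to the owners of the originating public addresses. Because a report only identifies the public (NAT) address, finding the actual infected workstation means joining the report against the perimeter NAT log on public ip:port and time. The following is an added example (not code from the article or from any of the organisations it names) that does that join; the report column layout, the NAT log line format, and all addresses and timestamps are constructed for the example and are not any real operator's format or data.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample: a sinkhole operator's report of connections seen from our
# public address range. The column layout is an assumption for this example.
SINKHOLE_REPORT = """\
timestamp,src_ip,src_port,dst_ip,dst_port,family
2015-10-13 09:14:02,203.0.113.10,51234,192.0.2.50,443,dridex
2015-10-13 09:14:40,203.0.113.10,51301,192.0.2.50,443,dridex
2015-10-13 11:02:17,203.0.113.10,40022,192.0.2.50,443,dridex
2015-10-13 12:00:00,203.0.113.10,60000,192.0.2.50,443,dridex
"""

# Constructed sample: our perimeter NAT log (internal endpoint -> translated
# public endpoint). The last line reuses public port 40022 half an hour later,
# which must not be attributed to the 11:02 sighting.
NAT_LOG = """\
2015-10-13 09:14:01 NAT 10.1.4.23:49152 -> 203.0.113.10:51234
2015-10-13 09:14:39 NAT 10.1.4.23:49188 -> 203.0.113.10:51301
2015-10-13 11:02:16 NAT 10.1.7.88:50011 -> 203.0.113.10:40022
2015-10-13 11:30:00 NAT 10.1.2.5:50500 -> 203.0.113.10:40022
"""

NAT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) NAT (?P<int_ip>[\d.]+):(?P<int_port>\d+) -> "
    r"(?P<pub_ip>[\d.]+):(?P<pub_port>\d+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_nat_log(text):
    """Return (timestamp, public_ip, public_port, internal_ip) tuples."""
    entries = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        entries.append(
            (datetime.strptime(m["ts"], TS_FMT), m["pub_ip"],
             int(m["pub_port"]), m["int_ip"])
        )
    return entries


def infected_hosts(report_csv, nat_log, window_seconds=120):
    """Map sinkhole sightings back to internal hosts via NAT translations.

    A sighting matches a NAT entry when the public ip:port pair is identical
    and the two timestamps lie within window_seconds of each other; port
    reuse outside that window is deliberately not matched. Returns a dict of
    internal_ip -> list of sighting timestamps, plus the unmatched sightings
    (which need a wider log search, not a guess).
    """
    nat = parse_nat_log(nat_log)
    window = timedelta(seconds=window_seconds)
    matched, unmatched = {}, []
    for row in csv.DictReader(io.StringIO(report_csv)):
        seen = datetime.strptime(row["timestamp"], TS_FMT)
        candidates = [
            e for e in nat
            if e[1] == row["src_ip"]
            and e[2] == int(row["src_port"])
            and abs(e[0] - seen) <= window
        ]
        if not candidates:
            unmatched.append(row["timestamp"])
            continue
        # If several translations fall inside the window, the closest in time wins.
        best = min(candidates, key=lambda e: abs(e[0] - seen))
        matched.setdefault(best[3], []).append(row["timestamp"])
    return matched, unmatched


if __name__ == "__main__":
    hosts, missing = infected_hosts(SINKHOLE_REPORT, NAT_LOG)
    for ip, sightings in sorted(hosts.items()):
        print(f"{ip}: {len(sightings)} sinkhole contact(s), e.g. {sightings[0]}")
    for ts in missing:
        print(f"no NAT translation found for sighting at {ts}")
```

The time window matters: ephemeral ports are recycled, so matching on ip:port alone would have blamed 10.1.2.5 for the 11:02 beacon. Sightings that find no translation are reported rather than dropped, since they usually mean the NAT log retention is shorter than the report delay.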
Brett Stone-Gross of Dell's SecureWorks said the malware was used to steal credentials, certificates, cookies, and other sensitive information from a compromised system, primarily to commit Automated Clearing House (ACH) and wire fraud.
Taking its lead from the Zeus GameOver botnet, Dridex uses a peer-to-peer, or P2P, design to hide back-end activities and frustrate takedown attempts.
The botnet is also partitioned into sub-botnets, giving affiliates in different regions limited access so they can customise banking fraud pages, or 'web injects', to match the banking brands in each market. Dell has so far identified 13 sub-botnets.
The botnet had web injects for 27 nations, including the US, Canada, UK, Ireland, France, Switzerland, Germany, Norway, Austria, Netherlands, Italy, Belgium, Croatia, Bulgaria, Romania, the United Arab Emirates, Qatar, Israel, Indonesia, Singapore, Malaysia, Hong Kong, China, India, Vietnam, Australia, and New Zealand.
Stone-Gross said the takedown group involved "poisoning each sub-botnet's P2P network and redirecting infected systems to a sinkhole".
One of Dridex's sub-botnets contained approximately 4,000 active bots, consisting mostly of infected machines in Western Europe, especially the UK and France.
Dutch security firm Fox-IT earlier this year connected the dots between Dridex members and a group known as the Business Club, including key members such as Evgeniy 'Slavik' Bogachev - the alleged mastermind of Zeus GameOver - who was indicted by the FBI in 2014 and has a $3m FBI bounty on his head.
According to Frank Ruiz, a senior member of Fox-IT's InTELL team, the Dridex gang referred to themselves as EvillCorp, had strong ties to Slavik, and used components of Gameover ZeuS technology to build Dridex capabilities. The Dridex gang was under pressure to monetise the technology after the FBI dismantled Zeus GameOver in 2014.
"They were engaged with numerous other criminal groups and with other operations like credit-card theft. Some of their breaches required quite some skills and diligence. It's a relatively large group, so we're eager to learn what effect the indictments will have over the coming weeks and months," said Ruiz.
Other organisations involved in the takedown include the Department of Homeland Security's US Computer Emergency Readiness Team (US-CERT), Europol's EC3, the German Bundeskriminalamt (BKA), Fox-IT, S21sec, abuse.ch, Spamhaus, and the Moldovan General Inspectorate of Police Centre for Combating Cyber Crime, the Prosecutor General's Office Cyber Crimes Unit, and the Ministry of Interior Forensics Unit.