Sometimes it is sweet revenge when a researcher can get into a malware’s innards and figure out how it operates.
That is just what security researchers from buguroo did when they got into one of Dridex's admin panels, hacked its backend, retrieved the user data stored there and kept an eye on the botnet's activity.
Because Dridex operations are carried out on such a massive scale, the attackers behind this huge botnet split it into multiple smaller infrastructures, which security researchers call subnets. This fragmented architecture makes Dridex's operations harder for security firms to detect, and also makes the infrastructure harder to sinkhole, since taking over one subnet's servers leaves the others running.
Researchers found the admin panel of a Dridex section previously identified as Subnet 220. As luck would have it, this subnet was running an older version of the Dridex backend, in which the researchers found several weaknesses.
These weaknesses allowed the researchers to break into Subnet 220's admin panel and take a look inside. By recovering the data stored in this backend, buguroo researchers were able to determine the scale at which these crooks operate and to identify new techniques used in more recent attacks.
Researchers said the Dridex operators work in short-burst campaigns, launching multiple attacks at various intervals. On average, the attackers collect around 16,000 credit card numbers per campaign and attempt to steal around $500 from each victim.
Since banks detect and block these fraudulent transactions in about 90 percent of cases, only roughly one in ten attempts succeeds, which means the crooks pocket around $800,000 per campaign (16,000 cards × $500 × 10 percent).