Banking Botnets Evolved in 2015, Impervious to Law Enforcement Takedowns

Exterminator

Oct 23, 2012
In the past year, banking botnets continued to evolve, despite the combined efforts of law enforcement and cyber-security vendors, the Dell SecureWorks Counter Threat Unit (CTU) reports.

During 2015, security researchers and law enforcement forces from different countries collaborated to take down the Dridex and Ramnit botnets. Despite their best efforts, both botnets quickly resurfaced and continued to spread dangerous malware just a few months after.

While Ramnit was large but never that dangerous, in the past years Dridex has been highly efficient, managing to cause damages of around $25 million / €22.85 million.

The game of cat and mouse between authorities and banking botnets
Authorities hoped that, as they arrested one of Dridex's main operators last September, the botnet would shut down its activities soon after. That was not the case, and after a few months of quiet, the Dridex botnet resurfaced at the start of 2016.

Something similar happened to Ramnit, which, after authorities took it down in February 2015, surprisingly came back to life in December as if nothing had happened.

The only successful botnet takedown recorded in 2015 is that of the Dyre banking botnet, which seems to have fallen asleep after Russian police raided the offices of 25th Floor, a Moscow film distribution company.

In any case, three new major banking botnets also surfaced in 2015: Shifu, Reactorbot, and Corebot. All made waves when they were first spotted, mainly due to never-before-seen features, a credit to their developers.

Despite the new arrivals, Dell also reports that botnet operators continue to abuse the Tor and I2P networks to hide their real location and that spam continued to be the criminals' favorite method of spreading the banking trojans.

Botnets shifting from banking trojans to the delivery of ransomware
But banking trojans are not the only things these banking botnets delivered this year, as Dell's CTU team also observed a clear shift towards delivering ransomware alongside their regular trojans.

Spreading ransomware requires fewer resources and is also much easier to monetize, both from infected victims and as a MaaS (Malware-as-a-Service) infrastructure, where the gangs behind these botnets are renting out bots to other gangs.

"Botnets are part of a well-organized service industry that is constantly improving and evolving," the Dell team explains. "These organized groups continually explore new ways to steal money from victims, as illustrated by the increase in ransomware and mobile malware in 2015."

You can find in-depth details regarding the 2015 activity of each major banking botnet in Dell's Banking Botnets: The Battle Continues report. Dell's analysis includes details about the activities of Dyre, Gozi (both variants, Neverquest and ISFB), Dridex (Bugat), Tinba, Ramnit, KINS, Shifu, Corebot, Reactorbot, Qadars, Zeus, IceIX, and Citadel.