Dreambot malware operation goes silent - ZDNet

Posted: 01 May 2020 12:00 AM PDT

The Dreambot malware botnet appears to have gone silent and possibly shut down, according to a report published today by the CSIS Security Group, a cyber-security firm based in Copenhagen, Denmark.

The company reports that Dreambot's backend servers went down in March, around the same time the cybersecurity community stopped seeing new Dreambot samples distributed in the wild.

"The lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can't be sure exactly what was the cause of death, but more and more indicators point at the end of Dreambot," said Benoit Ancel, malware analyst at the CSIS Security Group.

What was Dreambot?

The malware's apparent death puts an end to a six-year-old "career" on the cybercrime landscape.

Dreambot was first spotted in 2014. It was created on top of the leaked source code of the older Gozi ISFB banking trojan, one of the most reused pieces of malware today.

Just like any Gozi-based trojan, Dreambot's primary function was to inject malicious content inside browsers and facilitate the theft of banking credentials and the execution of unauthorized financial transactions.

Initial versions contained very few features, but the malware evolved into a more complex strain as time went by.

With time, Dreambot received new features, such as Tor-hosted command and control servers, a keylogging capability, the ability to steal browser cookies and data from email clients, a screenshotting feature, the ability to record a victim's screen, a bootkit module, and a VNC remote access feature -- just to name the most important.

[Image: Typical Dreambot control panel. Credit: Benoit Ancel, CSIS Group]

Furthermore, Dreambot also evolved from a private malware botnet into what's called a Cybercrime-as-a-Service (CaaS).

As a CaaS, the Dreambot creators would advertise access to their botnet on hacking and malware forums. Other crooks could buy access to a part of Dreambot's infrastructure and a version of the Dreambot malware, which they'd be responsible for distributing to victims. Dreambot "customers" would infect victims, steal funds, and pay the Dreambot gang a weekly, monthly, or yearly fee.

More than one million infections in 2019 alone

CSIS says this model appears to have been successful. "We counted more than a million [Dreambot] infections worldwide just for 2019," Ancel said.

However, the CSIS researcher also says that in recent years Dreambot evolved beyond being just a banking trojan. More specifically, it evolved from a specialized banking trojan into a generic trojan.

Criminal gangs would rent access to the Dreambot cybercrime machine, but not use it to steal money from bank accounts.

Instead, they'd infect a large number of computers, and then inspect each target, looking for specific computers. For example, CSIS said it has seen criminal groups use Dreambot to infect systems and look for computers running Point-of-Sale software, to deploy ransomware on corporate networks, to orchestrate BEC fraud, or to order goods from hijacked e-shopping accounts (eBay, Amazon, etc.).

In this case, Dreambot's evolution from a highly-specialized banking trojan into a generic "malware loader" mirrors what we've seen happening to Dridex, TrickBot, or Emotet -- other former banking trojans that have evolved into services that rent access to hacked computers.

At the time of writing, Dreambot operators have not been publicly identified and remain at large. The reason for this entire cybercrime platform's current disappearance also remains a mystery.

With the operators at large, Dreambot's return remains a possibility.
