The Dridex operation is segregated into major botnets that use a different command and control (C2) infrastructure, but share the same conceptual network design and architecture. Each major botnet is then segregated into small logical botnets that share the same C2 infrastructure. Each botnet is identified by a botnet ID.
Botnet segregation is employed for multiple reasons, among them:
Accountability for each Dridex customer;
Specify targets per botnet;
Resilience of the overall C2 infrastructure;
The ability to aid the logistical effort to extract information from infected systems;
The ability to differentiate mule networks used to extract money from stolen banking accounts.
Back in 2015, the Dridex ecosystem was constituted by nine botnets (120, 122, 123, 125, 200, 219, 220 and 320). Botnets 120, 200 and 220 were the most active, with predominant infections in Europe, North America and Asia.
In 2016, Dridex operators removed some of these botnets and created new ones, expanding the geographic targets of their operation. As of May 2016, there were twelve botnets (120, 220, 301, 121, 122, 123, 125, 222, 223, 225, 302 and 322). Between June and August, nine new botnets appeared: six of them targeting Switzerland (124, 38923, 1024, 144, 1124, 1234) and three targeting several other countries worldwide (444, 228 and 1044). Between September and October, three more botnets appeared (344, 333 and 404).
The Christmas season is a busy period for most botnet operators, and this year it brought seven more botnets to the Dridex ecosystem (2020, 2302, 3302, 48048, 5302, 420, 5502). One distribution campaign was observed for each of these botnets. Currently, there are 31 known Dridex botnets, although not all are active.
Dridex distribution timeline between November and December
The following table lists each botnet, their respective dates of appearance, and geographic targets:
This list features botnets known since October 2015; some of the botnets listed are older.
Master refers to the master botnet. Dridex botnets are normally logical segregations of a master botnet.
Targets are based on the configuration for each botnet.
Botnets without targets were identified, but not fully analyzed (no config files). They are listed here for reference.
Last Seen refers to the last date a distribution campaign was observed. It does not refer to the last date the botnet was seen alive.
Listed below are the latest samples (droppers) distributed for each botnet: