Chasing cybercrime: network insights of Dyre and Dridex trojan bankers


Botnet: Dyre, Dridex
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2015 / 2015-04-22
Editor/Conference: Blueliv
Link: (Archive copy)
Author: Blueliv
Type: Tech report


Trojan bankers are a family of botnets that specialize in stealing financial-sector information and user data in order to sell it on underground marketplaces; some of them also perform wire transfers using these credentials or by taking control of the infected computer.

Driven by the obstacles that security firms put in its way, and by the competition between rival products, the malware industry is constantly evolving and improving what it offers.

In the current landscape of banking trojans, Dyre and Dridex are the most nefarious, both because of the number of infections they have racked up since they were discovered and because of the mechanisms that make them more resilient.

At Blueliv we launched an intensive investigation into how these botnets operate. We were able to analyze the networking protocol of both Dyre and Dridex and to infiltrate the botnets, gathering a lot of information about how they operate and whom they target.

Because there isn't a lot of information on how these botnets operate from a networking point of view, we want to share our findings with you, so today we present the results of our work.

Besides introducing both families, we also explain the networking protocol of the botnets in technical detail, and, thanks to the successful infiltration of both the Dyre and Dridex networks, we share a lot of interesting data about their volume, campaigns and targeted countries.


 @misc{2015BFR2254,
   editor = {Blueliv},
   author = {Blueliv},
   title = {Chasing cybercrime: network insights of Dyre and Dridex trojan bankers},
   day = {22},
   month = Apr,
   year = {2015},
   howpublished = {\url{}},