## Dreambot Business overview 2019

###### Benoît ANCEL @benkow_
###### Peter KRUSE @peterkruse

-----

- Crime as a service
- Based on Gozi2 (ISFB) + TOR + Bootkit
- Around since 2015
- ~ 450 000 bots (Oct-Dec 2018)
- ~ 250 000 bots (Jan-March 18)
- JP/DE/BG/PL/IT/US/CA/ES/AU/IN
- Business model:
  - You rent access to Dreambot
  - You obtain a non-packed binary + the source code of the panel

-----

## Dreambot
###### Under the hood

-----

- 3 different ways to communicate:
  - Hard-coded domains (BrazzzzersFF)
  - DGA (BrazzzzersFF)
  - Onion website
- Gozi features:
  - Webinjects
  - Keylogger
  - FormGrabber
  - Email grabber
  - Screenshots
  - Socks

-----

- 2 kinds of C&C:
  - Dreambot client's C&C
  - "Master" C&C
- "Master" is used for:
  - Bot storage
  - Bank fraud
  - Targeted attacks

-----

- Servers are used for a defined period of time (subscription based)
- The client can:
  - Distribute Dreambot code
  - Access harvested drop data
  - Configure own webinjects
  - Configure a stage 2
- 3 different panels are available
- ~ 15 different customers between 2018 and yesterday

-----

###### Panel 1

-----

###### Panel 2

-----

###### Panel 3

-----

## Dreambot
###### Customer use case

-----

- The example: the German customer
  - New client since October 2018
  - ~ 210 000 infections in Germany/US/CA (October 18 – March 19) (EK and targeted emails)
  - This client (known as Bagsu) is only interested in banking fraud and targets 725 unique banks in Germany

-----

## Dreambot
###### "Master" C&C

-----

- "Master" C&C
  - Used to store bots after the expiration of a customer's subscription period
  - Likely controlled by the Dreambot operators
  - Involved in targeted attacks
  - Involved in fraud in BG in 2018-2019

-----

## Conclusion

-----

- Gozi is still going strong and continuously being improved
- Crime as a service is getting trendy
- Vector used by APT groups
- Attribution is getting harder
- Gozi will never die despite takedowns
- Thanks to: Kafeine, Maciej Kotowicz

-----

### One more thing….

-----

# Let's Talk?
##### pkr@csis.dk
###### PGP-ID: 0x715FB4BD

-----