Dridex

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[1][2][3]

ID: S0384
Associated Software: Bugat v5
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security; Jennifer Kim Roman, CrowdStrike
Version: 2.1
Created: 30 May 2019
Last Modified: 03 August 2023

Associated Software Descriptions

Name: Bugat v5
Description: [1]

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.[1][4]

.003 Multi-hop Proxy

Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[4]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Dridex has encrypted traffic with RC4.[2]

.002 Encrypted Channel: Asymmetric Cryptography

Dridex has encrypted traffic with RSA.[2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Dridex can abuse legitimate Windows executables to side-load malicious DLL files.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dridex has used POST requests and HTTPS for C2 communications.[2][4]

Enterprise T1106 Native API

Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.[4]

Enterprise T1185 Browser Session Hijacking

Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[1]

Enterprise T1027 Obfuscated Files or Information

Dridex's strings are obfuscated using RC4.[4]

Enterprise T1204 .002 User Execution: Malicious File

Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing.[4]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Dridex can use regsvr32.exe to initiate malicious code.[5]

Enterprise T1082 System Information Discovery

Dridex has collected the computer name and OS architecture information from the system.[4]

Enterprise T1518 Software Discovery

Dridex has collected a list of installed software on the system.[4]

Enterprise T1219 Remote Access Software

Dridex contains a module for VNC.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dridex can maintain persistence via the creation of scheduled tasks within system directories such as windows\system32\, windows\syswow64, winnt\system32, and winnt\syswow64.[5]
