Name | Dridex |
Additional Names | Bugat and Cridex |
Type of Malware | Banking Trojan, Botnet |
Location – Country of Origin | Russia |
Date of initial activity | 2014 |
Associated Groups | TA505, Indrik Spider |
Motivation | Stealing online account credentials to gain access to their financial assets |
Attack Vectors | Spam campaigns and Exploit Kits |
Targeted System | Windows, iOS |
Overview
Dridex is a Banking Trojan turned botnet, that targets the Windows platform. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control. The Dridex malware has undergone numerous updates over the past 10 years. The Russia-based group Evil Corp is allegedly responsible for Dridex.
Targets
Financial institutions and their customers, mostly from English-speaking countries.
Tools/ Techniques Used
Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex). Cybercriminals often spread Dridex through phishing campaigns. The fraudulent emails, which may appear to come from an official and reputable source, prompt victims to click on embedded links or to open attached Microsoft Word or Excel files. Opening one of these files triggers an embedded, malicious macro, which initiates a download of Dridex. From there, the malware installs a keylogger, which monitors and records each keystroke typed on a computer’s keyboard. This enables the attackers to see and steal login and password information, including online banking credentials. The malware then packages and encrypts stolen data before transmitting it through peer-to-peer networks in XML or binary, depending on the version. Dridex has a range of other capabilities as well. It can also enable injection attacks, initiating additional malware downloads that let operators execute remote commands or inject code into specific programs. And recently, Dridex has started delivering ransomware. Dridex is hard to detect, as it can often bypass antivirus detection controls.
Impact / Significant Attacks
By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. In 2020, Dridex affected 3%-4% of organizations worldwide.