Dridex Trojan: A glimpse into the banking trojan’s malicious activities
- Dridex is capable of stealing user credentials, keystroke logging, and web injects.
- This trojan is primarily distributed via phishing email campaigns with attached Microsoft Word documents containing malicious macros.
Dridex is a banking trojan that was first spotted in 2012. This trojan is primarily distributed via phishing email campaigns with attached Microsoft Word documents containing malicious macros.
In October 2015, the United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) released a Technical Alert about the Dridex trojan.
According to the alert, Dridex is capable of stealing user credentials, keystroke logging, and web injects. This trojan has been used in various campaigns that launch distributed denial-of-service (DDoS) attacks and harvest users' banking credentials.
According to a technical report published by Symantec, the Dridex trojan is capable of targeting 300 different organizations in over 40 regions.
Dridex version v.3.161
Dridex version v.3.161 was first spotted on January 06, 2016. This new version was then used in redirection attack campaigns targeting the United Kingdom. The spam campaign included a Microsoft Office file attachment disguised as an invoice. Upon opening the attachment, the Dridex trojan is downloaded onto the compromised computer.
Dridex distributes Locky ransomware
Dridex targets US banks
Researchers noted that the Dridex trojan has shifted its focus away from European users and has evolved to target US banks. Its targets include U.S. bank accounts, users of social media sites, credit card companies, and financial investment corporations.
Researchers spotted a new version of the Dridex banking trojan, Dridex version 4. This version uses a new injection method based on the “AtomBombing” technique to evade antimalware solutions. It was observed in malware campaigns against UK banks.
Connections with BitPaymer ransomware
Researchers spotted code similarities between the Dridex trojan and BitPaymer ransomware. They analyzed samples of FriedEx, also known as BitPaymer, and found that BitPaymer uses the same techniques as Dridex to hide as much information as possible about its behavior.
Whitelisting bypass technique
Security researchers identified a new variant of the Dridex trojan that uses an application whitelisting bypass technique to avoid mitigations applied through Windows Script Host. This variant was distributed via a malspam campaign containing malicious Word documents.
Dridex distributed via Spelevo exploit kit
In June 2019, researchers observed a cyberespionage campaign that distributed a newly discovered exploit kit named Spelevo. Once it runs, the exploit kit first attempts to exploit the CVE-2018-15982 vulnerability in Adobe Flash Player and then targets the use-after-free vulnerability (CVE-2018-8174) in Internet Explorer. Attackers used the Spelevo exploit kit to deliver two banking trojans: IcedID and Dridex.
Malspam campaign delivers Dridex trojan and RMS RAT
In July 2019, researchers observed a new malspam campaign that delivers the Dridex banking trojan and RMS RAT via malicious Microsoft Word document attachments. The phishing emails include malicious ZIP archives containing XLS (Microsoft Excel) documents disguised as fake eFax messages. The documents carry an embedded macro designed to download and launch the Dridex trojan and RMS RAT. Upon execution, Dridex collects credentials from the web browsers, while RMS RAT provides remote management of the infected systems.
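A defender-side check for the delivery chain described above (a ZIP attachment carrying an Office document with a VBA project), added here as an example and not taken from the article or any vendor report; the `eFax_message.xlsm` sample it builds and the `office_has_macro`/`scan_attachment` names are constructed for illustration.

```python
import io
import zipfile

# Extensions seen in the campaigns above, plus the macro-enabled OOXML variants.
OFFICE_EXT = (".doc", ".xls", ".docx", ".xlsx", ".docm", ".xlsm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy OLE2 compound file


def office_has_macro(data):
    """Return (verdict, reason) for one Office document's raw bytes.
    OOXML documents are ZIP containers and keep VBA code in a 'vbaProject.bin'
    part. Legacy OLE2 files (.doc/.xls) are not parsed here, so they are
    reported as suspect rather than declared clean."""
    if data.startswith(OLE_MAGIC):
        return ("suspect", "legacy OLE2 document; inspect its VBA storage")
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                parts = [p.lower() for p in z.namelist()]
        except zipfile.BadZipFile:
            return ("suspect", "malformed OOXML container")
        if any(p.endswith("vbaproject.bin") for p in parts):
            return ("macro", "OOXML part vbaProject.bin present")
        return ("clean", "no VBA project part")
    return ("unknown", "not an Office container")


def scan_attachment(name, data):
    """Scan one mail attachment; ZIP archives are opened one level deep,
    matching the ZIP -> XLS chain of the eFax-themed campaign."""
    findings = []
    if name.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for inner in z.namelist():
                if inner.lower().endswith(OFFICE_EXT):
                    findings.append((inner,) + office_has_macro(z.read(inner)))
    elif name.lower().endswith(OFFICE_EXT):
        findings.append((name,) + office_has_macro(data))
    return findings


def build_sample():
    """Constructed sample: a ZIP holding a minimal .xlsm with a vbaProject.bin part."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"constructed placeholder, not real VBA")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("eFax_message.xlsm", doc.getvalue())
    return outer.getvalue()
```

Running `scan_attachment("eFax.zip", build_sample())` returns one finding flagging the inner workbook as carrying a macro; mail-gateway rules can quarantine on the `macro` and `suspect` verdicts.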