Dridex

Dridex is a very evasive and technically complex banking Trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.

Type
Trojan
Origin
ex-USSR territory
First seen
1 January, 2014
Last seen
16 July, 2021
Global rank
28
Week rank
12
Month rank
13
IOCs
953

What is Dridex malware?

Dridex is one of the most technologically advanced banking trojans currently active. The primary target of this malware is stealing banking credentials from its victims. Dridex has been around since 2014 and has benefited from very consistent updates that helped the malware evolve and become more and more capable.

Thanks to constant evolution, Dridex currently supports very advanced functions like the Atom Bombing injection technique, web injects into Chrome, and Microsoft Word zero-day exploit which helped the Dridex malware to make its way into countless machines.

Dridex is classified to be the evolution of the GameOver ZeuS, borrowing a C&C architecture from this virus and further improving upon it, making control servers very hard to pinpoint. The Dridex banking trojan also features similarities to other malware – CRIDEX and Bugat. However, while the latest relies mostly on vulnerabilities as an attack vector, Dridex also uses mail spam to infect the machines of its victims.

General description of Dridex malware

According to the new information, US and UK law enforcement organizations uncovered the identities of people behind Evil Corp — the cybergang that developed Dridex and several other malicious programs. Maxim Yakubets who is living in Moscow is suspected to be the group’s leader. He has been seen driving a Lamborghini Huracan with a number plate that reads “thief” in Russian. As a result of the investigation, the US Department of State has announced a $5 million reward for turning in Yakubets. This is the largest reward ever offered for a cybercriminal.

The spike in the popularity of the Dridex trojan was recorded in the period between its first spotting in the wild until the year 2015. The subsequent malicious campaigns were fewer in number and perhaps not as global as the ones observed before 2015. Usually, the malware targets victims in Europe with over half of recorded infections taking place in the UK, though, German, French, and US users are also in danger. Notably Dridex banking Trojan never attacks victims in the Russian Federation, which could indicate that the group behind this threat comes from this country. Dridex is one of the most popular banking Trojans in the world, placing at the seventh spot out of the top ten most widely spread viruses of this type by the number of infections in 2015, according to the data of flashpoint-intel.

The malware can perform a series of data-stealing actions including Form-grabbing, clickshot taking, and site injections. This allows Dredex to steal sensitive data such as logins and passwords when the victim logs into their banking account. This data can then be used by the attackers in future campaigns or sold to other criminals. In addition, the malware is capable of taking screenshots, allowing hackers to collect personal information about the victim. What’s more, the malware is able to change the content of web pages that the user is viewing using web-inject techniques, so when the user enters his login and password, instead of logging into a personal account this sensitive data is sent directly to the attackers.

Dridex trojan uses a Botnet as a Service operation model which entitles that infected PCs can become attack sources for future campaigns. This helps the malware to spread more efficiently and makes its attacks more global.

Some of the previous versions of this malware used to have a fairly unique persistence mechanism which researchers called “invisible”. It was dubbed so because the malware’ dynamic link library (DLL) was saved on a disk, and a registry value was generated to run the malicious DLL at system startup just only before the PC would be turned off.

The new version of Dridex’s maldocs contains hundreds of URLs from which to download the malware. This approach makes malware hard to take down by hosting providers and domain registers. It also increases the chances of downloading the payload. Security controls need to block a big number of URLs to prevent the malware from being downloaded.

Dridex was once again updated and stopped using the debug output message loop. Malware actors also switched their defense evasion technique from the usage of XSL Script Processing (ID T1220) to Signed Binary Proxy Execution using Rundll32 (ID T1218.011).

During 2020 the "team" behind Dridex heavily used Excel malicious documents with Macro 4.0 in its campaigns. Often these maldocs checked the language of the system in which they were opened and quit execution if it didn’t match.

Malware analysis of Dridex trojan

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of the Dridex malware.

process graph of the dridex execution Figure 1: Process graph generated by ANY.RUN allows us to see the main processes of Dridex execution.

text report of the dridex analysis Figure 2: Displays the customizable text report generated by ANY.RUN.

Execution of Dridex malware

The execution process of Dridex is pretty short and straightforward. Similar to a lot of malware nowadays, the banking Trojan makes its way into the victim's system as a malicious attachment, usually a Microsoft Office file, which is delivered in spam emails. After the user downloads and opens such a file and enables macros, the infection process begins. Dridex trojan is capable of utilizing different techniques to deliver the main payload. The payload can be downloaded directly by Microsoft Office or by injected system applications, for example, explorer.exe, or leveraged by the vulnerabilities exploit such as Microsoft Equation Editor. After the downloaded payload starts execution, it begins the main malicious activity such as writing itself into autorun in the registry, searching for installed software, executing scripts, connecting to the C2 server, and more.

Prevention of Dridex attacks

Users can avoid getting infected by banking Trojans such as Dridex by staying clear of suspiciously looking emails. To stay completely safe one should never launch files downloaded from emails that were delivered from unknown senders. A clear indication of the malicious nature of downloaded files can be that when opened, Microsoft Office files will prompt the user to enable macros – something users should never do to avoid infection. Additionally, it is advised to keep an updated version of a trusted antivirus product on a machine at all times.

How does Dridex malware spread?

Dridex mainly spreads using spam email campaigns and makes its way into targeted machines in the form of malicious email attachments. The emails are designed to resemble financial related messages, such as invoice delivery from real businesses, and usually contain a malicious Microsoft Office document as an attachment.

Social engineering is used to trick potential victims into downloading and opening attached files, which when run execute a malicious macro that installs the Dridex banking trojan on the machine.

How to detect Dridex using ANY.RUN?

If Dridex trojan wasn't detected or you want to double-check you can use additional ANY.RUN functionality to get more from your analysis. During execution, Dridex unpacks itself in memory and enters the long-drawn-out loop. On each loop iteration malware output debug string "Installing...", so if you run into this first think that this is Dridex

dridex debug output Figure 3: Dridex debug output

Conclusion

Even though Dridex popularity has declined somewhat since its initial release, it is still an extremely popular and capable malware that is used in several attacks targeting companies in Europe and North America. Thanks to advanced persistence mechanisms and almost untraceable C&C servers, Dridex attacks are very hard to battle, making this malware extremely effective.

Thankfully, malware hunting services like ANY.RUN allow researchers to study threats similar to Dridex to set up effective countermeasures.

IOCs

IP addresses
160.153.136.3
104.23.98.190
46.22.116.163
185.246.87.202
192.99.41.136
198.71.233.227
195.128.123.215
95.142.155.245
160.153.132.207
160.153.137.170
107.170.146.252
188.165.17.91
69.16.231.58
54.38.143.246
31.220.2.120
52.53.192.135
217.79.184.243
131.255.5.12
18.224.165.22
212.27.63.105
Hashes
8f76ea98651e914e808bde9f0e491a4252bc218c5ef40f800cceefdccac002c1
efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
c29e8c0912238929dd79fd40b49019914c13f52540bbb0cf189a19619d46ae35
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc
e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6
ec37d48c02f7232e3d60b44220b1f4647a36f04526e7e440fa88e94d2d0bf9ed
7b38b9c14389d7c57591a3aa4ae8a8f847ff7314f40e9cd2987ee5d4d22e84e9
e30688f06c8ce5bce84f690a508533262e068cf57a3d3a1d63baff6d3d391f6e
c0dc89bdb2f7c4c6ac13491b5dcf43712836a9e5091338572dcaafd711dd38c8
ca29ef4568817379ea2e7fd8ef4f2eadf4d65c554c5d18661996b87a3512f8e8
54a381ae101d3e95b0f3d7b7b4957600acabb7c949f2ed678cb22bb6d11d2843
bf1e36ac51a1a92eb6b5f4c68b67dfccc0692841d73045136cb9d7bc53bcf46d
b4834d24538514089628f7ad19d935e4e89675e2d9260f6cf0e39e61633caede
f24cec525e6b0580e11a11905b11d7015ca0715464e04648f2fcc4642258d408
0098b586935058cbae3b6713d281f47c361fe87c5b9148add360cfb84cec73e0
3069915e03f560e6f95bb6daab1e06752edf186a85cf82ddc868fb0cc308adc9
74a30c278e5592bf84a3b07da0edb9dc07d79ca9ec2df55049193f209a5e0aa4
1bea16ff5d8d503b62b9bf850c50d6493d73bf5802835102d36ede5d24b5e6e0
df49023a205f8cbd0481142f2206cce03fd367cf522d51ba4f282564c7a1b801
ae13c96938d54f2f37d2fe5a7d267e2d4d3b7f5215bfbdc3cedf312b7e2fa412
Domains
www.asappiling.com.au
capbonconsulting.com
www.capbonconsulting.com
www.koshersushiparty.com
www.shreveportnightlife.com
okckratom.com
bitqueen.com
www.waystoreducebellyfat.com
themidlandstrainingpartnership.co.uk
www.ivsdc.com
www.lgnutritionconsulting.com
shingletonfarms.com
www.shingletonfarms.com
winecountrymobilespa.com
winecountrymobilespa.com
www.lemoto.info
rbizassociates.com
www.rackingusa.com
showthescam.com
queenofartslv.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More