Dridex

Dridex is one of the most technologically advanced banking trojans currently active. The primary target of this malware is stealing banking credentials from its victims. Dridex has been around since 2014 and has benefited from very consistent updates that helped the malware evolve and become more and more capable.

  • Type: Trojan
  • Origin: Unknown
  • First seen: 1 January, 2014
  • Last seen: 21 November, 2019

What is Dridex malware?


Thanks to constant evolution, Dridex now supports very advanced functions, including the AtomBombing injection technique, web injects into Chrome, and a Microsoft Word zero-day exploit that helped the malware make its way onto countless machines.

Dridex is considered an evolution of GameOver ZeuS, borrowing its C&C architecture from that virus and further improving upon it, making the control servers very hard to pinpoint. The Dridex banking trojan also shares similarities with another malware with a very similar name, CRIDEX. However, while the latter relies mostly on vulnerabilities as an attack vector, Dridex also uses mail spam to infect the machines of its victims.

General description of Dridex malware

The spike in Dridex's popularity was recorded in the period between its first sighting in the wild and the year 2015. The subsequent malicious campaigns were fewer in number and perhaps not as global as the ones observed before 2015. Usually, the malware targets victims in Europe, with over half of recorded infections taking place in the UK, though German, French and US users are also in danger. Notably, the Dridex banking Trojan never attacks victims in the Russian Federation, which could indicate that the group behind this threat comes from that country. Dridex is one of the most popular banking Trojans in the world, placing seventh in the top ten most widely spread viruses of this type by number of infections in 2015, according to data from flashpoint-intel.

The malware can perform a series of data-stealing actions including form-grabbing, clickshot capture, and site injections. This allows Dridex to steal sensitive data such as logins and passwords when the victim logs into their banking account. This data can then be used by the attackers in future campaigns or sold to other criminals. In addition, the malware is capable of taking screenshots, allowing hackers to collect personal information about the victim. What’s more, the malware is able to change the content of web pages the user is viewing using web-inject techniques, so when the user enters their login and password, instead of logging into a personal account, this sensitive data is sent directly to the attackers.

Dridex uses a Botnet-as-a-Service operation model, which means that infected PCs can become attack sources for future campaigns. This helps the malware spread more efficiently and makes its attacks more global.

Some previous versions of this malware had a fairly unique persistence mechanism which researchers called “invisible”. It was dubbed so because the malware’s dynamic link library (DLL) was saved to disk, and a registry value to run the malicious DLL at system startup was generated only just before the PC was shut down.

Malware analysis of Dridex

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of the Dridex malware.

Figure 1: Process graph generated by ANY.RUN allows us to see the main processes of Dridex execution.

Figure 2: Displays the customizable text report generated by ANY.RUN.

Execution of Dridex

The execution process of Dridex is pretty short and straightforward. Like a lot of malware nowadays, the banking Trojan makes its way into the victim's system as a malicious attachment, usually a Microsoft Office file, delivered in spam emails. After the user downloads and opens such a file and enables macros, the infection process begins. Dridex is capable of using different techniques to deliver the main payload. The payload can be downloaded directly by Microsoft Office or by injected system applications, for example explorer.exe, or delivered by exploiting a vulnerability such as one in Microsoft Equation Editor. After the downloaded payload starts execution, it begins the main malicious activity, such as writing itself into autorun in the registry, searching for installed software, executing scripts, connecting to the C2 server, and more.

Prevention of Dridex attacks

Users can avoid getting infected by banking Trojans such as Dridex by steering clear of suspicious-looking emails. To stay completely safe, one should never launch files downloaded from emails delivered by unknown senders. A clear indication of the malicious nature of a downloaded file is that, when opened, the Microsoft Office file prompts the user to enable macros, something users should never do if they want to avoid infection. Additionally, it is advised to keep an updated version of a trusted antivirus product on the machine at all times.

How does Dridex malware spread?

Dridex mainly spreads using spam email campaigns and makes its way onto targeted machines in the form of malicious email attachments. The emails are designed to resemble finance-related messages, such as invoice deliveries from real businesses, and usually contain a malicious Microsoft Office document as an attachment.

Social engineering is used to trick potential victims into downloading and opening the attached files, which, when run, execute a malicious macro that installs the Dridex banking trojan on the machine.

How to detect Dridex using ANY.RUN?

If Dridex wasn't detected, or you want to double-check, you can use additional ANY.RUN functionality to get more from your analysis. During execution, Dridex unpacks itself in memory and enters a long-running loop. On each iteration the malware emits the debug string "Installing...", so if you run into this output, the first thing to suspect is Dridex.
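As an added example (not ANY.RUN's own code), the following script ties together the execution chain described above (Office parent, injected system process, Run-key autorun, C2 connection) and the repeated "Installing..." debug string from this section into one detection pass over a constructed, pipe-delimited sandbox event log. The log format, process IDs and the 203.0.113.10 address are all assumptions made for the example.

```python
"""Flag a Dridex-like chain in constructed sandbox events: an Office parent,
a child that writes a Run key, talks to a C2 and loops on 'Installing...'."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY = "\\currentversion\\run\\"   # matched case-insensitively

# Constructed sample log (not real ANY.RUN output): ts|event|pid|ppid|image|detail
SAMPLE_LOG = """\
1|proc|100|1|winword.exe|C:\\Users\\victim\\Downloads\\invoice.doc
2|proc|200|100|explorer.exe|spawned by macro
3|reg|200|100|explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
4|net|200|100|explorer.exe|203.0.113.10:443
5|dbg|200|100|explorer.exe|Installing...
6|dbg|200|100|explorer.exe|Installing...
7|dbg|200|100|explorer.exe|Installing...
8|proc|300|1|notepad.exe|started by user
9|dbg|300|1|notepad.exe|Installing...
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, ev, pid, ppid, image, detail = line.split("|", 5)
        rows.append({"ts": int(ts), "event": ev, "pid": int(pid),
                     "ppid": int(ppid), "image": image.lower(), "detail": detail})
    return rows

def office_descendants(rows):
    """PIDs that have an Office application anywhere up their parent chain."""
    parent = {r["pid"]: r["ppid"] for r in rows if r["event"] == "proc"}
    image = {r["pid"]: r["image"] for r in rows if r["event"] == "proc"}
    out = set()
    for pid in parent:
        p = parent[pid]
        while p in parent:                 # walk up until the root is reached
            if image[p] in OFFICE:
                out.add(pid)
                break
            p = parent[p]
    return out

def analyse(log, loop_threshold=3):
    """Return {pid: sorted evidence} for processes showing the Dridex pattern."""
    rows = parse(log)
    spawned = office_descendants(rows)
    evidence, dbg_count = defaultdict(set), defaultdict(int)
    for r in rows:
        pid = r["pid"]
        if r["event"] == "reg" and RUN_KEY in r["detail"].lower():
            evidence[pid].add("run_key_autorun")        # autorun persistence
        elif r["event"] == "net":
            evidence[pid].add("c2_connection")          # outbound C2 traffic
        elif r["event"] == "dbg" and r["detail"] == "Installing...":
            dbg_count[pid] += 1
            if dbg_count[pid] >= loop_threshold:        # the unpacking loop
                evidence[pid].add("installing_loop")
    findings = {}
    for pid, ev in evidence.items():
        if pid in spawned:
            ev.add("office_spawned")
        # the debug-string loop alone is a strong hint; otherwise require the chain
        if "installing_loop" in ev or ("office_spawned" in ev and len(ev) >= 3):
            findings[pid] = sorted(ev)
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single "Installing..." line (pid 300 in the sample) stays below the loop threshold and is not reported, which keeps the check from firing on unrelated installers that print the same word once.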

Figure 3: Dridex debug output

Conclusion

Even though Dridex's popularity has declined somewhat since its initial release, it is still an extremely popular and capable malware, used in several attacks targeting companies in Europe and North America. Thanks to advanced persistence mechanisms and almost untraceable C&C servers, Dridex attacks are very hard to combat, making this malware extremely effective.

Thankfully, malware analysis services like ANY.RUN allow researchers to study threats similar to Dridex to set up effective countermeasures.

IOCs

