Skip to content

S0384 Dridex

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).123

Item Value
ID S0384
Associated Names Bugat v5
Version 2.0
Created 30 May 2019
Last Modified 01 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Bugat v5 1

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Dridex has used POST requests and HTTPS for C2 communications.24
enterprise T1185 Browser Session Hijacking Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Dridex has encrypted traffic with RC4.2
enterprise T1573.002 Asymmetric Cryptography Dridex has encrypted traffic with RSA.2
enterprise T1106 Native API Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.4
enterprise T1027 Obfuscated Files or Information Dridex‘s strings are obfuscated using RC4.4
enterprise T1090 Proxy Dridex contains a backconnect module for tunneling network traffic through a victim’s computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.14
enterprise T1090.003 Multi-hop Proxy Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.4
enterprise T1219 Remote Access Software Dridex contains a module for VNC.1
enterprise T1518 Software Discovery Dridex has collected a list of installed software on the system.4
enterprise T1082 System Information Discovery Dridex has collected the computer name and OS architecture information from the system.4
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing.4

Groups That Use This Software

ID Name References
G0092 TA505 567
G0119 Indrik Spider 893