S0384 Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[2][3][4]
| Item | Value |
|---|---|
| ID | S0384 |
| Associated Names | Bugat v5 |
| Type | MALWARE |
| Version | 2.1 |
| Created | 30 May 2019 |
| Last Modified | 16 April 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Bugat v5 | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Dridex has used POST requests and HTTPS for C2 communications.[3][1] |
| enterprise | T1185 | Browser Session Hijacking | Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Dridex has encrypted traffic with RC4.[3] |
| enterprise | T1573.002 | Asymmetric Cryptography | Dridex has encrypted traffic with RSA.[3] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | Dridex can abuse legitimate Windows executables to side-load malicious DLL files.[5] |
| enterprise | T1106 | Native API | Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Dridex's strings are obfuscated using RC4.[1] |
| enterprise | T1090 | Proxy | Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.[2][1] |
| enterprise | T1090.003 | Multi-hop Proxy | Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[1] |
| enterprise | T1219 | Remote Access Tools | Dridex contains a module for VNC.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Dridex can maintain persistence via the creation of scheduled tasks within system directories such as windows\system32\, windows\syswow64, winnt\system32, and winnt\syswow64.[5] |
| enterprise | T1518 | Software Discovery | Dridex has collected a list of installed software on the system.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.010 | Regsvr32 | Dridex can use regsvr32.exe to initiate malicious code.[5] |
| enterprise | T1082 | System Information Discovery | Dridex has collected the computer name and OS architecture information from the system.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0092 | TA505 | [6][7][8] |
| G0119 | Indrik Spider | [9][10][4] |
References
1. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.
3. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
4. U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.
5. Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023.
6. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
7. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
8. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
9. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
10. Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.