Dridex

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt operations, or hold data hostage for ransom. Threat actors have employed DLL side-loading techniques with Dridex, copying legitimate Microsoft executables and renaming the Dridex DLL.tmp files for this purpose. When executed, the Dridex loader uses AtomBombing to inject code into the process space used by explorer.exe, demonstrating its sophisticated attack methods. As the Ransomware as a Service (RaaS) model grew in popularity throughout 2020, the connection between first-stage malware and subsequent ransomware attacks became more apparent. Notably, the Dridex malware was linked to BitPaymer ransomware, illustrating how initial malware infections can pave the way for further malicious activities. In fact, Dridex was among the botnet families with the most command and control (C2) detections during the year, alongside Emotet, IcedID, QakBot, and TrickBot. The use of Dridex has been tracked to several notorious cybercrime groups, including UNC2165, also known as Evil Corp. This group began altering the ransomware it deployed after being sanctioned by the US in 2019 over its development and use of Dridex. Moreover, Dridex has been associated with other significant threats such as Log4Shell and Conti. Its delivery method, first observed in 2021, has been used to distribute a wide range of malware, notably the Dridex banking trojan. It's clear that Dridex continues to be a potent tool in the arsenal of cybercriminals.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Gandcrab
2
GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Gozi Isfb
1
Gozi ISFB, also known as Ursnif and Dreambot, is a malicious software (malware) that has been actively developed and distributed worldwide. This malware is designed to exploit computer systems, primarily targeting the banking and financial sectors by stealing passwords and credentials from victims.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Botnet
Ransomware
Spam
Loader
Lateral Move...
Exploit
Antivirus
Payload
Cybercrime
Fraud
Russia
Bot
Extortion
Macos
Crypter
Financial
exploited
Phishing
Ransom
Reconnaissance
Encryption
Malwarebytes
RaaS
Worm
Dropper
Downloader
Secureworks
Proxy
Scam
Bitcoin
Cybercrimes
Vpn
Infostealer
Spyware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
EmotetUnspecified
6
Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
IcedIDUnspecified
4
IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
BitPaymerUnspecified
3
BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
TrickBotUnspecified
3
TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
DoppelpaymerUnspecified
3
DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
QakBotUnspecified
3
Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
UrsnifUnspecified
2
Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
Gameover ZeusUnspecified
2
Gameover ZeuS, also known as P2P ZeuS, is a notorious piece of malware designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
RaccoonUnspecified
2
Raccoon is a highly potent and cost-effective Malware-as-a-Service (MaaS) primarily sold on dark web forums, used extensively by Scattered Spider threat actors to pilfer sensitive data. As per the "eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0" report published on August 31, 20
ZeusUnspecified
2
Zeus is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Zeus can steal personal information, disrupt operations, or even hold da
GoziUnspecified
2
Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
ContiUnspecified
1
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
FormbookUnspecified
1
Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
Agent TeslaUnspecified
1
Agent Tesla is a malicious software (malware) that exploits and damages computer systems, often infiltrating the system through suspicious downloads, emails, or websites. This malware can steal personal information, disrupt operations, and potentially hold data for ransom. Agent Tesla has been obser
ANDROMEDAUnspecified
1
Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho
GuLoaderUnspecified
1
GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
WannaCryUnspecified
1
WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
CarbanakUnspecified
1
Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
LobshotUnspecified
1
Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in
ClopUnspecified
1
Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
REvilUnspecified
1
REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
BazarUnspecified
1
"Bazar" is a form of malware, a malicious software designed to exploit and damage computer systems. This harmful program can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, it can steal personal information, disrupt operations, o
DyreUnspecified
1
Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i
Raccoon StealerUnspecified
1
Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and
CobaltstrikeUnspecified
1
CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Get2Unspecified
1
Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos
SocgholishUnspecified
1
SocGholish is a malicious software (malware) known for its ability to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, in 2023, several distinct website malware campaigns were identified to serve SocGholish malw
AzorultUnspecified
1
Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
FakeupdatesUnspecified
1
FakeUpdates, also known as SocGholish, is a JavaScript-based loader malware that primarily targets Microsoft Windows-based environments. The malware has been in operation for over five years and uses compromised websites to trick users into running a fake browser update. In addition to its deceptive
GoznymUnspecified
1
Goznym is a malicious software, or malware, that gained significant attention in February 2016 after incorporating leaked ISFB code. This potent combination led to its resurgence in the cybercrime market, where it was employed by threat actors to exploit and damage computer systems. The malware coul
CutwailUnspecified
1
Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Sn
JssloaderUnspecified
1
JssLoader is a malware often used by the ransomware gang FIN7, also known as Sangria Tempest, Elbrus, Carbon Spider, and others. This malicious software is typically delivered through deceptive tactics such as email lures, including invoice- and payment-themed decoy messages that trick users into do
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TA505Unspecified
4
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Indrik SpiderUnspecified
2
Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind
Evil CorpUnspecified
2
Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
fin11Unspecified
2
FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
Hive0065Unspecified
1
Hive0065, also known as Graceful Spider, TA505, Gold Evergreen, TEMP.Warlock, Chimborazo, or FIN11, is a financially motivated cybercrime group that has been actively targeting various industries such as finance, retail and restaurants since at least 2014. The group has been notorious for distributi
EXOTIC LILYUnspecified
1
Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
Quant LoaderUnspecified
1
Quant Loader is a significant threat actor in the realm of cybersecurity, known for executing actions with malicious intent. It has been linked to various malware campaigns, distributing harmful software such as GandCrab ransomware, DreamSmasher, Dridex, and itself - Quant Loader. The threat actor o
Unc2165Unspecified
1
UNC2165 is a financially motivated threat actor group that has been linked to multiple LockBit ransomware intrusions, as per research conducted by Mandiant. This group shares numerous overlaps with Evil Corp, another notorious cybercrime organization. The activity of UNC2165 has been tracked since t
DreamsmasherUnspecified
1
None
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Gozi NeverquestUnspecified
1
None
Log4ShellUnspecified
1
Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
CVE-2017-11882Unspecified
1
CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
CVE-2017-0199Unspecified
1
CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin
Source Document References
Information about the Dridex Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Unit42
5 months ago
Intruders in the Library: Exploring DLL Hijacking
Checkpoint
5 months ago
Maldocs ­of Word and Excel: Vigor of the Ages - Check Point Research
CERT-EU
7 months ago
One paid out, one did not • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
8 months ago
Log4Shell: A Persistent Threat to Cybersecurity - Two Years On - Cybersecurity Insiders
CERT-EU
8 months ago
Are DarkGate and PikaBot the new QakBot?
CERT-EU
9 months ago
Latest RAT attack surge bypasses Microsoft's XLL block
CERT-EU
9 months ago
DG NCA Graeme Biggar delivers RUSI's 4th Annual Security Lecture
MITRE
a year ago
Tricks of the Trade: A Deeper Look Into TrickBot's Machinations
CERT-EU
10 months ago
Update: The 2023 Malware League Table
CERT-EU
10 months ago
Insider Threat Awareness Month: Protecting Your Business from Within
CERT-EU
10 months ago
Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks
CERT-EU
10 months ago
Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
10 months ago
August 2023's Most Wanted Malware : New ChromeLoader Campaign Spreads Malicious Browser Extensions while QBot is Shut Down by FBI – Global Security Mag Online
CERT-EU
a year ago
Three malware loaders behind 80% of intrusions, researchers find
CERT-EU
a year ago
Cybersecurity Companies Report Surge in Ransomware Attacks
CERT-EU
a year ago
Eight ways to guard against botnet attacks on enterprise networks
CERT-EU
a year ago
Patch Against Exploit Kits. Understanding How Threat Actors Target Your Defenses
CERT-EU
a year ago
Locky Ransomware 101: Everything You Need to Know
BankInfoSecurity
a year ago
Moscow Court Convicts Former Group-IB Chief for Treason
CERT-EU
a year ago
Jailed On Treason Charges, A Russian Cybersecurity Exec Goes On The Offensive | #cybercrime | #infosec | National Cyber Security Consulting