Dridex

Malware updated 2 months ago (2024-10-02T22:00:56.981Z)
Dridex is a notorious banking Trojan designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. The malware was primarily used by the Russian cybercriminal group Evil Corp, founded in 2014. The group targeted banks and financial institutions across more than 40 countries, generating criminal profits exceeding $100 million. Dridex was also linked to BitPaymer ransomware, another tool in Evil Corp's arsenal. The group's leader, Maksim Yakubets, allegedly used the substantial profits from Dridex to fund a lavish lifestyle, including the purchase of a Lamborghini.

Throughout 2020, as the Ransomware as a Service (RaaS) model gained traction, connections between first-stage malware such as Dridex and subsequent ransomware attacks became evident. Dridex operators employed DLL side-loading, a technique that hijacks legitimate Windows executables, and defending against it required multiple detection analytics. The malware created randomly named directories under random directory paths, copied legitimate Microsoft executables into them, and renamed the Dridex DLL (.tmp files) so that the executable would side-load it. This method was not exclusive to Dridex: it was also used by state-sponsored actors and other cybercrime groups such as Lazarus Group and Tropic Trooper.

Evil Corp faced significant setbacks following US sanctions in 2019, which exposed the inner workings of the group and its association with the FSB, Russia's security agency. The sanctions also revealed the identity of Yakubets and his familial connections within Evil Corp. Despite these disruptions, Dridex remained prevalent and was observed alongside other botnet families such as Emotet, IcedID, QakBot, and TrickBot, all of which had high C2 detections within the year. Despite the challenges, Dridex continues to be a significant threat in the cybercrime landscape.
Description last updated: 2024-10-02T21:15:55.928Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is hard, so here are some possibly overlapping names and profiles you may also want to look at.
Alias / Description / Votes
Zeus (3 votes): Zeus is a possible alias for Dridex. Zeus is a notorious malware, short for malicious software, designed to exploit and damage computer systems. It is often spread through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, it can steal personal information, disrupt operations
GandCrab (2 votes): GandCrab is a possible alias for Dridex. GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Ransomware
Cybercrime
Botnet
Spam
Loader
Lateral Move...
Fraud
Bot
Payload
Macos
Antivirus
Extortion
Exploit
Russia
Infostealer
Associated Malware
Alias / Description / Association Type / Votes
Emotet (association type: Unspecified; 6 votes): The Emotet Malware is associated with Dridex. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,
BitPaymer (association type: Unspecified; 5 votes): The BitPaymer Malware is associated with Dridex. BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of Ransom
IcedID (association type: Unspecified; 4 votes): The IcedID Malware is associated with Dridex. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
TrickBot (association type: Unspecified; 3 votes): The TrickBot Malware is associated with Dridex. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,
DoppelPaymer (association type: Unspecified; 3 votes): The DoppelPaymer Malware is associated with Dridex. DoppelPaymer is a type of malware, specifically ransomware, that was initially developed and operated by the GOLD DRAKE threat group under the name BitPaymer. The software was later reworked and renamed to DoppelPaymer by another threat group, GOLD HERON. This malicious software first appeared in mi
QakBot (association type: Unspecified; 3 votes): The QakBot Malware is associated with Dridex. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d
Ursnif (association type: Unspecified; 2 votes): The Ursnif Malware is associated with Dridex. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by the threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for ra
Gozi (association type: Unspecified; 2 votes): The Gozi Malware is associated with Dridex. Gozi is a notorious malware that has been linked to numerous cyber attacks. It is typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as the Pikabot botnet agent and the IcedID information stealer. When an individual accesses a c
Gameover Zeus (association type: Unspecified; 2 votes): The Gameover Zeus Malware is associated with Dridex. GameOver Zeus is a variant of the ZeuS malware, used by malicious actors to steal banking credentials and distribute other types of malware, including ransomware such as Cryptolocker. It operated as a banking Trojan, infecting systems and stealing sensitive information. The botnet was closely associ
Raccoon (association type: Unspecified; 2 votes): The Raccoon Malware is associated with Dridex. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $
Associated Threat Actors
Alias / Description / Association Type / Votes
Evil Corp (association type: Unspecified; 5 votes): The Evil Corp Threat Actor is associated with Dridex. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe
TA505 (association type: Unspecified; 4 votes): The TA505 Threat Actor is associated with Dridex. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Indrik Spider (association type: Unspecified; 2 votes): The Indrik Spider Threat Actor is associated with Dridex. Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind
FIN11 (association type: Unspecified; 2 votes): The FIN11 Threat Actor is associated with Dridex. FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
Source Document References
Information about the Dridex malware was read from the documents in the corpus below. This display is limited to 20 results.
Source / Created
BankInfoSecurity, 2 months ago
DARKReading, 2 months ago
InfoSecurity-magazine, 2 months ago
BankInfoSecurity, 2 months ago
Checkpoint, 2 months ago
Unit42, 9 months ago
Checkpoint, 9 months ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
MITRE, 2 years ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago