Dridex

Malware Profile Updated a month ago
Dridex is a well-known banking Trojan used by cybercriminals to compromise and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. Threat actors have employed DLL side-loading with Dridex, copying legitimate Microsoft executables and renaming the Dridex DLL .tmp files so that the trusted executable loads the malicious library. When executed, the Dridex loader uses AtomBombing to inject code into the process space of explorer.exe, an indication of how sophisticated its techniques are.

As the Ransomware as a Service (RaaS) model grew in popularity throughout 2020, the connection between first-stage malware and subsequent ransomware attacks became more apparent. Notably, Dridex was linked to BitPaymer ransomware, illustrating how an initial infection can pave the way for further malicious activity. Dridex was also among the botnet families with the most command and control (C2) detections during that year, alongside Emotet, IcedID, QakBot, and TrickBot.

The use of Dridex has been tracked to several notorious cybercrime groups, including UNC2165, also known as Evil Corp. This group began altering the ransomware it deployed after being sanctioned by the US in 2019 over its development and use of Dridex. Dridex has additionally been associated with other significant threats such as Log4Shell and Conti. A delivery method first observed in 2021 has since been used to distribute a wide range of malware, notably the Dridex banking trojan. Dridex clearly remains a potent tool in the arsenal of cybercriminals.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Gandcrab | 2 | GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Ransomware
Botnet
Spam
Lateral Move...
Loader
Russia
Fraud
Cybercrime
Exploit
Bot
Payload
Macos
Antivirus
Extortion
Associated Malware
ID | Type | Votes | Profile Description
Emotet | Unspecified | 6 | Emotet is a notorious malware that has been active for over a decade, known for its ability to infiltrate and manipulate email accounts. It tricks individuals into downloading infected files or clicking on malicious links, thus spreading its influence. It was a major player in the malware delivery b
IcedID | Unspecified | 4 | IcedID, also known as BokBot, is a type of malware that was initially identified in 2017 as a banking trojan. Over time, it has evolved and is now used for various cybercrimes, including financial data theft. It is often associated with other malware types such as Qakbot, BazarLoader, CobaltStrike,
QakBot | Unspecified | 3 | Qakbot, also known as QBot, is a versatile and malicious software that can perform various harmful actions such as brute-forcing, web injects, and loading other malware. It is used to steal credentials and gather sensitive information. The malware is built by different groups including IcedID, Emote
BitPaymer | Unspecified | 3 | BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
TrickBot | Unspecified | 3 | TrickBot is a notorious malware that has gained prominence due to its destructive capabilities. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot c
Doppelpaymer | Unspecified | 3 | DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
Gameover Zeus | Unspecified | 2 | Gameover ZeuS, also known as P2P ZeuS, is a notorious piece of malware designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
Zeus | Unspecified | 2 | Zeus is a Trojan Horse malware, infamous for its ability to exploit and damage computer systems. It was created by Evgeniy Bogachev and gained notoriety for its ability to infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Zeus can steal per
Raccoon | Unspecified | 2 | Raccoon is a type of malware utilized by the Scattered Spider threat actors to obtain sensitive information such as login credentials, browser cookies, and browser histories. The Raccoon Stealer is particularly notorious for its ability to detect countermeasures and delete records associated with th
Ursnif | Unspecified | 2 | Ursnif, also known as Gozi or ISFB, is a type of malware that is primarily used for information stealing. It is typically distributed through suspicious downloads, emails, or websites and can infect systems often without the user's knowledge. Once inside, it can steal personal information, disrupt o
Gozi | Unspecified | 2 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Associated Threat Actors
ID | Type | Votes | Profile Description
TA505 | Unspecified | 4 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
fin11 | Unspecified | 2 | FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
Evil Corp | Unspecified | 2 | Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
Indrik Spider | Unspecified | 2 | Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Dridex malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Stopping Serial Killer: Catching the Next Strike - Check Point Research
GovCERT CH | a year ago | The Rise of Dridex and the Role of ESPs
MITRE | a year ago | Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware
MITRE | a year ago | Dridex (Bugat v5) Botnet Takeover Operation
MITRE | a year ago | Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware
Recorded Future | a year ago | 2022 Adversary Infrastructure Report
MITRE | a year ago | TA505 shifts with the times | Proofpoint US
CERT-EU | a year ago | Emotet Rises Again: Evades Macro Security via OneNote Attachments
Unit42 | 3 months ago | Intruders in the Library: Exploring DLL Hijacking
MITRE | a year ago | WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
MITRE | a year ago | New Banking Trojan IcedID Discovered by IBM X-Force Research
CERT Polska | a year ago | Talking to Dridex (part 0) – inside the dropper
MITRE | a year ago | INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware
MITRE | a year ago | Threat Assessment: Clop Ransomware
MITRE | a year ago | Dridex: A History of Evolution
CERT-EU | a year ago | Analysis of Ransomware Attack Timelines | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
ESET | a year ago | Cracked it! Highlights from KringleCon 5: Golden Rings | WeLiveSecurity
Secureworks | a year ago | Phases of a Post-Intrusion Ransomware Attack
Malwarebytes | a year ago | DoppelPaymer ransomware group disrupted
Securityaffairs | a year ago | New Lobshot hVNC malware spreads via Google ads