Dridex is a form of malware that targets its victim's banking information. Malware, or malicious software, is software intended to cause harm to a user. Specifically, Dridex is classified as a Trojan, which hides malicious code within seemingly harmless data. The main goal of Dridex is to steal sensitive details from its victim's bank accounts, for example, their online banking credentials and financial access.
Dridex targets Windows users through spam email campaigns that trick recipients into opening a Word or Excel attachment. Hidden within these files is the Dridex malware, which then infects the computer in order to steal personal information, mainly banking credentials.
Financial institutions and customers within financial services may be targeted, mostly from English-speaking countries. In 2020, Dridex became more relevant, impacting 3%-4% of organizations worldwide.
This banking Trojan is a type of malware that should be watched out for since it opens individuals up to possible banking theft. The malware has also been updated meticulously over the past 10 years, meaning that it's likely developed and updated by a group of people. EvilCorp is the group that is allegedly responsible for Dridex.
How does Dridex work?
Cybercriminals will spread Dridex through spam emails. The emails are presented as official and will prompt the victim to open an attached Microsoft Word or Excel file. A macro embedded within the file will trigger when the file is opened and start a download of Dridex. From there, the malware will begin stealing banking credentials and conduct fraudulent financial transactions.
To steal information, the malware will inject a keylogger, which will monitor and record each keystroke typed on a computer's keyboard. This will enable the attackers to steal login and password information, including online banking credentials.
Dridex has a range of other capabilities as well. It can also carry out injection attacks, which allow it to download more malware in order to execute remote commands or inject code into a specific program.
Dridex is hard to detect, as it can generally evade antivirus detection.
How do you detect a Dridex malware infection?
Signature-based threat detection software may not be able to detect Dridex. The threat is constantly evolving, using previously unknown signatures, which makes it difficult to detect.
To stand a better chance of detecting Dridex, use tools that do not rely primarily on signature-based threat detection. For example, some tools use machine learning to model network traffic and learn the patterns of normal user activity; unusual traffic can then be flagged and examined more closely. Malware detection software that identifies uncommon behavior or unexpected .exe files may also catch it. As such, some antimalware tools will work in detecting Dridex.
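The "uncommon behavior" approach above is easier to see in working code. The following is an added example, not code from the original article or from any vendor product. It scans constructed endpoint process-creation events (the field names are assumed, modelled loosely on Sysmon-style process-creation records) and flags the chain the article describes: an Office application spawning a script host or downloader, a PowerShell child that fetches or decodes a payload, or an executable launching from a user-writable directory. No signature of the malware itself is involved, which is the point.

```python
"""Behaviour-based detection of an Office-macro-to-payload chain.

Added example, not code from the original article or from any vendor product.
The event fields (parent, image, cmdline) are assumptions modelled on common
endpoint process-creation telemetry; the sample events are constructed.
"""
from dataclasses import dataclass
import re

# Parent processes that should rarely spawn interpreters or downloaders.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that a macro typically uses to fetch and run a payload.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                       "bitsadmin.exe"}
# PowerShell command-line fragments associated with download or encoded execution.
PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|-enc\b|-encodedcommand",
                         re.IGNORECASE)
# User-writable directories from which a dropped .exe would usually run.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent: str   # image path or name of the parent process
    image: str    # full path of the newly created process
    cmdline: str  # command line of the newly created process


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of the rules the event matches (empty if benign)."""
    hits = []
    parent = basename(event.parent)
    child = basename(event.image)
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        hits.append("office_spawns_script_host")
    if child == "powershell.exe" and PS_DOWNLOAD.search(event.cmdline):
        hits.append("powershell_download_or_encoded")
    if child.endswith(".exe") and USER_WRITABLE.search(event.image):
        hits.append("exe_from_user_writable_dir")
    return hits


def scan(events) -> list[tuple[int, list[str]]]:
    """Scan a sequence of events and return (index, rules) for each one that fires."""
    findings = []
    for i, event in enumerate(events):
        rules = classify(event)
        if rules:
            findings.append((i, rules))
    return findings


# Constructed sample telemetry (not real logs): two benign events, then a macro chain.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WINWORD.EXE /n invoice.docm"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -EncodedCommand AAAA"),  # placeholder, not a real payload
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\alice\AppData\Roaming\update.exe",
                 "update.exe"),
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Each rule is deliberately coarse; in production the parent/child pairing would be tuned against a baseline of normal activity (build tooling and some line-of-business add-ins legitimately launch script hosts), which is exactly the normal-activity modelling the paragraph describes.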
How do you protect against Dridex?
Luckily, it's easier to protect against Dridex than to detect it. Some defensive options include:
- Be careful when opening email attachments from unknown senders.
- Leave files sent from unknown and suspicious email addresses unopened.
- Download files only from trusted sources.
- Keep applications and browsers up to date.
- Use malware detection software that relies on methods other than signature-based threat detection.
- Educate other individuals or employees on how to identify malicious spam.
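The first three items above, and the delivery mechanism described earlier (a macro in a Word or Excel attachment that downloads the payload), can be enforced mechanically at the mail gateway rather than left to each recipient's judgement. The following is an added example, not code from the original article or from any mail product. It builds a constructed lure message in memory so it runs offline, then walks the attachments and reports which ones a defender would hold for inspection: macro-enabled OOXML files that actually contain a VBA project, files whose extension claims OOXML but whose content is not a zip container, and legacy binary Office formats that cannot be checked without an OLE parser. The message addresses and file names are constructed placeholders.

```python
"""Mail-gateway triage for macro-bearing Office attachments.

Added example, not code from the original article or from any mail product.
The sample message, addresses and attachments are constructed; the minimal zip
containers mimic OOXML layout only far enough to exercise the check.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
LEGACY_EXTENSIONS = {".doc", ".xls", ".ppt", ".dot", ".xlt"}
# Where an OOXML container stores its VBA project, if it has one.
MACRO_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def extension(filename: str) -> str:
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_macros(data: bytes) -> Optional[bool]:
    """True/False if data is a readable zip container; None if it is not a zip at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return None
    return any(part in names for part in MACRO_PARTS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Decide, from content rather than extension alone, whether to hold an attachment."""
    ext = extension(filename)
    if ext in OOXML_EXTENSIONS:
        macros = ooxml_has_macros(data)
        if macros is None:
            return "hold: extension claims OOXML but content is not a zip"
        return "hold: VBA project present" if macros else "allow: OOXML without macros"
    if ext in LEGACY_EXTENSIONS:
        return "hold: legacy binary Office format, needs OLE inspection"
    return "allow: not an Office document"


def triage_message(raw: bytes) -> dict:
    """Map each attachment file name in a raw RFC 822 message to a triage verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        results[name] = triage_attachment(name, part.get_payload(decode=True))
    return results


def build_ooxml(root: str, with_macros: bool) -> bytes:
    """Construct a minimal zip that mimics an OOXML container (not a valid document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{root}/document.xml", "<document/>")
        if with_macros:
            zf.writestr(f"{root}/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure message with three attachments; not a real Dridex sample."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(build_ooxml("word", True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(build_ooxml("xl", False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="summary.xlsx")
    msg.add_attachment(b"\xd0\xcf\x11\xe0constructed", maintype="application",
                       subtype="msword", filename="old.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_message(build_sample_message()).items():
        print(f"{name}: {verdict}")
```

The verdict is driven by the container's contents, not the file name, so renaming a macro-enabled document to .docx does not get it past the check; legacy .doc and .xls files are held outright because their OLE structure needs a dedicated parser to inspect.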
How can Dridex malware be removed?
Manual removal of Dridex is possible, but it is generally recommended to let an antimalware program that can detect and remove Dridex handle the process. Software such as Malwarebytes, which identifies the threat as Trojan.Dridex, can be used to detect and remove it. Once a threat is found, the software quarantines it in order to remove the malware, and may then ask the user to reboot the system once the process is completed. Once Dridex has been detected and removed, individuals should change their banking account passwords.
History and evolution of Dridex malware
Dridex first appeared around 2011-2012. Initially, it was capable of receiving dynamic configuration files and using web injections in order to steal money. At that time, the malware went by the name Cridex, which was itself based on the Zeus Trojan horse malware. Since then, what would eventually become Dridex has been continually changing and evolving. It has been able to avoid detection by hiding its main servers behind proxy layers. As new versions appear, old ones stop working, hinting that a single group is behind the attacks.
A significant variant of Cridex was released in 2012. Notably, this version infected USB media and replaced the binary format of the configuration file and packets with XML. After the 0.8 variant, Cridex remained largely unchanged until version 3.4.
In 2014, the banking malware spread through a spam campaign that sent up to 15,000 emails a day. The attacks focused on systems located in the United Kingdom. One year later, losses attributed to the malware were estimated at £20 million in the U.K. and $10 million in the United States.
On August 28, 2015, one of the administrators of the Dridex network was arrested. After this, in September, three of Dridex's networks went down. Later in October, however, the same networks came back online with six additional networks added. By 2016, the loader used became more complicated, and methods of encryption changed.
The fourth version was first detected in 2017. The big change to this version was that the XML format used was switched back to binary. The packet structure was similar to the ones used in the third version.
From its creation to now, Dridex has had many iterations that added features such as P2P encryption and hashing algorithms.
In December 2019, the FBI charged two suspects whom it believed had created the Dridex Trojan. Two Russian nationals, Maksim V. Yakubets and Igor Turashev, were suspected of its creation. Both were later indicted on conspiracy to commit bank fraud, among a host of other charges. Additionally, Yakubets faced a separate charge of conspiracy to commit bank fraud, issued by a different U.S. state, for involvement in the Zeus malware variant.