Dridex

Originally known as Cridex when it first appeared in 2012, Dridex has evolved into one of the most active banking trojans today. In 2015 it accounted for almost half of all financial trojan infections, according to Symantec. The actors operating the Dridex botnet have continually refined the malware, which is reportedly capable of harvesting customer banking credentials for approximately 300 banks and other financial institutions in over 40 countries; its targets are largely based in the US and Europe. Although it is also spread through compromised websites and peer-to-peer (P2P) networks, Dridex is typically distributed by spam email campaigns carrying Microsoft Word attachments with malicious macros. If the macro is allowed to run, a malicious .vbs file (detected as VBS.Downloader.Trojan) is executed, and that script downloads and installs Dridex on the victim's computer.

According to Symantec's research, 74 percent of Dridex spam campaigns used real company names in the sender address and in the email text. The attackers also choose a top-level domain for the sender address that matches the region the message purports to originate from. The majority of the spam campaigns were disguised as financial emails such as invoices; more recent campaigns instead tell recipients that their account has been compromised and requires a password reset. The threat actors behind Dridex keep to the normal working week of the targeted company's location, even taking time off during holidays, so that the mail traffic looks authentic.

In February 2017, IBM X-Force researchers discovered version 4 of the Dridex trojan. The updated code uses a new code-injection method based on the "AtomBombing" technique to evade current security solutions. Dridex is the first banking trojan known to use AtomBombing, and other malware developers will likely adopt the same method. The trojan's configuration encryption was also upgraded, and the release adds a modified naming algorithm and a more robust persistence mechanism. At the time of reporting, IBM had observed Dridex v4 in active campaigns, mainly targeting UK banks.

Reporting

  • October 2015: The US Department of Homeland Security and FBI released an alert (TA15-286A) on Dridex, describing it as peer-to-peer (P2P) bank credential-stealing malware that uses a decentralized network of compromised personal computers and web servers for command-and-control (C2).
  • February 2016: "Dridex: Tidal waves of spam pushing dangerous financial Trojan." (Symantec)
  • April 2016: Dridex was discovered delivering the Cerber ransomware to victims. (FireEye)
  • May 2016: The widely distributed Angler exploit kit was seen delivering Dridex to victims after exploiting an Adobe Flash Player vulnerability. (ThreatPost)
  • May 2016: TrendMicro detailed a new spam campaign distributing Dridex through emails claiming that the recipient's bank had been compromised and prompting them to open a .ZIP attachment containing a Personal Information Exchange (.PFX) file. The .PFX file does not hold a real certificate: it is decoded with the legitimate Windows tool certutil, which yields the Dridex executable (.EXE), and the executable is then run to infect the machine. Nearly 60 percent of the spam emails were received by US users. (TrendMicro)
  • August 2016: After a quiet summer of 2016, a recent shift in Dridex activity suggests that it is being delivered in smaller, more targeted attacks. (Proofpoint)
  • January 2017: After a six-month hiatus, Dridex is active again, targeting large financial institutions in the United Kingdom and using a Windows User Account Control (UAC) bypass technique. (Flashpoint)
  • February 2017: The newly detected Dridex version 4 uses a new injection method based on the "AtomBombing" technique to evade current security solutions. It is currently used in campaigns against UK banks. (IBM)
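Two links of the delivery chains described above are visible in process-creation telemetry: a Word document whose macro launches a script host to run the .vbs downloader, and certutil being used to decode a fake .PFX file into an executable. The following is an added example, not code from the original page or from any of the vendors cited: it runs two simple heuristics over constructed Sysmon-style process-creation events (parent image, image, command line). The field layout, the sample paths and file names, and the choice of which extensions count as "executable" are assumptions made for the example.

```python
"""
Heuristics for two Dridex delivery behaviours over process-creation events.

Rule 1: an Office application spawning a script host (macro -> .vbs downloader).
Rule 2: certutil.exe invoked with -decode/-decodehex where the output file has an
        executable extension (the .PFX lure that really carries a base64 payload).
The events below are constructed for this example; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}  # assumption: what we treat as executable output


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as logged


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, quotes stripped."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def ext(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def argv(command_line: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths (with spaces) as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def office_spawns_script_host(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS


def certutil_decode_abuse(ev: ProcEvent) -> bool:
    if basename(ev.image) != "certutil.exe":
        return False
    args = argv(ev.command_line)
    for i, tok in enumerate(args):
        flag = tok.lstrip("-/").lower()          # certutil accepts -decode and /decode
        if flag in ("decode", "decodehex") and i + 2 < len(args):
            out_file = args[i + 2]               # syntax: certutil -decode InFile OutFile
            return ext(out_file) in EXEC_EXT
    return False


RULES = [
    ("office_spawns_script_host", office_spawns_script_host),
    ("certutil_decode_abuse", certutil_decode_abuse),
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every event a rule fires on."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed sample events: two malicious (indices 0 and 1), three benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\invoice_2016.vbs"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\certutil.exe",
              r'certutil.exe -decode "C:\Users\alice\AppData\Local\Temp\account.pfx" '
              r'"C:\Users\alice\AppData\Local\Temp\svchost.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -verify C:\Users\alice\Downloads\server.cer"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\ProgramData\pki\cert.b64 C:\ProgramData\pki\cert.der"),
    ProcEvent(r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx].command_line}")
```

The certutil rule deliberately keys on the output file rather than on the -decode switch alone: decoding a base64 certificate into a .der file (event index 3) is normal administration, whereas a .PFX input producing an .exe is the behaviour the TrendMicro campaign relied on. In production you would pair both rules with the parent-child chain from the page (Word, then the script host, then the dropped executable) rather than alerting on either in isolation.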

Technical Details

  • TrendMicro provides technical details and indicators of compromise on recent Dridex activity, available here

One example of the Dridex trojan infection chain. Image Source: Trend Micro