2023-02-27 by PRODAFT from PRODAFT Threat Intelligence
2022-10-31 by Or Chechik from Palo Alto Networks Unit 42
2022-10-13 by Spamhaus Malware Labs from Spamhaus
2022-09-01 by Kevin Henson from IBM
2022-08-24 by Rad Kawar from Github (rad9800)
2022-07-09 by Artik Blue from Artik Blue
2022-06-13 by Jorge Testa from Jorge Testa
2022-06-02 by Mandiant Intelligence from Mandiant
2022-05-24 by Bar Block from Deep instinct
2022-05-19 by Saqib Khanzada from Palo Alto Networks Unit 42
2022-05-10 by RiskIQ from RiskIQ
2022-04-27 by ANSSI from ANSSI
2022-03-13 by malcat team from Malcat
2022-03 by VirusTotal from VirusTotal
2022-02-23 by Antonio Pirozzi from Sentinel LABS
2022-02-23 by Andrew Brandt from SophosLabs Uncut
2022-02-08 by Intel 471 from Intel 471
2022-02 by Antonio Pirozzi from Sentinel LABS
2022-01-18 by Insikt Group® from Recorded Future
2022-01-14 by Jordan Herman from RiskIQ
2022-01-11 by Muhammad Hasan Ali from muha2xmad
2022-01-09 by z3r0day_504 from Atomic Matryoshka
2021-12-23 by Siddhesh Chandrayan from Symantec
2021-12-20 by Nick Chalard from InQuest
2021-11-21 by Nidal Fikri from Cyber-Anubis
2021-11-16 by Luigi Martire from Yoroi
2021-11-12 by Insikt Group® from Recorded Future
2021-09-15 by Anna Chung from Palo Alto Networks Unit 42
2021-09-03 by Mohamad Mokbel from Trend Micro
2021-08-19 by BlackBerry Research & Intelligence Team from Blackberry
2021-07-30 by Patrick Schläpfer from HP
2021-07-02 by muzi from MalwareBookReports
2021-06-22 by Cryptolaemus from Twitter (@Cryptolaemus1)
2021-06-08 by Intel 471 from Intel 471
2021-06-03 by Felipe Domingues from YouTube (FIRST)
2021-05-26 by Ron Ben Yizhak from DeepInstinct
2021-04-21 by Sean Gallagher from SophosLabs Uncut
2021-04-15 by Selena Larson from Proofpoint
2021-04-15 by Felix from Twitter (@felixw3000)
2021-04-12 by PTSecurity from PTSecurity
2021-04-06 by Lexfo from Lexfo
2021-03-31 by Red Canary from Red Canary
2021-03-29 by Jason Zhang from VMWare Carbon Black
2021-03-18 by PRODAFT from PRODAFT Threat Intelligence
2021-03-17 by HP Bromium from HP
2021-03-11 by Dave McMillen from IBM
2021-03 by Oleg Skulkin from Group-IB
2021-02-23 by CrowdStrike from CrowdStrike
2021-02-15 by Sojun Ryu from Medium s2wlab
2021-02-07 by Ali Aqeel from Technical Blog of Ali Aqeel
2021-02-02 by Germán Fernández from CRONUP
2021-02-02 by The DFIR Report from Twitter (@TheDFIRReport)
2021-02-01 by Microsoft 365 Defender Threat Intelligence Team from Microsoft
2021-01-19 by Patrick Schläpfer from HP
2021-01-09 by Marco Ramilli from Marco Ramilli's Blog
2021-01-04 by Check Point Research from Check Point
2021 by SecureWorks from Secureworks
2021 by SecureWorks from
2020-12-10 by US-CERT from US-CERT
2020-11-20 by Catalin Cimpanu from ZDNet
2020-11-18 by Sophos from Sophos
2020-10-29 by CERT-FR from CERT-FR
2020-10-15 by Department of Justice from Department of Justice
2020-10-03 by Wikipedia from Wikipedia
2020-09-29 by Andy Auld from PWC UK
2020-09-18 by Gustavo Palazolo from AppGate
2020-09-10 by Brad Duncan from SANS ISC InfoSec Forums
2020-09-07 by Brad Duncan from Github (pan-unit42)
2020-08-21 by Brad Duncan from Palo Alto Networks Unit 42
2020-08-20 by CERT-FR from CERT-FR
2020-08-09 by Remi Cohen from F5 Labs
2020-08-03 by The DFIR Report from
2020-07-17 by CERT-FR from CERT-FR
2020-06-24 by Arnold Osipov from Morphisec
2020-06-22 by CERT-FR from CERT-FR
2020-06-19 by Reaqta from Reaqta
2020-06-05 by Votiro’s Research Team from Votiro
2020-05-31 by Jason Reaves from Medium walmartglobaltech
2020-05-27 by GAIS-CERT from GAIS-CERT
2020-05-25 by CERT-FR from CERT-FR
2020-05-25 by CERT-FR from CERT-FR
2020-05-21 by Intel 471 from Intel 471
2020-03-30 by Michael Kajiloti from Intezer
2020-03-05 by Microsoft Threat Protection Intelligence Team from Microsoft
2020-03-04 by CrowdStrike from CrowdStrike
2020-03-03 by PWC UK from PWC UK
2020-02-18 by Luca Nagy from Sophos Labs
2020-01-31 by Michal Poslušný from Virus Bulletin
2020 by SecureWorks from Secureworks
2020 by SecureWorks from Secureworks
2019-12-19 by Brian Krebs from KrebsOnSecurity
2019-12-05 by U.S. Department of the Treasury from U.S. Department of the Treasury
2019-09-09 by Thomas Roccia from McAfee
2019-08-13 by David Korczynski from Adalogics
2019-07-12 by Brett Stone-Gross from CrowdStrike
2019-05-14 by GovCERT.ch from GovCERT.ch
2018-12-18 by Trend Micro from Trend Micro
2018-01-26 by Michal Poslušný from ESET Research
2018-01-12 by Proofpoint Staff from Proofpoint
2017-08-01 by Panda Security from Panda Security
2017-07-25 by Johannes Bader from Github (viql)
2017-07-18 by Ashkan Hosseini from Elastic
2017-05-25 by Nikita Slepogin from Kaspersky Labs
2017-05-15 by Counter Threat Unit Research Team from Secureworks
2017-02-28 by Magal Baz from Security Intelligence
2017-01-26 by Flashpoint from Flashpoint
2016-02-16 by Dick O'Brien from Symantec
2015-11-10 by CERT.PL from CERT.PL
2015-10-26 by Blueliv from Blueliv
2015-10-15 by AnubisLabs from BitSight
2015-10-13 by Brett Stone-Gross from Secureworks
Tool: Dridex
Names: Dridex, Bugat v5
Description: OxCERT blog describes Dridex as 'an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet; if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs are effective only in the short term.' According to MalwareBytes, 'Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.' IBM X-Force discovered 'a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the "atom tables" that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.'
Category: Malware
Type: Banking trojan, Credential stealer, Worm
Information: https://www.us-cert.gov/ncas/alerts/aa19-339a
Information: https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
Information: https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/
Information: https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
Information: https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
Information: https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
Information: https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
Information: https://viql.github.io/dridex/
Information: https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
Information: https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
Information: https://securityintelligence.com/posts/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/
Information: https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document
Information: https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
Information: https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/
Information: https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain/
Information: https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html
Mitre-attack: https://attack.mitre.org/software/S0384/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex
Last-card-change: 2023-02-15
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Observed behaviour |
---|---|---|
Execution (TA0002) | T1106 Native API | Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique. |
Execution (TA0002) | T1204.002 User Execution: Malicious File | Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing. |
Discovery (TA0007) | T1082 System Information Discovery | Dridex has collected the computer name and OS architecture information from the system. |
Collection (TA0009) | T1185 Browser Session Hijacking | Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies. |
Command and Control (TA0011) | T1071.001 Application Layer Protocol: Web Protocols | Dridex has used POST requests and HTTPS for C2 communications. |
Command and Control (TA0011) | T1090 Proxy | Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers. |
Command and Control (TA0011) | T1090.003 Proxy: Multi-hop Proxy | Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure. |