Triage: Knowledge Base

Dridex's Year Activity


Dridex in Triage

Description

Originally appearing back in 2014 as an evolution of the old Bugat banking trojan, Dridex is a stealer which has seen extensive use and development over the years and continues to be a major threat in 2021.

The malware is modular; a basic infection involves the loader and the core components. The core consists of a keylogger and a stealer, which harvest local credentials stored by applications such as web browsers and email clients. It is also capable of performing web injections to intercept credentials. Additional modules can be added as required to perform other functions, such as VNC for remote access or SOCKS to proxy C2 traffic. [1]

Modern versions of the family include multiple techniques for process injection to install web hooks, including being among the first to implement the new AtomBombing method.

Configuration Extraction

Triage features a configuration extractor which processes the sample during static analysis to dump relevant C2 information. The extracted configuration also includes the botnet ID to help with tracking campaigns; this can be used in search queries to find related samples using the botnet: keyword.

Example Dridex Configuration

Common Behaviour

C2 Network Request

In most cases the Dridex DLL can be seen contacting one or more of the IP addresses configured for C2 usage.

Enumerates System

Dridex carries out basic system enumeration on launch - some common actions are shown below.

The samples generally check what software is installed by reading uninstall keys stored in the registry.

The family also checks whether or not UAC is enabled with a simple registry check:
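The following is an added example, not taken from the original page or from Triage: a small triage heuristic that flags a process whose registry reads combine the two enumeration behaviours described in this section. The event format, process names and threshold are constructed for illustration, and the UAC value is assumed to be EnableLUA under Policies\System, the standard Windows location for that setting, since the page does not name it.

```python
from collections import defaultdict

UNINSTALL = "\\software\\microsoft\\windows\\currentversion\\uninstall\\"
# Assumption: EnableLUA is the standard Windows UAC value; the page does not name it.
UAC_VALUE = "\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua"
HIVES = ("hkey_local_machine", "hklm", "hkey_current_user", "hkcu")

def normalise(path):
    """Lower-case, drop WOW6432Node redirection and the hive prefix."""
    p = path.lower().replace("\\wow6432node", "")
    for hive in HIVES:
        if p.startswith(hive + "\\"):
            return p[len(hive):]
    return p

def find_enumerators(events, min_products=5):
    """Return {pid: {...}} for processes that read at least min_products
    distinct Uninstall subkeys and also read the UAC setting."""
    products, uac_readers, images = defaultdict(set), set(), {}
    for ev in events:
        if ev["op"] != "read":
            continue
        path = normalise(ev["key"])
        images[ev["pid"]] = ev["image"]
        if path == UAC_VALUE:
            uac_readers.add(ev["pid"])
        elif path.startswith(UNINSTALL):
            # First path component after ...\Uninstall\ names the product.
            products[ev["pid"]].add(path[len(UNINSTALL):].split("\\")[0])
    return {pid: {"image": images[pid], "products": len(found)}
            for pid, found in products.items()
            if len(found) >= min_products and pid in uac_readers}

def sample_events():
    """Constructed events in a hypothetical sandbox-report shape."""
    base = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
    wow = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\"
    def read(pid, image, key):
        return {"pid": pid, "image": image, "op": "read", "key": key}
    names = ["7-Zip", "Mozilla Firefox", "Git_is1", "VLC media player", "Notepad++"]
    evs = [read(4120, "rundll32.exe", base + "Uninstall\\" + n + "\\DisplayName") for n in names]
    evs.append(read(4120, "rundll32.exe", wow + "Uninstall\\7-Zip\\DisplayName"))  # same product
    evs.append(read(4120, "rundll32.exe", base + "Policies\\System\\EnableLUA"))
    evs.append(read(2208, "msiexec.exe", base + "Uninstall\\7-Zip\\DisplayName"))
    evs.append(read(3016, "consent.exe", base + "Policies\\System\\EnableLUA"))
    return evs

if __name__ == "__main__":
    for pid, info in find_enumerators(sample_events()).items():
        print(pid, info["image"], "read", info["products"], "Uninstall subkeys + UAC setting")
```

Installers and software-inventory tools also walk the Uninstall keys, so a hit is a signal to correlate with other behaviour, such as the C2 requests described above, rather than a verdict on its own.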

External References

1 The Malware Dridex: Origins and Uses

CERT-FR's report on the history and development of the Dridex family.

2 Mitre ATT&CK: Dridex

Details of TTPs associated with the family's activity.

Tactics, Techniques, and Procedures

Command and Control: Standard Application Layer Protocol

Collection: Man in the Browser

Command and Control: Connection Proxy

Command and Control: Remote Access Tools
