Dridex's Year Activity
Originally appearing back in 2014 as an evolution of the old Bugat banking trojan, Dridex is a stealer which has seen extensive use and development over the years and continues to be a major threat in 2021.
The malware is modular: a basic infection consists of the loader and the core component. The core contains a keylogger and a stealer that harvests credentials stored locally by applications such as web browsers and email clients, and it is also capable of performing web injections to intercept credentials. Additional modules can be added as required for other functions, such as VNC for remote access or SOCKS to proxy C2 traffic.<1>
Modern versions of the family include multiple process injection techniques for installing their web inject hooks, and Dridex was among the first families to implement the new AtomBombing method.
Triage features a configuration extractor which processes the sample during static analysis to dump relevant C2 information. It also includes the botnet ID to help with tracking campaigns - this can be used in search queries to find related samples using the
C2 Network Request
In most cases the Dridex DLL can be seen contacting one or more of the IP addresses configured for C2 usage.
Dridex carries out basic system enumeration on launch - some common actions are shown below.
The samples generally check what software is installed by reading uninstall keys stored in the registry.
The family also checks whether or not UAC is enabled with a simple registry check:
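As an added example (not Triage's tooling or any code from the page), the script below flags the two enumeration behaviours described above in a stream of sandbox registry events so that an analyst can triage them in bulk. The tab-separated event format, the constructed sample lines and the assumption that the UAC check reads the EnableLUA value under the Policies\System key are all mine.

```python
# Added example: detect Dridex-style startup enumeration in sandbox registry
# events. Event lines are assumed to be "<pid>\t<op>\t<key>\t<value>".
import re
from dataclasses import dataclass

# Uninstall keys enumerated to discover installed software (32- and 64-bit views).
UNINSTALL_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)",
    re.IGNORECASE,
)
# Assumption: the "simple registry check" for UAC reads EnableLUA under this key.
UAC_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.IGNORECASE
)

@dataclass
class Finding:
    pid: int
    uninstall_reads: int
    uac_checked: bool

def parse_event(line):
    """Split one sandbox event line; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2], parts[3]

def find_enumeration(lines, min_uninstall_reads=3):
    """Return one Finding per process that both walks Uninstall keys and queries EnableLUA."""
    per_pid = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, op, key, value = ev
        stats = per_pid.setdefault(pid, {"uninstall": 0, "uac": False})
        if op in ("RegOpenKey", "RegQueryValue") and UNINSTALL_RE.search(key):
            stats["uninstall"] += 1
        if op == "RegQueryValue" and UAC_KEY_RE.search(key) and value.lower() == "enablelua":
            stats["uac"] = True
    return [Finding(pid, s["uninstall"], s["uac"]) for pid, s in sorted(per_pid.items())
            if s["uninstall"] >= min_uninstall_reads and s["uac"]]

SAMPLE_EVENTS = [  # constructed sample, not a real sandbox export
    "1337\tRegOpenKey\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\t",
    "1337\tRegQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip\tDisplayName",
    "1337\tRegQueryValue\tHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VLC\tDisplayName",
    "1337\tRegQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\tEnableLUA",
    "2048\tRegQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip\tDisplayName",
    "2048\tRegQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tOneDrive",
]

if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.uninstall_reads} Uninstall reads, EnableLUA queried={f.uac_checked}")
```

A single Uninstall read or an isolated EnableLUA query is common in benign installers, which is why the heuristic requires both behaviours from the same process before flagging it.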
CERT-FR's report on the history and development of the Dridex family.
Details of TTPs associated with the family's activity.