Dridex Malware

Dridex is a banking trojan that is typically delivered through Microsoft Office macros. Its primary objective is to steal a target’s banking information, such as login details or online banking credentials.

Attackers use it to steal user credentials and banking details. Dridex commonly arrives as a spam email carrying a malicious attachment, such as a Microsoft Word document. According to cybersecurity specialists, Dridex evolved from an earlier malware family, the Zeus trojan. Once downloaded or embedded, typically without the end user’s knowledge, it enters the computer disguised as a legitimate product or application and then carries out its malicious activity.

The Zeus trojan evolved into Cridex, a banking trojan with a backdoor that self-replicates and allows other malware to be loaded onto the system. Dridex, in turn, is a trojan distributed through spam email campaigns.

Potential targets within the financial services industry include banking institutions, their clients, and end users, primarily in English-speaking countries. Dridex became increasingly prominent in 2020, affecting 26% of organizations globally.

Organizations must defend against this banking malware because it exposes users to the risk of financial fraud. The trojan has been systematically modified over the last ten years, which indicates that it was probably created and maintained by a team. Dridex is believed to have been developed by the Evil Corp group.

In December 2019, the FBI prosecuted two suspects, Igor Turashev and Maksim V. Yakubets, for creating the Dridex malware.

Evolution Of Dridex Malware

The Dridex malware originally functioned purely as a banking trojan: threat actors use it to steal sensitive information from an infected system, such as credentials for online banking services.

While attacks on financial institutions remain a key part of its operation, Dridex has recently gained new features.

Like QBot and TrickBot, Dridex has botnet and information-stealing capabilities. Although it appears to be waning compared to these rivals, it is still under active development.

A recent phishing campaign distributing infected Excel files used a new version of the malware, identified in September 2021, that extended its information-stealing capabilities. In December 2021, Dridex attacks also exploited the Log4j vulnerability.

How Dridex Malware Works

Once deployed on an infected machine, Dridex uses process injection and API hooking to steal sensitive information from keystrokes or screenshots. It can also:

  • Download and run other malware.
  • Steal information from websites.
  • Inject code into specific applications.
  • Give the attacker remote access.

The malware commonly uses web-inject modules to carry out man-in-the-browser attacks, letting threat actors collect credentials and other information from social media, email, and banking accounts.

The malware then packages and encodes the stolen banking credentials into documents and sends them across its peer-to-peer (P2P) network in binary or XML format.

Dridex spreads in several ways. Common examples include phishing emails, second-stage infection by malware from other families such as Emotet, and exploit kits.

Dridex Identification

Signature-based threat detection software may fail to detect Dridex. Detection is challenging because its signatures change continually, so each new variant is one that has not been seen before.

Technologies that do not rely solely on signature-based detection can help identify Dridex. For example, some tools use machine learning to analyze traffic and learn normal user behavior patterns, so that unusual network traffic can be flagged and examined further.

Malware-analysis tools that flag unusual behavior or suspicious .exe files can also be effective. Some anti-malware programs are therefore able to detect Dridex.
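The behavior-based approach described in this section, as an added example that is not code from the article or any vendor: instead of matching file signatures, it looks at parent/child process relationships, flagging an Office application that spawns a script host or launches a binary from a user-writable directory, which is the pattern a macro-delivered payload produces. The telemetry below is constructed to resemble process-creation events; the field names are assumptions, not a real product schema.

```python
"""Behavior-based detection of macro-launched payloads on sample process events.

Added example: flags Office applications spawning script hosts or binaries from
user-writable paths. Events are constructed (Sysmon Event ID 1 style field names
are an assumption, not a real schema).
"""
import json

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Directory markers that an ordinary user can write to; a child binary living
# there is a strong signal that a document just dropped it.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed sample telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"ws01","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n invoice.docm"}
{"host":"ws01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c powershell -w hidden"}
{"host":"ws01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","cmdline":"splwow64.exe 12288"}
{"host":"ws02","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","cmdline":"update.exe"}
{"host":"ws02","parent_image":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
"""


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event looks like a macro-launched payload, else None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in OFFICE_PARENTS:
        return None  # only Office parents are of interest for this rule set
    if child in SCRIPT_HOSTS:
        return f"{parent} spawned script host {child}"
    if any(marker in event["image"].lower() for marker in USER_WRITABLE):
        return f"{parent} launched binary from user-writable path {event['image']}"
    return None  # e.g. the print helper splwow64.exe is a normal Office child


def detect(text):
    """Run classify() over every event and return the findings in input order."""
    findings = []
    for ev in parse_events(text):
        reason = classify(ev)
        if reason:
            findings.append({"host": ev["host"], "cmdline": ev["cmdline"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['reason']} :: {f['cmdline']}")
```

Two of the five constructed events are flagged; the benign Office child (the print helper) and the non-Office events are not. In production these rules would be fed by an EDR or Sysmon pipeline rather than a string constant, and the allow-list of expected Office children would be tuned per environment.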

Dridex Malware Removal

Dridex is a highly complex malware family built to evade detection. As a result, both detecting and eradicating it is difficult, and a system that has been compromised once may become infected again if the malware is not fully removed.

For this reason, an endpoint security solution is the most effective way to eradicate Dridex. Such security tools ensure that Dridex is removed from infected machines.

How Can Organizations Protect Against Dridex Malware

Dridex, which spreads in a variety of ways, combines the features of an info stealer, a banking trojan, and a botnet infection. An organization can protect against Dridex and limit its impact in the following ways:

Least Privilege Access

After a successful Dridex attack, the threat actors will typically have access to more than one business account. The impact of these compromised accounts is reduced if the enterprise has implemented least-privilege access and follows zero trust principles.

Anti-Phishing Defense

Phishing emails with malicious attachments are the main method used to spread Dridex. Anti-phishing defenses that analyze attachments and detect the malware in a sandboxed environment before messages reach staff mailboxes are necessary to keep the malware off the corporate network.

Security Awareness Training For Staff Members

Phishing campaigns, such as those used to distribute Dridex, trick the victim into running the malware. A phishing campaign poses less of a threat to organizational cybersecurity when staff are trained to spot such messages and respond appropriately.

Account Activity Monitoring

Attackers who gain access to a company’s accounts will use that access to pursue their objectives further. By tracking the activity of business accounts, an organization can detect Dridex attacks by identifying anomalous behavior that may indicate a compromised account.
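The account activity monitoring described above, as an added example that is not code from the article or any product: three simple rules run over sign-in events surface the kinds of anomaly that appear once credentials stolen by a trojan are used, namely a login from a country the user has never signed in from, two logins too far apart to travel between, and a burst of failures immediately followed by a success. The sign-in records and per-user baselines are constructed, and the field layout is an assumption.

```python
"""Account activity monitoring on sample sign-in events.

Added example: rules for new-location logins, impossible travel, and
failure bursts. Sign-in records and baselines below are constructed; the
record layout (user, ISO timestamp, country, city, result) is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    user: str
    rule: str
    detail: str


# Constructed events: (user, ISO timestamp, country, city, result).
SAMPLE_LOGINS = [
    ("alice", "2024-03-04T08:02:00", "CA", "Toronto", "success"),
    ("alice", "2024-03-04T08:40:00", "CA", "Toronto", "success"),
    ("alice", "2024-03-04T09:15:00", "RO", "Bucharest", "success"),
    ("bob", "2024-03-04T22:10:00", "CA", "Ottawa", "failure"),
    ("bob", "2024-03-04T22:11:00", "CA", "Ottawa", "failure"),
    ("bob", "2024-03-04T22:12:00", "CA", "Ottawa", "failure"),
    ("bob", "2024-03-04T22:13:00", "CA", "Ottawa", "failure"),
    ("bob", "2024-03-04T22:14:00", "CA", "Ottawa", "success"),
    ("bob", "2024-03-05T09:00:00", "CA", "Ottawa", "success"),
]
# Countries each user has historically signed in from (constructed baseline).
BASELINE = {"alice": {"CA"}, "bob": {"CA"}}


def analyze(logins, baseline, travel_window=timedelta(hours=2),
            burst_threshold=3, burst_window=timedelta(minutes=10)):
    """Return Alert objects for anomalous sign-in sequences, per user, in time order."""
    by_user = defaultdict(list)
    for user, ts, country, city, result in sorted(logins, key=lambda r: datetime.fromisoformat(r[1])):
        by_user[user].append((datetime.fromisoformat(ts), country, city, result))

    alerts = []
    for user, rows in by_user.items():
        known = baseline.get(user, set())
        last_success = None   # (timestamp, country) of the previous successful login
        recent_failures = []  # timestamps of failures since the last success
        for ts, country, city, result in rows:
            if result != "success":
                recent_failures.append(ts)
                continue
            # Rule 1: first login from a country outside the user's baseline.
            if country not in known:
                alerts.append(Alert(user, "new_location", f"first login seen from {country} ({city})"))
            # Rule 2: successive logins from different countries too close together.
            if last_success and country != last_success[1] and ts - last_success[0] < travel_window:
                alerts.append(Alert(user, "impossible_travel",
                                    f"{last_success[1]} -> {country} in {ts - last_success[0]}"))
            # Rule 3: a burst of failures immediately before a success.
            burst = [f for f in recent_failures if ts - f <= burst_window]
            if len(burst) >= burst_threshold:
                alerts.append(Alert(user, "failure_burst",
                                    f"{len(burst)} failures within {burst_window} before success"))
            recent_failures = []
            last_success = (ts, country)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGINS, BASELINE):
        print(f"{a.user}: {a.rule} - {a.detail}")
```

On the constructed data this raises three alerts: alice triggers both the new-location and impossible-travel rules for the Bucharest login 35 minutes after Toronto, and bob triggers the failure-burst rule. The thresholds are parameters so they can be tuned to an organization's travel patterns and lockout policy.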

Multi-factor Authentication (MFA)

Dridex is designed to compromise employees’ accounts by harvesting their credentials from an infected system. Making multi-factor authentication (MFA) mandatory across the organization makes it harder for attackers to use the details the malware has stolen.

Content Disarm And Reconstruction (CDR)

Dridex is frequently delivered through Microsoft Office macros in malicious documents, which is why content disarm and reconstruction (CDR) is valuable. CDR removes potentially malicious content, such as embedded macros, from a file and then delivers the sanitized version to the end user.
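Both the attachment analysis described under anti-phishing defense and the CDR step described here, as an added example that is not code from the article or any CDR vendor: a simplified check that tells whether an Office attachment carries a VBA project, followed by a sanitizer that rebuilds the OOXML package without the macro project, its relationship entry, and its content-type declarations. A real CDR product reconstructs the whole document rather than editing the zip, but the package layout shown is the one Word and Excel use for .docm/.xlsm files. The sample document is constructed in memory and its VBA part is a placeholder byte string, not a real macro project.

```python
"""Macro check and macro stripping for OOXML Office attachments (added example).

Operates on the zip structure of .docm/.xlsm files. Sample document below is
constructed; its vbaProject.bin is a placeholder, not a real VBA project.
"""
import io
import re
import zipfile

# Part name Office uses for the VBA project inside a macro-enabled package.
MACRO_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# Relationship type that links a document part to its VBA project.
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
# Macro-enabled main-part content types and their macro-free equivalents.
MACRO_ENABLED_CT = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}


def _open(data: bytes) -> zipfile.ZipFile:
    # Legacy .doc/.xls files are OLE2 containers, not zip, and need a different parser.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML package")
    return zipfile.ZipFile(io.BytesIO(data))


def has_macros(data: bytes) -> bool:
    """True if the package carries a VBA project part or a macro-enabled content type."""
    with _open(data) as z:
        if any(MACRO_PART_RE.search(n) for n in z.namelist()):
            return True
        return "macroEnabled" in z.read("[Content_Types].xml").decode("utf-8", "replace")


def strip_macros(data: bytes) -> bytes:
    """Rebuild the package without the VBA project, its relationship, and its content types."""
    out = io.BytesIO()
    with _open(data) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if MACRO_PART_RE.search(name):
                continue  # drop the macro project part entirely
            payload = src.read(name)
            if name == "[Content_Types].xml":
                text = payload.decode("utf-8")
                for macro_ct, plain_ct in MACRO_ENABLED_CT.items():
                    text = text.replace(macro_ct, plain_ct)
                text = re.sub(r'<Default[^>]*ContentType="application/vnd\.ms-office\.vbaProject"[^>]*/>\s*', "", text)
                payload = text.encode("utf-8")
            elif name.endswith(".rels"):
                text = payload.decode("utf-8")
                text = re.sub(r'<Relationship[^>]*Type="' + re.escape(VBA_REL_TYPE) + r'"[^>]*/>\s*', "", text)
                payload = text.encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue()


def list_parts(data: bytes):
    with _open(data) as z:
        return z.namelist()


def read_part(data: bytes, name: str) -> str:
    with _open(data) as z:
        return z.read(name).decode("utf-8")


def build_sample_docm() -> bytes:
    """Construct a minimal macro-enabled Word package in memory (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '</Types>')
        z.writestr("_rels/.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '</Relationships>')
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER, NOT A REAL VBA PROJECT")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print("macros before:", has_macros(sample), "after:", has_macros(strip_macros(sample)))
```

In a mail gateway the `has_macros` result would decide whether to quarantine or sandbox the attachment, and `strip_macros` would produce the copy delivered to the mailbox. The relationship and content-type edits use regular expressions on the package XML for brevity; an XML-aware rewrite is the robust choice when attributes are reordered or split across lines.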

Endpoint Detection And Response (EDR)

Once Dridex has been installed on a computer, it uses several techniques to collect confidential data and carry out other malicious actions. EDR software can recognize such behaviors and then initiate the remediation procedure.

Updating And Vulnerability Management

Besides phishing, Dridex exploits unpatched vulnerabilities such as Log4j. Regularly applying patches and software updates helps prevent Dridex attacks and the exploitation of vulnerable platforms.

Preventing Dridex is simpler than detecting it. Other strategies include:

  • Exercising caution when opening email attachments from unknown senders.
  • Only downloading files from trusted sources.
  • Not opening files received in unverified or suspicious emails, to protect against malicious attachments.
  • Keeping browsers and programs up to date.
  • Teaching users and staff how to recognize a dangerous email attachment.
  • Using a malware detection program that goes beyond signature-based threat detection.

Organizations should therefore protect their data against Dridex by following the security best practices above.

Given advanced and emerging threats, CISA encourages organizations and individuals to:

  • Report any activity related to Dridex or its variants to law enforcement agencies immediately.
  • Include Cyber Event Indicators in the malware assessment report. Anomalous email addresses, hashes, IP addresses, domain names, and file names are among the indicators to be submitted in Item 44 of the Suspicious Activity Report (SAR) form.
  • Use malware detection and security alerting systems to actively block or respond to potential security breaches by incorporating the indicators of compromise that have been found.


While Dridex continues to affect many countries, attack rates peaked between 2015 and 2016. Most Dridex attacks appear to target English-speaking countries. According to reports from the cybersecurity industry, the cybercriminals known as TA505 or Evil Corp are responsible for the Dridex campaigns and other large malware spam operations. They spread the malware through large-scale spam campaigns, sending millions of emails a day, although the volume fluctuates.

Any breach through this trojan results in compromised banking credentials, leaving organizations and individuals vulnerable to financial loss. Given the evolving threat, preventive measures must be taken to protect against Dridex and other malware, and any breach involving this malware must be assessed and reported.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.