The Emergence of Dridex

The Emergence of Dridex

 

Dridex first appeared in 2011 and has been evolving into a greater threat since. The prolific banking trojan has raked in millions of dollars and continues to adapt and attack in the changing landscape. When first released Dridex, targeted financial/banking institutions based in Europe. However, now the malware targets any small to medium-sized organization. Dridex is quite complex because it is constantly evolving and coming up with ways to evade detection. As new versions are released, older versions quickly become obsolete.

The Evolution

Dridex was first released as a banking Trojan designed to steal banking and personal credentials. The first version was derived from, Cridex, a trojan released around September 2011 which appeared as an independent malicious program. Cridex was complex even in at the beginning, affecting primarily Windows systems. Known as W32.Cridex the worm used web injections to steal information, receive dynamic configuration files, and inject attached USB devices with malware. Once the malware is executed on the computer, a back door is opened and then the computer is made a botnet. The malware is then able to capture keystrokes, take screenshots, inject content in banking sites, and steal any sensitive data.

The next few versions released were Cridex 0.77-0.80. These versions built up in complexity and in 2012, developers made significant changes. Cridex no longer infected USB media, the binary format of the configuration file and packets with XML was completely replaced. Fast forward to 2014, GameOver Zeus, the criminal network behind Cridex retired the malware and Dridex soon emerged in the market.

Evil Corp

Evil Corp, also known as INDRIK SPIDER and TA505, is the eCrime group behind the banking trojan formed from affiliates of GameOver Zeus. Evil Corp is believed to be an Eastern Europen-based, primarily Moldovan and began operations in 2014. Dridex emerged from Cridex and was released into the wild in 2014. Dridex soon became the most persistent and widespread banking trojan in 2015 and 2016. Targets were no longer specifically located in Europe, and now anyone across the globe was a target. Dridex unlike Cridex is not a worm, in other words, it does not spread on its own. Further, Dridex was primarily used for wire fraud and was quite successful.

However, in 2015 Evil Corp got hit with a few bumps. One of their affiliates, known as Smilex was arrested, this operation guided by the U.K had one goal in mind, to break up the money-laundering network. The network was soon dissembled and Evil Corp was forced to change their methods of attack. In 2017, they began started distributing the malware in smaller campaigns and soon after released BitPaymer ransomware.

When the malware was investigated it was found to contain anti-analysis capabilities that were shared with Dridex. Over time this threat group has become less frequent in their campaigns, opting for more targeted attacks. A further Ransomware called “DoppelPaymer” was detected in 2019 which shares many similarities with BitPaymer but it is unclear whether it is from the same group.

How Does Dridex Spread?

Dridex primarily spreads through phishing campaigns. The malware needs human interaction to begin the infections. Therefore, these campaigns, usually emails contain deceiving language, tricking users into clicking or opening an attachment or link embedded in the email. If the user does not open the attachment, the infection does not occur. In many cases, a malicious Microsoft Office file (.doc or .xls) is attached which downloads a payload onto the user’s computer when downloaded.

 

Example of Phishing Email

Example of Dridex Phishing Email

 

GameOver Zeus dissembled in 2017 and affiliates of the group later formed INDRIK SPIDER. The new malicious group came back with a more evolved and complex attack, BitPaymer Ransomware. This new variant leverages Dridex in its attacks. To learn more about this evolution into BitPaymer Ransomware click here.

 

 

Contact LIFARS Today 

For DFIR Services

 

 

 


Credits

www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

www.symantec.com/connect/blogs/dridex-and-how-overcome-it

www.symantec.com/connect/blogs/dridex-and-how-overcome-it

www.threatpost.com/new-dridex-phishing-campaign-delivers-fake-accounting-invoices/127867/