Has Dridex been brushing up on its Latvian? Or perhaps its written Estonian skills? Maybe it’s preparing a long overseas stay requiring offshore banking accounts in the Cayman Islands? Recent Dridex configurations analyzed by IBM X-Force reveal that the new wave of Dridex attacks is resilient and more complex than your average malware campaign.

Following several quiet months, a spike in renewed activity suggests the gang operating Dridex is picking up speed with precision and planning.

Unlikely Targets

According to IBM X-Force Research, Dridex configurations from the past two months are replete with a hefty count of targets in some more common countries, such as the U.S., U.K., Canada and Australia. However, the Trojan is targeting some less charted territories as well, such as Lithuania, Latvia, Estonia, Lebanon and Ukraine, to name a few. This is quite uncommon for any banking Trojan.

Per its configuration files, Dridex currently targets over 20 Latvian banks, three banks in Estonia, three in Lithuania and one in Ukraine, among its other uncommon choices of late.


Figure 1. Dridex Configuration Geo Distribution; MD5: f5d2d004ac22b17fd48e28f85c9162bf. Source: IBM Trusteer)

Why would Dridex target just one bank in Ukraine, Lebanon or Lichtenstein? Perhaps the developers are moving money to and from these banks rather than stealing from them. Or maybe they start by testing one bank in a given region before developing more elaborate configurations.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Dridex Branches Out

In most cases, Dridex is after retail banking accounts (48 percent of targets), but next on its list are banking platforms and URLs leading to:

  • Business banking;
  • Treasury services;
  • Commercial banking;
  • Corporate banking;
  • Investment banking;
  • ACH payments and payroll services;
  • Offshore banking;
  • Private banking;
  • Wealth management; and
  • Background checks and recruitment sites.

There sure seems to be more going on than previously. Much like Shifu, Dridex is adding regular expressions to target digital banking platform providers, which are used by numerous banks. By doing that, Dridex enables itself to steal credentials from users of any bank that deploys that same platform instead of having to include the URL of each. X-Force researchers saw at least 10 different regular expressions of this type in recent Dridex configurations.

The malware is scouting login credentials to a well-known background check vendor and one of the top recruitment sites in the U.S. It’s not hard to guess what those will be used for: Background checks give fraudsters tons of personal information on high-value targets. Recruitment sites are unknowingly abused by criminals for posting fake jobs, ultimately resulting in money mule recruitment in the target geography where the fraud is to be cashed out.

This is rather telling: Dridex’s operators don’t typically recruit money mules in the U.S. or via recruitment sites. Perhaps they are running low on local accounts to facilitate their nefarious activity in America, especially with GozNym being ever so active in the same country.

Served By Good Old Office Macros

So what’s the infection vector at this time for malware like Dridex, which is not only after consumers, but interested in infecting company employees? Unsurprisingly, the top choice continues to be poisoned Word macros delivered in a document file via email. This infection method was extremely popular among banking Trojan operators in 2015, when, according to Dark Reading, macro malware levels hit a six-year high. This year is likely to end on a similar trend.

Dridex has been leveraging poisoned Word macros since it emerged in 2014. Locky, a ransomware code distributed by the same botnets as Dridex, also leverages this infection method, Ars Technica reported.

SecurityWeek reported that, aside from Word macros, Dridex operators also conducted recent drive-by download campaigns to drop Locky infections using the Neutrino exploit kit and automate infections.

Back From Vacation

Why did Dridex-delivering spam campaigns appear to be rather sluggish during the summer? With banking malware operations of this type, it’s actually common to see a drop during the summer months. An actor on Twitter who calls himself Dridex Bot, purporting to be part of the Evil Corp gang, indicated the group was on vacation:

While this may be true, a gang like Dridex is more likely to slow down to retool before speeding right back up. According to X-Force researchers, Dridex released four builds in the past 30 days alone, including two code updates to its internal strings and its API obfuscation scheme. The malware’s configurations were modified, new infection campaigns prepared, additional sub-botnet sections created (No. 144, No. 1024) and new geographies targeted.

Furthermore, the Locky operation continues full steam ahead. According to Bleeping Computer, Dridex’s infrastructure is even being used to spread yet another ransomware piece: a new Trojan called Bart.

Busy Year for Dridex

It seems like it has been around forever, doesn’t it? But in reality, Dridex, in its current form, is only 2 years old. But it’s not so young in cybercrime terms, and the gang operating Dridex is having quite the busy year in 2016, dabbling in just about every kind of financial malice.

This year, Dridex started copying the Dyre Wolf attacks, attacking companies and robbing millions at a time. Dridex also launched its first ever redirection attacks in early 2016. In June, Dridex was linked with the SWIFT heists. Its Locky operation has been making the headlines far too often as well, mainly for terrorizing health care organizations across the globe with massive ransomware campaigns.

In fact, 69 percent of email attacks with malicious attachments in Q2 2016 contained Locky infections. Data from Shadowserver showed that Dridex infections per day (infected IPs) have also been on the rise, reaching 60 percent spikes in some parts of Europe.

What’s Next?

From information gathered by X-Force Research on Dridex activities across the globe, it is evident Dridex’s botnet operators are a multifaceted group, very likely connected with additional crime factions that use the same resources to commit cybercrime.

Is Dridex going away any time soon? This botnet appears to be more resilient than most. Dridex almost underwent a full takedown in 2015 following the arrest of one of the alleged botnet administrators. Alas, the botnet managed to escape this attempt and continue its operations.

In June, SecurityWeek reported that authorities attempted to disable Dridex by disrupting the Necurs botnet. That, too, was insufficient to halt the operations of Dridex and its branched ransomware arm. Necurs bounced back within a mere two weeks and got right back to the business of disseminating Dridex and Locky variants.

A Formidable Foe

Is this crime group rolling in illicit profits? Considering its resilience, size and all the connected parts of its operation, Dridex is likely the top cybercrime conglomerate of the decade. Researchers estimated that operators of the Dridex and Locky duo are netting between $100,000 and $200,000 per day, not including the millions they must have put away after their alleged part in SWIFT-related attacks.

If Dridex was indeed responsible for the SWIFT attacks, it is operating on the level of a billion-dollar crime ring. This makes Dridex a formidable foe for law enforcement.

Security professionals can deploy antifraud solution suites that evolve to mitigate the risks associated with Dridex. Researchers and analysts can also look up and share threat intelligence on Dridex activity, M.O. and indicators of compromise on the X-Force Exchange.

Recent Dridex MD5

  • fa6781ced155213d7a7535bbe109cf04
  • f5fe906f801d99fafa8a9e0584a37008
  • 7752eaeac2c3a37bba3564fbab0233fc
  • f8fd038db826a1e1c28d384cdc61a82d

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today