Dridex malware, the banking trojan

March 28, 2023  |  Benny Liu

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 


Dridex, also known as Cridex or Bugat, is a banking Trojan that has been active since 2011. The malware is primarily used to steal sensitive information, such as login credentials and financial information, from victims. Dridex is known for its ability to evade detection by using dynamic configuration files and hiding its servers behind proxy layers.

The Dridex malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The malware then uses web injections to steal financial information from the victim.

One of the interesting features of Dridex is its use of a peer-to-peer (P2P) network for command and control (C&C) communication. This allows the attackers to evade detection by security researchers and law enforcement, as the C&C servers can be quickly changed if one is discovered.

In terms of atomic techniques, Dridex uses a variety of methods to evade detection and maintain persistence on an infected system. Some of these techniques include:

  • Fileless infection: Dridex can infect a system without leaving any trace of a malicious file on the hard drive.
  •  Process hollowing: Dridex can inject its code into a legitimate process in order to evade detection by security software.
  •  Anti-debugging and anti-virtualization: Dridex can detect if it is running in a virtualized environment or if it is being debugged, and will terminate itself if it is.

Dridex is a well-known and sophisticated banking trojan that has been active for more than a decade, the malware has been known to target financial institutions, businesses, and individuals. Despite the arrest of one of its administrators in 2015, the malware continues to be active and evolve.

Recent infection on Macs:

The recent variant of Dridex malware that targets MacOS systems delivers malicious macros via documents in a new way. The malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The variant overwrites document files to carry Dridex's malicious macros, but currently, the payload it delivers is a Microsoft exe file, which won't run on a MacOS environment. This suggests that the variant may still be in the testing stages and not yet fully converted to work on MacOS machines. However, it's possible that the attackers will make further modifications to make it compatible with MacOS in the future.

Once the malware is installed on the system, it searches for files with .doc extensions and overwrites them with the malicious code. The overwritten code has a D0CF file format signature, implying it is a Microsoft document file. This means that the malicious macros are delivered via document files, which makes it harder for the user to determine if the file is malicious or not.

The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file. This method of delivery is different from the traditional method of delivery, which is through email attachments. This shows that the attackers behind Dridex are trying to find new targets and more efficient methods of entry.

How it works:

Dridex is a banking Trojan that is typically distributed through phishing email campaigns. The malware is delivered as an attachment, often in the form of a Word or Excel document, that contains a malicious macro. Once the macro is enabled, it will download and execute the Dridex payload on the victim's system.

Once installed, Dridex can perform a variety of malicious actions, including keylogging, capturing screenshots, and stealing login credentials. The malware can also be used to create a botnet, allowing the attackers to remotely control the infected systems.

Dridex uses web injects, which are modules that can inject HTML or JavaScript code into a web page before it is rendered. This allows the malware to manipulate the appearance of web pages and trick the user into entering sensitive information, such as login credentials or credit card numbers. The malware can then send this information to its command and control (C2) server.

Dridex uses a variety of techniques to evade detection and maintain persistence on an infected system. These include using code injection to infect other processes, using named pipes to communicate with other processes, and using anti-debugging and anti-virtualization techniques to evade analysis.

In addition, Dridex uses a technique called "Heaven's Gate" to bypass Windows' WoW64 (Windows 32-bit on Windows 64-bit) layer, allowing it to execute 64-bit code on a 32-bit system. This technique involves using a feature in Windows that allows 32-bit applications to call 64-bit functions. By running malware code in a 64-bit environment, Dridex evades detection and anti-analysis by security tools that are not designed to detect 64-bit malware on 32-bit systems.


1. Isolate and remove the malware: Identify and isolate any infected systems and remove the malware using reputable anti-virus software.

2. Change all passwords: Dridex malware is known to steal login credentials, so it is important to change all passwords on the affected systems.

3. Patch the system: Ensure that all systems are fully patched and updated with the latest security fixes.

4. Use endpoint protection: Implement endpoint protection software to detect and block Dridex malware and other malicious software.

5. Monitor network traffic: Monitor network traffic for suspicious activity and use intrusion detection systems (IDS) to detect and block malicious traffic.

6. Employee education: Educate employees on how to identify and avoid phishing scams, and to be cautious when opening email attachments or clicking on links.

7. Regular backups: Regularly backup important data and keep backups in a secure location.

8. Use a firewall: Use a firewall to block incoming and outgoing connections from known malicious IP addresses.


In conclusion, Dridex is a well-known banking trojan that has been active since 2012, targeting financial institutions and their customers. The malware is typically distributed through phishing email campaigns, using attachments or links that lead to the downloading of the malware. Once on a system, Dridex can use various techniques to steal sensitive information and uses a technique called web injection to manipulate web pages and steal credentials. Remediation efforts should include monitoring for suspicious activity, blocking known malicious IPs and domains, keeping software updated, and educating users on how to identify and avoid phishing attempts. Additionally, monitoring for known indicators of compromise and inspecting processes and dll files that are known to be targeted by Dridex can help detect and prevent Dridex infections.

This author is from www.perimeterwatch.com

Share this with others

Featured resources



2024 Futures Report

Get price Free trial