The Dridex banking Trojan was initially seen in the wild in late 2014, targeting financial institutions mainly throughout the UK. By 2015, the malware had spread to more than 20 countries, and focused heavily on English-language users.
Dridex is peer-to-peer credential-stealing malware which siphons money from victims’ banking accounts. Trend Micro calls Dridex a “Botnet-as-a-service” because the authors of the malware configured a network of servers over which the infected computers communicate with command and control.
To initiate the attack, socially engineered spam email containing a Word or Excel attachment is sent to intended victims.
When the user opens the document, he/she is prompted to enable macros. When macros are enabled, a malicious file is dropped in the user’s temporary folder, which then connects to a remote server and retrieves a malicious executable file.
Once the machine is infected, Dridex steals the user’s credentials through keystroke logging and web injection. The malware can also upload, download, and run programs, spy on browsing activities and follow network traffic, and scan for other credentials that would supply more information about victims’ financial and banking activities.
Unlike similar malware, Dridex does not rely on vulnerabilities; a user has to actively initiate the infection
Dridex is massive in scale; since its introduction, sources have reported that more than 385 million email addresses, 300 financial institutions, and 100 systems have been compromised. By early 2016, Dridex was observed to have spread to more than 40 countries, including non-English speaking countries, and upgraded its capabilities to steal credit card information.
Get the DeMISTIfying InfoSec newsletter every Tuesday!