The Dridex Banking Trojan is a part of a family of Trojans classified as “banking trojans“. An article describing the Dridex Trojan and some of its inner-workings were published by TrendMicro in November of 2014.
However, I have recently been alerted of a phishing campaign targeting my organization in which multiple e-mails were intercepted, with ZIP archive attachments. These ZIP archives, as well as the overall e-mail, fit the description of a typical Dridex phishing e-mail; describing a financial issue, in this case, the failure of an ACH (Automated Clearing House) Payment. The ZIP archive was named to manipulate the user into believing that it contained information regarding this “failed transaction.”
Within this ZIP archive was a single Microsoft Word document; while I did not bother to look for any actual content within the Word document, I did know that the document contained embedded Macros. Macros allow users to embed VisualBasic scripts within Microsoft Office documents. These can be used, and were of course intended to be used for legitimate purposes, but are commonly utilized by malware authors to trick unsuspecting users into launching nefarious code that performs actions that lead to the compromise of their device.
As TrendMicro reported in their November 2014 article:
“The appearance of DRIDEX comes a couple of years after CRIDEX’s entry into the threat landscape. Both CRIDEX and DRIDEX steal personal information, specifically data related to online banking. DRIDEX is consider as the successor because it uses a new way to steal information–via HTML injections.
However, there is a major difference between the two. CRIDEX malware is one of the payloads associated with exploit kit spam attacks. DRIDEX, on the other hand, relies on spam to deliver Microsoft Word documents containing malicious macro code. The macro code downloads DRIDEX onto the affected system.”
As evidenced by my analysis and the e-mail alone, this description remains accurate, at least in the case of DRIDEX’s [primary] method of infection.
The detailed analysis is available in the following document:
About the Author Michael Fratello
Edited by Pierluigi Paganini
(Security Affairs – Dridex, malware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.