Dridex Malware

Dridex malware (AKA Bugat and Cridex) is classified as an infostealer and trojan with sophisticated botnet capabilities, making it a highly profitable Malware as a Service (MaaS) enterprise for the Evil Corp cyber-criminal group. The size of Dridex's botnet distinguishes it as one of the most active malware strains in the global threat environment.

Dridex has a long and storied history and spawned from the same origins as Emotet: Both originated as the prolific banking trojan malware Zeus first identified in 2006 and publicly leaked as source code in 2011. The first version of Dridex emerged alongside Emtotet in 2014 from the ashes of an FBI operation attempting to take down a Russian hacker group, Business Club. Dridex still uses some of the source code from Zeus and follows in the footsteps of Zeus by consolidating its victims into a global zombie botnet. 

The global Dridex botnet is segmented into blocks and rented out to Evil Corp affiliates who use the botnet to spread phishing and malspam to grow the botnet and launch ransomware attacks—usually by importing BitPaymer ransomware, another product of Evil Corp. Evil Corp affiliates pay a flat monthly fee per block of zombie bots and reportedly return half of any extorted ransom to Evil Corp. The Dridex botnet-based MaaS model has generated Evil Corp over $100 million of illicit profit and although the US Department of Justice and FBI charged two Russians with hacking and bank fraud in 2019, no arrests have been made despite a $3 million reward.

Dridex's first-stage attacks are typically deployed in phishing and malspam campaigns that use a password-protected Microsoft Office document containing a malicious VBA macro but are distributed in other formats. Once it has compromised a victim, Dridex leverages its modular design to import components depending on what task the operator wants the infected system to perform.

Dridex's second-stage tactics include:

• Maintaining persistence by injecting calls to its executable into Windows scheduled tasks and Autorun registry keys 
• Acting as a spam bot for attackers to operate phishing and malspam campaigns remotely, effectively protecting the attackers' identity
• Stealing and exfiltrating passwords and email data from 100s of applications
• Using multiple different web injection techniques to infect browsers and steal login data and multi-factor-authentication (MFA) tokens and session tokens from banking and crypto-currency websites
• Using various combinations of protocols to evade firewalls; usually, TCP/HTTP to mask its communications as regular internet traffic, but also UDP streaming protocol and Secured Over Credential-Based Kerberos Services (SOCKS) to proxy connections
• Installing VNC modules to gain remote desktop connections
• Surveillance capabilities such as exfiltrating keystrokes and screenshots
• Attacking malware research environments by erasing the master boot record (MBR) to disable the system

Dridex's most impressive ability is its advanced peer-to-peer (P2P) botnet capabilities comprising several hierarchical layers of infrastructure and multi-hop proxy chains. This architecture makes it difficult to identify the further-most backend command and control (C2) source as intermediate C2 front-ends to communicate directly with compromised local master nodes that, in turn, manage a group of local zombie bots. This tiered infrastructure also effectively reduces the traffic that needs to go through the network perimeter by maintaining local caches of modules.

Dridex has also introduced several never-seen techniques that have contributed to its success, such as AtomBombing, which injects and executes code into another process without using standard API calls used by malware. Instead, AtomBombing hijacks Windows "atom tables," memory locations where an application temporarily stores functions. Dridex pioneered the AtomBombing technique, stealthily injecting its commands.

Protecting against Dridex requires a strong enterprise cybersecurity program, including endpoint security that detects and blocks novel techniques. The following are defensive tactics for mitigating a Dridex attack:

• Ensure Office applications are configured to disable all macros without notification or disable all except digitally signed macros settings 
• Pay special attention to warning notifications in email clients and Office applications that can alert you to suspicious contexts, such as files that have not been scanned for malware or contain VBA macros
• Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
• Configure email clients to notify users when emails originate from outside the organization
• Implement a reliable backup strategy with well-protected offline backups and practice disaster recovery procedures to ensure target mean-time-to-recovery (MTTR) targets can be met
• Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites
• Conduct regular vulnerability scanning and penetration testing of all network infrastructure and remediate any discovered vulnerabilities as soon as possible
• Install and configure endpoint security products that scan encrypted documents immediately after they are unencrypted
• Install and maintain fully updated intrusion detection and prevention (IDS/IPS) security appliances to detect abnormal network behavior