In a Quest for Dridex Malware

To reach their evil goals, hackers are sending waves of malspam to targeted victims. Numerous strains of Dridex malware flatten out institutions and customers of the financial sector, and a new iteration of Dridex attack was noticed again after a period of inactivity earlier this month, Unit 42 reports.

About Dridex Attacks

First malspam attacks delivering Dridex trojan (also known as Cridex or Burgat) were spotted back in 2012, and within several years the malware established itself as one of the most predominating trojans targeting the financial sector. Dridex spyware attacks are focused on EU and Asia-Pacific regions and high-income organizations.

Phishing emails are deliberately compiled – professional language and terminology, along with messages requiring immediate attention, lure victims to go into the trap that looks like legitimate business email addresses. Dridex attack malspam delivers an attachment that may include names of financial records, that contains obfuscated macros. Once enabled, the malicious macros triggers download of banking trojan which would harvest credentials and then perform fraud financial transactions.

Picture by Spambrella:

Last year, the US Department of Justice brought charges against Russian nationals who stood behind creation of the Dridex malware and were leading criminal activities that delivered them about $100 million.

Dridex Malware Prevention and Detection

The malware is active and dangerous for bank institutions and their clients, as phishing emails is a path of least resistance to deliver malicious code to a victim. The mature behavior of company’s personnel drastically decreases chances to infect the system with Dridex trojan.

Check the “Dridex activity” community Sigma rule by Osman Demir to detect the latest Dridex attack in your system

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint


The rule covers the Spearphishing Attachment (T1193) technique of the Initial Access tactics, and the User Execution (T1204) technique of the Execution tactics according to MITRE ATT&CK methodology.

More threat detection content on Dridex Attacks here

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.