New Dridex Variants Achieve High Infection Rate Using Poisoned Docs

The infamous Dridex banking Trojan recently surfaced again in spam campaign runs that have managed to achieve a high infection rate, security companies ESET and Trend Micro warn.

The Dridex malware, a successor of the Trojan known as Cridex, Feodo and Bugat, has been around since last year, often spread through infected Word and Excel documents sent as attachments to spam emails, which prompt users to enable macros to access their contents.

This technique has been used to spread Dridex in the past (and other malware as well), and it appears that the cybercriminals behind the malware continue to rely on it, targeting both end-users and financial institutions with their spam emails. Once a user executes the infected file, Dridex infects the system and adds it to a botnet controlled by the attackers, who can then steal personal and financial information.

ESET researchers report that a new Dridex campaign is targeting users in European countries such as Spain and Slovakia, and that people in South Africa are also targeted. Trend Micro, on the other hand, says that new campaigns are infecting users worldwide, with the largest number of victims observed in the United States (23.47 percent), United Kingdom (14.39 percent), France (14.26 percent), and Australia (13.91 percent).

Following a massive effort from law enforcement authorities in the United States and Europe in the past months, the Dridex botnet was supposedly disrupted in mid-October when servers used in the network were seized. In August, authorities arrested Andrey Ghinkul, who was identified as one of the Dridex botnet administrators.

However, because the Dridex network was built as a hybrid of a centralized and a decentralized network, partitioned into multiple sub-botnets and using a peer-to-peer (P2P) network for communications, the Trojan reappeared only days after the supposed takedown. Two Dridex campaigns were spotted a couple of days after the takedown, aimed at users in France and the United Kingdom.

New discoveries made by ESET and Trend Micro suggest that the cybercriminals behind the Dridex botnet only needed a few weeks to test the stability of the network and to reinitiate their infection operations. While the new campaigns appear to lack the strength of the previous Dridex infections, they are expected to grow through additional spam campaign runs.


According to ESET, the attackers behind Dridex were very active in September and October, and continued to be so in November as well, with one new malware variant observed peaking on November 13 and November 16. Trend Micro says that 10 new malware variants have been observed since November 13, when a new infection campaign started.

The observed campaigns share one trait: the spam emails are sent in English. While it would make little sense for a user in Spain, France, or Germany to open an email in English, chances are that they will, regardless of what it contains or where it came from, out of pure curiosity. The attackers appear to rely on this behavior to ensure the success of their campaign.

According to Trend Micro, the new spam campaign run has the same ID or segment used to spread Dridex since last year, meaning that the botnet was not totally taken down last month. Furthermore, the security firm notes that the new malware variants use complex obfuscation and indirect-call coding techniques similar to those seen in variants spotted in the past.

One thing that is not yet clear is whether the new Dridex strains contain code for sending emails. If they do, it would show that the actors behind the botnet are trying to bring the entire Dridex infection chain full circle, which could result in more and wider spam campaigns spreading the infection.

The new findings are in line with what Kevin Epstein, VP of Threat Operations at Proofpoint, told SecurityWeek last month, only a few days after authorities announced that Dridex was taken down. He suggested that the email distribution botnet, other C&C networks, and the Dridex malware itself might not have been impacted by the mid-October takedown.

“Since Dridex has been a successful tool for attackers to steal credentials for banking, CRM, supply chain, and intellectual property repositories, it seems likely that attackers will keep using it,” Epstein said.

The Dridex malware is estimated to have caused financial losses of around $40 million in the United States and the United Kingdom alone (namely $10 million in the U.S. and $30 million in the U.K.). As the masterminds behind the malware appear to be regrouping and restarting their criminal activity, users are advised to exercise extra caution when opening emails and to disable the option to run macros in Word and Excel, unless they do require them for their work.
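Beyond the user-side advice above, a mail gateway can flag macro-bearing Office attachments before they reach an inbox. The following is an added example, not code from ESET, Trend Micro or SecurityWeek: the part and storage names it inspects are the standard Office container layout, and the sample documents it builds are constructed stubs rather than real files.

```python
"""Heuristic VBA-macro check for triaging Office attachments at a mail gateway.
OOXML (.docm/.xlsm or a renamed .docx) is a ZIP whose macro project is a part
named vbaProject.bin; legacy OLE2 (.doc/.xls) is a compound file whose
directory holds a 'Macros' (Word) or '_VBA_PROJECT_CUR' (Excel) storage,
with names stored as UTF-16LE, so the raw bytes are scanned for them."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes appear to carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        # A macro-free .doc/.xls has no Macros or _VBA_PROJECT_CUR storage.
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False
        # Test the part name, not the file extension: a renamed .docm still runs.
        return any(name.endswith("vbaProject.bin") for name in names)
    return False


def triage_attachments(attachments):
    """Return the names of (name, bytes) attachments to hold for review."""
    return [name for name, data in attachments if has_vba_macros(data)]


# Constructed samples (no real document content) used to exercise the checks.
def build_sample_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_macro: bool) -> bytes:
    # Only the header magic plus the directory-name bytes the heuristic inspects.
    marker = "Macros".encode("utf-16-le") if with_macro else b""
    return OLE_MAGIC + b"\x00" * 24 + marker
```

The OLE branch is a byte-scan heuristic and can produce false positives on documents containing UTF-16 text; for production triage, a full parser such as olevba from the oletools project is the appropriate tool.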
