What is Dridex Malware?

Dridex is a Windows-focused banking trojan that has since expanded to include infostealing and botnet capabilities. According to Check Point Research’s 2023 Cyber Security Report, it was the fourth most prevalent malware variant in 2021. Dridex is primarily distributed via phishing and malspam campaigns.


How Does It Work?

The Dridex malware can be distributed in various ways. Common examples include phishing emails, exploit kits, and delivery as a second-stage infection by other malware families such as Emotet.

Once executed on an infected machine, Dridex uses process injection and hooking to capture screenshots and keystrokes. It can also collect information from web browsers, be remotely controlled by the attacker, and download and execute other malware. Frequently, Dridex uses web injection modules that conduct man-in-the-browser attacks, allowing the cybercriminals to steal credentials for banking accounts, email, and social media.

Evolution of Dridex Malware

The Dridex malware began as a banking trojan, collecting login credentials for online banking platforms from infected machines. While this continues to be a core part of its functionality, and most Dridex attacks are targeted at the financial services industry, it has expanded its capabilities in recent years.

Now, Dridex also incorporates infostealing and botnet capabilities, similar to TrickBot and Qbot. While the malware appears to be in decline compared to these competitors, it is still undergoing active development. In September 2021, a new variant of the malware was discovered that expanded the infostealing capabilities of the malware and was used in a new phishing campaign that delivered malicious Excel documents. Dridex was also a leader among malware taking advantage of the Log4j vulnerability in December 2021.

How to Protect Against Dridex Malware

Dridex combines the functionality of a banking trojan, botnet malware, and infostealer and is distributed in various ways. Some methods by which an organization can protect against a Dridex infection and manage its impacts include:

  • Anti-Phishing Protection: Dridex is primarily distributed via phishing campaigns within a malicious attachment. Preventing the malware from reaching corporate systems requires anti-phishing solutions that can analyze and identify the malware in a sandboxed environment before it reaches employees’ inboxes.
  • Content Disarm and Reconstruction (CDR): Often, Dridex is embedded within malicious documents using Microsoft Office macros. CDR enables malicious functionality to be excised from a document before the sanitized version is sent on to the intended recipient.
  • Update and Patch Management: In addition to phishing attacks, Dridex also spreads by exploiting unpatched vulnerabilities such as Log4j. Installing updates and patches promptly can help to protect vulnerable systems against exploitation and infection by Dridex.
  • Endpoint Detection and Response (EDR): Once present on a system, Dridex malware uses various techniques to steal sensitive information and perform other malicious functions. An EDR solution can identify these actions and start the process of remediating the infection.
  • Multi-Factor Authentication (MFA): Dridex malware is designed to take over employees’ accounts by stealing their login credentials from a compromised computer. Enforcing the use of MFA throughout the enterprise makes it more difficult for an attacker to use the credentials stolen by the malware.
  • Least Privilege Access: A successful Dridex attack leaves the attacker in control of one or more corporate accounts. If an organization has followed zero trust principles and implemented least privilege, the impact of these compromised accounts is minimized.
  • Account Behavior Monitoring: If an attacker gains access to corporate accounts, they will abuse this access to carry out their goals. Monitoring the behavior of corporate accounts can allow an organization to detect anomalies that could point to a compromised account.
  • Employee Security Training: Phishing campaigns, like the ones used to spread Dridex, rely on tricking the recipient into executing the malware. Training employees to recognize and properly respond to phishing attacks reduces the risk that these pose to corporate cybersecurity.
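As an added illustration of the Content Disarm and Reconstruction step above (example code written for this page, not Check Point's product), the following Python removes the VBA project from a macro-enabled Excel workbook of the kind used in the malicious-document campaigns described here. The sample workbook is constructed inline and contains no real macro; the script drops the compiled VBA part, the relationship that wires it into the workbook, and the content-type entries that declare it, so the result is a plain, macro-free .xlsx.

```python
import io
import re
import zipfile

# Constructed minimal macro-enabled workbook (not a real Dridex sample): the VBA project, the relationship to it, and the content types declaring it.
SAMPLE_PARTS = {
    "[Content_Types].xml":
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>',
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": "constructed stand-in for compiled VBA, not real code",
    "xl/_rels/workbook.xml.rels":
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="vbaProject.bin" '
        'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/></Relationships>',
}
MACRO_MAIN = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

def build_sample_workbook() -> bytes:
    """Pack the constructed parts into an OOXML zip container (an .xlsm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in SAMPLE_PARTS.items():
            z.writestr(name, body)
    return buf.getvalue()

def has_macros(doc: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(doc)) as z:  # any vbaProject.bin part means macros
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())

def read_part(doc: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(doc)).read(name)  # inspect one package part

def strip_macros(doc: bytes) -> bytes:
    """Rebuild the package without the VBA project and without any reference to it."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, zipfile.ZipFile(out, "w") as dst:
        # skip the compiled VBA itself and rewrite the parts that reference it
        for name in (n for n in src.namelist() if not n.lower().endswith("vbaproject.bin")):
            data = src.read(name)
            if name.endswith(".rels"):  # unlink the VBA project from the workbook
                data = re.sub(rb"<Relationship [^>]*vbaProject[^>]*/>", b"", data)
            elif name == "[Content_Types].xml":  # declare a plain, macro-free workbook
                data = re.sub(rb"<Default [^>]*vbaProject[^>]*/>", b"", data)
                data = data.replace(MACRO_MAIN, PLAIN_MAIN)
            dst.writestr(name, data)
    return out.getvalue()
```

This covers only VBA in OOXML (.xlsm/.docm) packages; legacy OLE2 files (.xls/.doc) and Excel 4.0 macro sheets need separate handling, and a production sanitizer should edit the XML with a parser rather than regular expressions.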

How Can Dridex Malware Be Removed?

Dridex is a sophisticated malware designed to evade detection and be difficult to remove. Failing to completely eradicate the malware from an infected system could result in reinfection. For this reason, the best way to remove Dridex malware is using an endpoint security solution. These tools can ensure that the malware is completely eliminated from an infected computer.

Dridex Detection and Protection with Check Point

Dridex poses a significant threat to enterprise data and cybersecurity with its infostealer, banking trojan, and botnet functionality. To learn more about Dridex and the other leading malware threats that organizations face, check out the 2022 Cybersecurity Report by Check Point Research.

Protecting against Dridex and other malware requires strong endpoint security that can identify novel and emerging threats. Learn more about how Harmony Endpoint can help to protect your organization’s devices by requesting a free demo.
