10/21/2016 | Bochum, Author: Eruel Ramos

Dridex - an old dog is learning new tricks

A lot of things have been said and written about Dridex in the past few months. It has risen and fallen in prevalence and it was rumored that its makers collaborate with the makers of Locky. Dridex is a well-known banking Trojan steals banking data through a Man-in-the-Browser attack (MITB-attack). In the latest version of Dridex, its infection methods have evolved and Dridex now uses a different technique to infect its victims which is based on the Powershell framework. Again, G DATA customers are protected; this latest variant is detected as Trojan.GenericKD.3599012 / Win32.Trojan-Spy.Dridex.AW. Additionally, G DATA's BankGuard technology will detect the activity of Dridex and prevent the damage it would cause otherwise.

Tried and tested infection vector


While Dridex's main monetarization vector remains unchanged, the criminals behind the recent campaigns not only changed the implementation of the first stage, they also upped their phishing game:  We have received a phishing email sample very recently which at first glance looked like a targeted attack against a user / organization.

At a second glace, however, the email is pretty generic, but in any case very well written. It turned out to be an example for a current campaign looking to spread malware, in this case, Dridex, via spam emails. As in earlier cases, Dridex is being delivered via a malicious word document attached to phishing emails. Those campaigns used a password protected attachment to evade detection and automated processing of the sample. This time, it is just a plain DOC file.

Downloading & running the payload

What is interesting about the word document attachment is that it does not contain any VBA macro code. Instead, it has a malicious VBS script (posing as another document) embedded in the document. The phishing technique uses social engineering to trick the user into opening the fake document to view its content. Once user falls for the trap and opens the VBS file, the malware will then start executing a PowerShell script. This VBS script uses codes that leverage the use of PowerShell commands. These commands are responsible for downloading and running the payload. PowerShell scripting became popular when the ‘Poweliks’ malware was discovered.

The Dridex payload will start the program spoolsv.exe and injects itself into this process. It will then connects to its first stage command and control server to request additional data and further instructions. Those instructions also tell Dridex on which banking website it should catch the credentials and other data. Subsequently, it injects itself into the process of popular browsers and waits for the user to visit the banking site Dridex was primed to monitor. G DATA’s BankGuard technology is able to detect and prevent further damage of Trojan-Spy Dridex. Bankguard technology focuses on banking spy malware and capable of identifying malicious transaction for most of banking Trojan.


While ransomware has taken center stage in terms of public attention to current threats, many other types of malwares are still flying 'under the radar', pretty much roaming freely, infecting and spreading without being noticed. Even though some news reports claim that members of the Dridex gang were arrested, their succession is secured. Others will pick up where the arrested individuals left off and continue the work; the arrested were part of the lower tier of the entire operation. While the overall number of infections with Locky is gradually falling, we are seeing Dridex slowly rising from what was perceived (for a while, anyway) as being his grave. 

IoC list & information for fellow researchers

Email attachments:





Embedded VBS script:





Known landing pages for payload download:





Dridex Payload:



C2 server (stage 1):



Share this article

G DATA | Trust in German Sicherheit