Dridex
Associated Software Descriptions

| Name | Description |
|---|---|
| Bugat v5 | (Citation: Dell Dridex Oct 2015) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Dridex has used POST requests and HTTPS for C2 communications. (Citation: Kaspersky Dridex May 2017) (Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Dridex has encrypted traffic with RC4. (Citation: Kaspersky Dridex May 2017) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Dridex has encrypted traffic with RSA. (Citation: Kaspersky Dridex May 2017) |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Dridex can abuse legitimate Windows executables to side-load malicious DLL files. (Citation: Red Canary Dridex Threat Report 2021) |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure. (Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Dridex can maintain persistence via the creation of scheduled tasks within system directories such as `windows\system32\`, `windows\syswow64`, `winnt\system32`, and `winnt\syswow64`. (Citation: Red Canary Dridex Threat Report 2021) |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Dridex can use `regsvr32.exe` to initiate malicious code. (Citation: Red Canary Dridex Threat Report 2021) |
| Enterprise | T1204.002 | User Execution: Malicious File | Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing. (Citation: Checkpoint Dridex Jan 2021) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0092 | TA505 | (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) (Citation: IBM TA505 April 2020) |
| G0119 | Indrik Spider | (Citation: Crowdstrike Indrik November 2018) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Treasury EvilCorp Dec 2019) |
References
- Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.
- Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
- U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.
- Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023.
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.