Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Dridex

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)
ID: S0384
Associated Software: Bugat v5
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 30 May 2019
Last Modified: 03 Aug 2023

Associated Software Descriptions

Name Description
Bugat v5 (Citation: Dell Dridex Oct 2015)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dridex has used POST requests and HTTPS for C2 communications.(Citation: Kaspersky Dridex May 2017)(Citation: Checkpoint Dridex Jan 2021)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Dridex has encrypted traffic with RC4.(Citation: Kaspersky Dridex May 2017)

.002 Encrypted Channel: Asymmetric Cryptography

Dridex has encrypted traffic with RSA.(Citation: Kaspersky Dridex May 2017)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Dridex can abuse legitimate Windows executables to side-load malicious DLL files.(Citation: Red Canary Dridex Threat Report 2021)

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Checkpoint Dridex Jan 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dridex can maintain persistence via the creation of scheduled tasks within system directories such as `windows\system32\`, `windows\syswow64,` `winnt\system32`, and `winnt\syswow64`.(Citation: Red Canary Dridex Threat Report 2021)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Dridex can use `regsvr32.exe` to initiate malicious code.(Citation: Red Canary Dridex Threat Report 2021)

Enterprise T1204 .002 User Execution: Malicious File

Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Checkpoint Dridex Jan 2021)

Groups That Use This Software

ID Name References
G0092 TA505

(Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) (Citation: IBM TA505 April 2020)

G0119 Indrik Spider

(Citation: Crowdstrike Indrik November 2018) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Treasury EvilCorp Dec 2019)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.