{ "tid": 68, "threat": "Dridex", "category": "malware", "othernames": [ "Bugat", "Bugat v5", "Cridex", "Feodo" ], "risk": "high", "description": "[Dridex](https:\/\/attack.mitre.org\/software\/S0384) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https:\/\/attack.mitre.org\/software\/S0384) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https:\/\/attack.mitre.org\/software\/S0384) was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)", "notes": null, "wikisummary": "", "wikireference": "", "retired": null, "stamp_added": "2017-10-18 22:50:47", "stamp_updated": "2026-04-13 02:46:26", "stamp_seen": "2026-03-04 19:44:59", "stamp_retired": null, "updated_last_domain": null, "related": [ { "tid": 1174, "name": "Indrik Spider", "category": "group", "risk": "unknown", "stamp_linked": "2022-02-21 05:28:05" }, { "tid": 436, "name": "SocGholish", "category": "malware", "risk": "unknown", "stamp_linked": "2023-11-11 19:47:54" }, { "tid": 1304, "name": "TA505", "category": "group", "risk": "unknown", "stamp_linked": "2022-02-21 05:28:06" } ], "attributes": { "tactic": [ "Collection", "Command And Control", "Defense Evasion", "Discovery", "Execution" ], "technique": [ "Asymmetric Cryptography", "Browser Session Hijacking", "DLL Side-Loading", "Malicious File", "Multi-hop Proxy", "Native API", "Obfuscated Files or Information", "Proxy", "Regsvr32", "Remote Access Software", "Scheduled Task", "Software Discovery", "Symmetric Cryptography", "System Information Discovery", "Web Protocols" ], "technology": [ "Windows" ] }, "ttps": { "Collection": [ "Browser Session Hijacking" ], "Command And Control": [ "Proxy", "Multi-hop Proxy", "Remote Access Software", "Asymmetric Cryptography", "Symmetric Cryptography", "Web Protocols" ], "Defense Evasion": [ "Regsvr32", "Native API", "DLL Side-Loading", "Obfuscated Files or Information" ], "Discovery": [ "System Information Discovery", "Software Discovery" ], "Execution": [ "Native API", "Regsvr32", "Malicious File", "Scheduled Task" ], "Persistence": [ "DLL Side-Loading", "Scheduled Task" ], "Privilege Escalation": [ "DLL Side-Loading", "Scheduled Task" ] }, "news": [ { "title": "Dridex | MITRE ATT&CK\u00ae", "channel": "MITRE ATT&CK\u00ae", "icon": "https:\/\/attack.mitre.org\/theme\/favicon.ico", "link": "https:\/\/attack.mitre.org\/software\/S0384", "stamp": null, "primary": 1 }, { "title": "INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware", "channel": "Crowdstrike EvilCorp March 2021", "icon": "https:\/\/www.crowdstrike.com\/etc.clientlibs\/crowdstrike\/clientlibs\/crowdstrike-common\/resources\/favicon.ico", "link": "https:\/\/www.crowdstrike.com\/blog\/hades-ransomware-successor-to-indrik-spiders-wastedlocker\/", "stamp": null, "primary": 1 }, { "title": "Threat Actor Profile: TA505, From Dridex to GlobeImposter | Proofpoint US", "channel": "Proofpoint TA505 Sep 2017", "icon": "https:\/\/www.proofpoint.com\/themes\/custom\/proofpoint\/apps\/drupal\/favicon.ico", "link": "https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/threat-actor-profile-ta505-dridex-globeimposter", "stamp": null, "primary": 1 }, { "title": "Dridex (Bugat v5) Botnet Takeover Operation | Secureworks", "channel": "Dell Dridex Oct 2015", "icon": "https:\/\/www.secureworks.com\/favicon.ico", "link": "https:\/\/www.secureworks.com\/research\/dridex-bugat-v5-botnet-takeover-operation", "stamp": null, "primary": 1 }, { "title": "Dridex - Red Canary Threat Detection Report", "channel": "Red Canary Dridex Threat Report 2021", "icon": "https:\/\/redcanary.com\/wp-content\/themes\/redcanary\/assets\/img\/favicon.ico", "link": "https:\/\/redcanary.com\/threat-detection-report\/threats\/dridex\/", "stamp": null, "primary": 1 }, { "title": "Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware", "channel": "Crowdstrike Indrik November 2018", "icon": "https:\/\/www.crowdstrike.com\/etc.clientlibs\/crowdstrike\/clientlibs\/crowdstrike-common\/resources\/favicon.ico", "link": "https:\/\/www.crowdstrike.com\/blog\/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware\/", "stamp": null, "primary": 1 }, { "title": "Stopping Serial Killer: Catching the Next Strike - Check Point Research", "channel": "Checkpoint Dridex Jan 2021", "icon": "https:\/\/research.checkpoint.com\/wp-content\/uploads\/2022\/10\/cropped-pavicon_CPR-03-e1666694691376-32x32.png", "link": "https:\/\/research.checkpoint.com\/2021\/stopping-serial-killer-catching-the-next-strike\/", "stamp": null, "primary": 1 }, { "title": "TA505 shifts with the times | Proofpoint US", "channel": "Proofpoint TA505 June 2018", "icon": "https:\/\/www.proofpoint.com\/themes\/custom\/proofpoint\/apps\/drupal\/favicon.ico", "link": "https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/ta505-shifts-times", "stamp": null, "primary": 1 }, { "title": "Dridex: A History of Evolution | Securelist", "channel": "Kaspersky Dridex May 2017", "icon": "https:\/\/securelist.com\/wp-content\/themes\/securelist2020\/assets\/images\/favicons\/favicon-192x192.png", "link": "https:\/\/securelist.com\/dridex-a-history-of-evolution\/78531\/", "stamp": null, "primary": 1 }, { "title": "Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware | U.S. Department of the Treasury", "channel": "Treasury EvilCorp Dec 2019", "icon": "https:\/\/home.treasury.gov\/sites\/default\/files\/favicon_1.png", "link": "https:\/\/home.treasury.gov\/news\/press-releases\/sm845", "stamp": null, "primary": 1 }, { "title": "TA505 Continues to Infect Networks With SDBbot RAT", "channel": "IBM TA505 April 2020", "icon": "https:\/\/securityintelligence.com\/wp-content\/themes\/sapphire\/images\/favicon.ico", "link": "https:\/\/securityintelligence.com\/posts\/ta505-continues-to-infect-networks-with-sdbbot-rat\/", "stamp": "2020-04-14 10:00:27", "primary": 1 }, { "title": "Dridex targets MacOS users with a new delivery technique", "channel": "Reddit - \/r\/InfoSecNews", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/106ux4r\/dridex_targets_macos_users_with_a_new_delivery\/", "stamp": "2023-01-08 21:30:47", "primary": 0 }, { "title": "Dridex targets MacOS users with a new delivery technique", "channel": "Security Affairs", "icon": "https:\/\/securityaffairs.co\/favicon.ico", "link": "https:\/\/securityaffairs.com\/140488\/malware\/dridex-banking-malware-macos.html", "stamp": "2023-01-08 14:32:15", "primary": 0 }, { "title": "Dridex Returns, Targets MacOS Using New Entry Method", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/105xi97\/dridex_returns_targets_macos_using_new_entry\/", "stamp": "2023-01-07 19:35:18", "primary": 0 }, { "title": "Dridex malware pops back up and turns its attention to macOS", "channel": "The Register", "icon": "https:\/\/www.theregister.com\/design_picker\/4ee431b84ac2d23c13376f753522acd7ecbb9b47\/graphics\/favicons\/apple-touch-icon.png", "link": "https:\/\/go.theregister.com\/feed\/www.theregister.com\/2023\/01\/06\/dridex_macos_microsoft_malware\/", "stamp": "2023-01-06 15:30:06", "primary": 0 }, { "title": "Dridex Malware Now Attacking macOS Systems with Novel Infection Method", "channel": "The Hacker News", "icon": "https:\/\/thehackernews.com\/favicon.ico", "link": "https:\/\/thehackernews.com\/2023\/01\/dridex-malware-now-attacking-macos.html", "stamp": "2023-01-06 13:46:00", "primary": 0 }, { "title": "User Documents Overwritten With Malicious Code in Recent Dridex Attacks on macOS", "channel": "SecurityWeek", "icon": "https:\/\/www.securityweek.com\/sites\/default\/files\/securityweek_favicon.ico", "link": "https:\/\/www.securityweek.com\/user-documents-overwritten-malicious-code-recent-dridex-attacks-macos", "stamp": "2023-01-06 12:19:00", "primary": 0 }, { "title": "Dridex Returns, Targets MacOS Using New Entry Method", "channel": "TrendMicro - Simply Security", "icon": "https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/favicon.ico", "link": "https:\/\/www.trendmicro.com\/en_us\/research\/23\/a\/-dridex-targets-macos-using-new-entry-method.html", "stamp": "2023-01-05 00:00:00", "primary": 0 }, { "title": "New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers", "channel": "The Hacker News", "icon": "https:\/\/thehackernews.com\/favicon.ico", "link": "https:\/\/thehackernews.com\/2022\/09\/new-evidence-links-raspberry-robin.html", "stamp": "2022-09-02 07:00:00", "primary": 0 }, { "title": "Raspberry Robin and Dridex: Two Birds of a Feather", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/x3f1s2\/raspberry_robin_and_dridex_two_birds_of_a_feather\/", "stamp": "2022-09-01 18:37:11", "primary": 0 }, { "title": "Raspberry Robin and Dridex: Two Birds of a Feather", "channel": "SecurityIntelligence", "icon": "https:\/\/securityintelligence.com\/wp-content\/themes\/sapphire\/images\/favicon.ico", "link": "https:\/\/securityintelligence.com\/posts\/raspberry-robin-worm-dridex-malware\/", "stamp": "2022-09-01 16:20:00", "primary": 0 }, { "title": "VehApiResolve: Inspired by Dridex Loader's 32 bit API obfuscation - uses Vectored Exception Handlers on Windows (the hook for detection) to resolve APIs to avoid EDR detection", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/wi91k4\/vehapiresolve_inspired_by_dridex_loaders_32_bit\/", "stamp": "2022-08-07 06:33:17", "primary": 0 }, { "title": "Crooks are using RIG Exploit Kit to push Dridex instead of Raccoon stealer", "channel": "Reddit - \/r\/InfoSecNews", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/vi3a6a\/crooks_are_using_rig_exploit_kit_to_push_dridex\/", "stamp": "2022-06-22 11:45:16", "primary": 0 }, { "title": "Crooks are using RIG Exploit Kit to push Dridex instead of Raccoon stealer", "channel": "Security Affairs", "icon": "https:\/\/securityaffairs.co\/favicon.ico", "link": "https:\/\/securityaffairs.co\/wordpress\/132498\/malware\/rig-exploit-kit-dridex.html", "stamp": "2022-06-22 09:21:23", "primary": 0 }, { "title": "RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer", "channel": "The Hacker News", "icon": "https:\/\/thehackernews.com\/favicon.ico", "link": "https:\/\/thehackernews.com\/2022\/06\/rig-exploit-kit-now-infects-victims-pcs.html", "stamp": "2022-06-22 05:41:58", "primary": 0 }, { "title": "RIG Exploit Kit Replaces Raccoon Stealer Trojan With Dridex", "channel": "DarkReading", "icon": "https:\/\/www.darkreading.com\/favicon.ico", "link": "https:\/\/www.darkreading.com\/attacks-breaches\/rig-exploit-kit-replaces-raccoon-stealer-trojan-with-dridex", "stamp": "2022-06-21 20:35:30", "primary": 0 }, { "title": "ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat", "channel": "Malwarebytes Labs", "icon": "https:\/\/blog.malwarebytes.com\/wp-content\/themes\/mb-labs-theme\/images\/favicon\/apple-touch-icon-57x57.png", "link": "https:\/\/blog.malwarebytes.com\/threat-analysis\/2022\/06\/asyncrat-surpasses-dridex-trickbot-and-emotet-to-become-dominant-email-threat\/", "stamp": "2022-06-09 14:18:13", "primary": 0 }, { "title": "Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies", "channel": "Reddit - \/r\/InfoSecNews", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/utqg3m\/weaponization_of_excel_addins_part_2_dridex\/", "stamp": "2022-05-20 09:45:50", "primary": 0 }, { "title": "Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies", "channel": "Unit 42 - Palo Alto Networks", "icon": "https:\/\/unit42.paloaltonetworks.com\/wp-content\/themes\/unit42-v5\/favicon\/icon-Unit42-180x180.png", "link": "https:\/\/unit42.paloaltonetworks.com\/excel-add-ins-dridex-infection-chain\/", "stamp": "2022-05-19 19:00:52", "primary": 0 }, { "title": "Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?", "channel": "Reddit - \/r\/InfoSecNews", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/t0noe9\/sophos_linked_entropy_ransomware_to_dridex\/", "stamp": "2022-02-24 22:45:18", "primary": 0 }, { "title": "Dridex bots deliver Entropy ransomware in recent attacks", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/szn380\/dridex_bots_deliver_entropy_ransomware_in_recent\/", "stamp": "2022-02-23 17:37:02", "primary": 0 }, { "title": "Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp?", "channel": "Security Affairs", "icon": "https:\/\/securityaffairs.co\/favicon.ico", "link": "https:\/\/securityaffairs.co\/wordpress\/128323\/cyber-crime\/entropy-ransomware-dridex-link.html?utm_source=rss&utm_medium=rss&utm_campaign=entropy-ransomware-dridex-link", "stamp": "2022-02-23 15:57:05", "primary": 0 }, { "title": "Entropy ransomware linked to Dridex malware downloader", "channel": "Bleeping Computer", "icon": "https:\/\/www.bleepstatic.com\/favicon\/bleeping.ico", "link": "https:\/\/www.bleepingcomputer.com\/news\/security\/entropy-ransomware-linked-to-dridex-malware-downloader\/", "stamp": "2022-02-23 13:34:17", "primary": 0 }, { "title": "Entropy ransomware linked to Evil Corp's Dridex malware", "channel": "Bleeping Computer", "icon": "https:\/\/www.bleepstatic.com\/favicon\/bleeping.ico", "link": "https:\/\/www.bleepingcomputer.com\/news\/security\/entropy-ransomware-linked-to-evil-corps-dridex-malware\/", "stamp": "2022-02-23 13:34:17", "primary": 0 }, { "title": "Dridex Malware Deploying Entropy Ransomware on Hacked Computers", "channel": "The Hacker News", "icon": "https:\/\/thehackernews.com\/favicon.ico", "link": "https:\/\/thehackernews.com\/2022\/02\/dridex-malware-deploying-entropy.html", "stamp": "2022-02-23 13:01:46", "primary": 0 }, { "title": "Omicron-themed phishing attacks spread Dridex and taunt with funeral helpline", "channel": "Reddit - \/r\/InfoSecNews", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/rp6kli\/omicronthemed_phishing_attacks_spread_dridex_and\/", "stamp": "2021-12-26 21:45:27", "primary": 0 }, { "title": "Dridex affiliate dresses up as Scrooge", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/rngypn\/dridex_affiliate_dresses_up_as_scrooge\/", "stamp": "2021-12-24 07:26:01", "primary": 0 }, { "title": "Dridex affiliate dresses up as Scrooge", "channel": "Malwarebytes Labs", "icon": "https:\/\/blog.malwarebytes.com\/wp-content\/themes\/mb-labs-theme\/images\/favicon\/apple-touch-icon-57x57.png", "link": "https:\/\/blog.malwarebytes.com\/threat-intelligence\/2021\/12\/dridex-affiliate-dresses-up-as-scrooge\/", "stamp": "2021-12-23 23:36:15", "primary": 0 }, { "title": "DRIDEX: Analysing API Obfuscation Through VEH", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/qyytm2\/dridex_analysing_api_obfuscation_through_veh\/", "stamp": "2021-11-21 16:42:58", "primary": 0 }, { "title": "Proofpoint unearths the use of Squid Game as lure by TA575 to distribute Dridex malware \u2013 ITP.net", "channel": "Proofpoint", "icon": "https:\/\/www.darkreading.com\/favicon.ico", "link": "https:\/\/www.proofpoint.com\/us\/newsroom\/news\/proofpoint-unearths-use-squid-game-lure-ta575-distribute-dridex-malware-itpnet", "stamp": "2021-11-07 12:40:18", "primary": 0 }, { "title": "Reverse Engineering Dridex", "channel": "Curated Intelligence", "icon": null, "link": "https:\/\/www.curatedintel.org\/2021\/10\/reverse-engineering-dridex.html", "stamp": "2021-10-31 12:32:07", "primary": 0 }, { "title": "2021-10-13 - Malspam-based Dridex activity", "channel": "Malware-Traffic-Analysis.net", "icon": null, "link": "https:\/\/www.malware-traffic-analysis.net\/2021\/10\/13\/index.html", "stamp": "2021-10-29 00:48:00", "primary": 0 }, { "title": "D3T3CT to PRoT3CT\u200a\u2014\u200aDridex Malware", "channel": "Medium - Cybersecurity", "icon": "https:\/\/medium.com\/favicon.ico", "link": "https:\/\/medium.com\/@adithyachandra\/d3t3ct-to-prot3ct-dridex-malware-1b3df709ed85?source=rss------cybersecurity-5", "stamp": "2021-10-14 12:01:37", "primary": 0 }, { "title": "New Dridex Variant Being Spread By Crafted Excel Document", "channel": "Reddit - \/r\/blueteamsec", "icon": "https:\/\/www.redditstatic.com\/desktop2x\/img\/favicon\/apple-icon-57x57.png", "link": "https:\/\/www.reddit.com\/r\/blueteamsec\/comments\/pmoybc\/new_dridex_variant_being_spread_by_crafted_excel\/", "stamp": "2021-09-12 08:28:21", "primary": 0 }, { "title": "New Dridex Variant Being Spread By Crafted Excel Document", "channel": "Fortinet - Threat Research", "icon": "https:\/\/www.fortinet.com\/etc\/designs\/fortinet-blog\/favicon.ico", "link": "http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/mcw0D7N48PE\/new-dridex-variant-being-spread-by-crafted-excel-document", "stamp": "2021-09-10 07:00:00", "primary": 0 }, { "title": "When Dridex and Cobalt Strike give you Grief", "channel": "Red Canary", "icon": "https:\/\/redcanary.com\/wp-content\/themes\/redcanary\/assets\/img\/favicon.ico", "link": "https:\/\/redcanary.com\/blog\/grief-ransomware\/", "stamp": "2021-08-05 16:59:08", "primary": 0 }, { "title": "$4,000 COVID-19 \u2018Relief Checks\u2019 Cloak Dridex Malware", "channel": "Threatpost", "icon": "https:\/\/threatpost.com\/wp-content\/themes\/threatpost-2018\/assets\/images\/favicon\/apple-touch-icon.png", "link": "https:\/\/threatpost.com\/covid-19-relief-checks-dridex-malware\/164853\/", "stamp": "2021-03-17 17:04:27", "primary": 0 }, { "title": "\u201cAmerican Rescue Plan\u201d Used as Theme in Phishing Lures Dropping Dridex", "channel": "Cofense Blog", "icon": null, "link": "https:\/\/cofensestaging.wpengine.com\/blog\/american-rescue-plan-phish\/", "stamp": "2021-03-16 14:00:03", "primary": 0 }, { "title": "\u201cAmerican Rescue Plan\u201d Used as Theme in Phishing Lures Dropping Dridex", "channel": "Cofense Blog", "icon": "https:\/\/qhf0l1i8l8u25b2354fr8h39-wpengine.netdna-ssl.com\/wp-content\/uploads\/2018\/02\/cropped-Cofense-Favicon_512x512.png", "link": "https:\/\/cofense.com\/blog\/american-rescue-plan-phish\/", "stamp": "2021-03-16 14:00:03", "primary": 0 }, { "title": "Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts", "channel": "SecurityIntelligence", "icon": "https:\/\/securityintelligence.com\/wp-content\/themes\/sapphire\/images\/favicon.ico", "link": "https:\/\/securityintelligence.com\/posts\/dridex-campaign-propelled-by-cutwail-botnet-and-powershell\/", "stamp": "2021-03-11 16:53:19", "primary": 0 }, { "title": "Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts", "channel": "SecurityIntelligence", "icon": "https:\/\/securityintelligence.com\/wp-content\/themes\/sapphire\/images\/favicon.ico", "link": "https:\/\/securityintelligence.com\/dridex-campaign-propelled-by-cutwail-botnet-and-powershell\/", "stamp": "2021-03-11 16:53:19", "primary": 0 }, { "title": "2020-12-24 (Thursday) - Dridex infection example", "channel": "Malware-Traffic-Analysis.net", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/12\/24\/index.html", "stamp": "2020-12-28 00:09:00", "primary": 0 }, { "title": "Amazon Gift Card Scam Delivers Dridex This Holiday Season", "channel": "Reddit - \/r\/InfoSecNews", "icon": "https:\/\/www.redditstatic.com\/icon.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/kjyj92\/amazon_gift_card_scam_delivers_dridex_this\/", "stamp": "2020-12-25 12:49:16", "primary": 0 }, { "title": "Amazon Gift Card Scam Delivers Dridex This Holiday Season", "channel": "DarkReading", "icon": "https:\/\/img.deusm.com\/darkreading\/favicon.ico", "link": "https:\/\/www.darkreading.com\/threat-intelligence\/amazon-gift-card-scam-delivers-dridex-this-holiday-season\/d\/d-id\/1339810?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple", "stamp": "2020-12-24 17:40:00", "primary": 0 }, { "title": "Hundreds of URLs Inside Microsoft Excel Spreads New Dridex Trojan Variant", "channel": "Fortinet - Threat Research", "icon": "https:\/\/www.fortinet.com\/content\/dam\/fortinet\/images\/icons\/seo\/appicon-192.png", "link": "http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/hc-wPQNJS5Y\/hundreds-of-urls-inside-microsoft-excel-spreads-new-dridex-trojan-variant", "stamp": "2020-08-14 07:00:00", "primary": 0 }, { "title": "Dridex \u2013 From Word to Domain Dominance", "channel": "\/r\/netsec - Information Security News & Discussion", "icon": "https:\/\/www.redditstatic.com\/icon.png", "link": "https:\/\/www.reddit.com\/r\/netsec\/comments\/i2y9xq\/dridex_from_word_to_domain_dominance\/", "stamp": "2020-08-03 14:45:16", "primary": 0 }, { "title": "Dridex - From Word to Domain Dominance", "channel": "\/r\/netsec - Information Security News & Discussion", "icon": "https:\/\/www.redditstatic.com\/icon.png", "link": "https:\/\/www.reddit.com\/r\/netsec\/comments\/i2vyeq\/dridex_from_word_to_domain_dominance\/", "stamp": "2020-08-03 12:14:17", "primary": 0 }, { "title": "Dridex \u2013 From Word to Domain Dominance", "channel": "The DFIR Report", "icon": "https:\/\/thedfirreport.com\/wp-content\/uploads\/2020\/04\/cropped-dfir-v1-w-32x32.png", "link": "https:\/\/thedfirreport.com\/2020\/08\/03\/dridex-from-word-to-domain-dominance\/", "stamp": "2020-08-03 10:19:10", "primary": 0 }, { "title": "2020-07-13 - Dridex infection", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/07\/13\/index2.html", "stamp": "2020-07-13 23:08:00", "primary": 0 }, { "title": "2020-05-14 - Quick post: FedEx-themed Dridex malspam and infection", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/05\/14\/index2.html", "stamp": "2020-05-15 22:17:00", "primary": 0 }, { "title": "2020-05-12 - Pcap and malware for an ISC diary (Dridex)", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/05\/12\/index.html", "stamp": "2020-05-12 23:00:00", "primary": 0 }, { "title": "2020-05-11 - Dridex infection from link-based malspam", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/05\/11\/index.html", "stamp": "2020-05-11 22:12:00", "primary": 0 }, { "title": "2020-04-30 - Password-protected zip files from German malspam push Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/04\/30\/index.html", "stamp": "2020-04-30 22:38:00", "primary": 0 }, { "title": "2020-04-29 - Dridex from link-based malspam", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/04\/29\/index.html", "stamp": "2020-04-30 01:48:00", "primary": 0 }, { "title": "2020-04-28 - Quick post: Dridex malspam and infection", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/04\/28\/index.html", "stamp": "2020-04-28 22:32:00", "primary": 0 }, { "title": "2020-04-27 - Quick post: Dridex malspam and infection", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2020\/04\/27\/index.html", "stamp": "2020-04-27 22:09:00", "primary": 0 }, { "title": "2019-12-11 - Ursnif infection with Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/12\/11\/index.html", "stamp": "2019-12-11 21:35:00", "primary": 0 }, { "title": "US authorities charged Dridex gang members for stealing over $100 Million", "channel": "Information Security News", "icon": "https:\/\/www.redditstatic.com\/icon.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/e7svuf\/us_authorities_charged_dridex_gang_members_for\/", "stamp": "2019-12-08 11:51:05", "primary": 0 }, { "title": "FBI Puts $5 Million Bounty On Russian Hackers Behind Dridex Banking Malware", "channel": "The Hacker News", "icon": "https:\/\/thehackernews.com\/favicon.ico", "link": "http:\/\/feedproxy.google.com\/~r\/TheHackersNews\/~3\/1WyJhMjf7As\/dridex-russian-hackers-wanted-by-fbi.html", "stamp": "2019-12-05 18:29:17", "primary": 0 }, { "title": "Feds Offer $5M Reward to Nab \u2018Evil Corp\u2019 Dridex Hacker", "channel": "Threatpost", "icon": "http:\/\/traffic.libsyn.com\/digitalunderground\/BENNETT_FINAL.mp3", "link": "https:\/\/threatpost.com\/feds-5m-reward-evil-corp-dridex-hacker\/150858\/", "stamp": "2019-12-05 17:55:43", "primary": 0 }, { "title": "Dridex Malware", "channel": "CISA All NCAS Products", "icon": "https:\/\/www.us-cert.gov\/favicon.ico", "link": "https:\/\/www.us-cert.gov\/ncas\/alerts\/aa19-339a", "stamp": "2019-12-05 14:13:48", "primary": 0 }, { "title": "2019-12-02 - Pcap and malware for an ISC diary (Ursnif infection with Dridex)", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/12\/02\/index.html", "stamp": "2019-12-03 01:12:00", "primary": 0 }, { "title": "2019-11-27 - Dridex infection from malspam", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/11\/27\/index.html", "stamp": "2019-11-27 17:05:00", "primary": 0 }, { "title": "2019-11-25 - Urnsif infection with Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/11\/25\/index2.html", "stamp": "2019-11-25 21:44:00", "primary": 0 }, { "title": "2019-11-06 - Data dump: Italian Word doc --> Ursnif --> Dridex --> infected host acts as proxy", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/11\/06\/index.html", "stamp": "2019-11-09 01:00:00", "primary": 0 }, { "title": "2019-10-30 - Data dump: Three days of Ursnif infections with Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/10\/30\/index.html", "stamp": "2019-10-31 18:08:00", "primary": 0 }, { "title": "2019-07-12 - Dridex activity", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/07\/12\/index.html", "stamp": "2019-07-12 17:05:00", "primary": 0 }, { "title": "2019-07-09 - Malspam with password-protected Word doc pushes Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/07\/09\/index.html", "stamp": "2019-07-09 23:59:00", "primary": 0 }, { "title": "Double Duty: Dridex Banking Malware Delivered with RMS RAT", "channel": "Cofense", "icon": "https:\/\/cofense.com\/wp-content\/uploads\/2018\/02\/cropped-Cofense-Favicon_512x512-32x32.png", "link": "https:\/\/cofense.com\/double-duty-dridex-banking-malware-delivered-rms-rat\/", "stamp": "2019-07-08 17:20:41", "primary": 0 }, { "title": "2019-07-08 - Quick post: Ursnif infection with Dridex and Powershell Empire", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/07\/08\/index.html", "stamp": "2019-07-08 08:25:00", "primary": 0 }, { "title": "New variant of Dridex banking Trojan implements polymorphism", "channel": "Information Security News", "icon": "https:\/\/www.redditstatic.com\/icon.png", "link": "https:\/\/www.reddit.com\/r\/InfoSecNews\/comments\/c7zcby\/new_variant_of_dridex_banking_trojan_implements\/", "stamp": "2019-07-01 20:01:16", "primary": 0 }, { "title": "2019-06-18 - Pcap and malware for an ISC diary (Dridex)", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/06\/18\/index.html", "stamp": "2019-06-18 04:12:00", "primary": 0 }, { "title": "2019-05-03 - Quick post: Ursnif infections with Dridex or Nymaim", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/05\/03\/index.html", "stamp": "2019-05-03 23:45:00", "primary": 0 }, { "title": "2019-03-29 - Quick post: malspam using password-protected word docs pushes Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2019\/03\/29\/index.html", "stamp": "2019-03-29 23:15:00", "primary": 0 }, { "title": "proofpoint: Dridex\/Locky Operator Uses New RAT in Recent Campaigns. https:\/\/t.co\/IL1D8j9UAA via SecurityWeek https:\/\/t.co\/QjnMhvpQC7", "channel": "Proofpoint", "icon": "https:\/\/www.proofpoint.com\/sites\/all\/themes\/proofpoint\/favicon.ico", "link": "https:\/\/www.proofpoint.com\/us\/proofpoint-dridexlocky-operator-uses-new-rat-recent-campaigns-httpstcoil1d8j9uaa-securityweek-1", "stamp": "2019-01-22 16:55:08", "primary": 0 }, { "title": "proofpoint: Dridex\/Locky Operator Uses New RAT in Recent Campaigns. https:\/\/t.co\/IL1D8j9UAA via @SecurityWeek https:\/\/t.co\/LTUVQs8LuT", "channel": "Proofpoint", "icon": "https:\/\/www.proofpoint.com\/sites\/all\/themes\/proofpoint\/favicon.ico", "link": "https:\/\/www.proofpoint.com\/us\/proofpoint-dridexlocky-operator-uses-new-rat-recent-campaigns-httpstcoil1d8j9uaa-securityweek-0", "stamp": "2019-01-17 16:55:10", "primary": 0 }, { "title": "URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader", "channel": "\/r\/netsec - Information Security News & Discussion", "icon": "https:\/\/www.redditstatic.com\/icon.png", "link": "https:\/\/www.reddit.com\/r\/netsec\/comments\/a7epp3\/ursnif_emotet_dridex_and_bitpaymer_gangs_linked\/", "stamp": "2018-12-18 20:11:09", "primary": 0 }, { "title": "2018-12-10 - Quick post: Ursnif infection with Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2018\/12\/10\/index4.html", "stamp": "2018-12-10 23:54:00", "primary": 0 }, { "title": "2018-11-27 - Ursnif infection with Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2018\/11\/27\/index.html", "stamp": "2018-11-27 18:26:00", "primary": 0 }, { "title": "2018-11-21 - Ursnif infection with Dridex", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": "https:\/\/www.malware-traffic-analysis.net\/favicon.ico", "link": "https:\/\/www.malware-traffic-analysis.net\/2018\/11\/21\/index.html", "stamp": "2018-11-22 03:15:00", "primary": 0 }, { "title": "2018-07-04 and 05 - fake updater traffic (Chthonic, Dridex, and NetSupport RAT)", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": ".\/img\/heart_transparent.png", "link": "https:\/\/www.malware-traffic-analysis.net\/2018\/07\/05\/index.html", "stamp": "2018-07-06 13:41:00", "primary": 0 }, { "title": "2018-02-05 - Malspam using PDF attachments to push Dridex since 2018-01-30", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": ".\/img\/heart_transparent.png", "link": "https:\/\/www.malware-traffic-analysis.net\/2018\/02\/05\/index.html", "stamp": "2018-02-06 00:18:00", "primary": 0 }, { "title": "2018-01-25 - Quick post: Dridex malspam", "channel": "Malware-Traffic-Analysis.net - Blog Entries", "icon": ".\/img\/heart_transparent.png", "link": "https:\/\/www.malware-traffic-analysis.net\/2018\/01\/25\/index.html", "stamp": "2018-01-25 23:39:00", "primary": 0 }, { "title": "Feodo - A new botnet on the rise", "channel": "Threat Research", "icon": "https:\/\/www.fireeye.com\/content\/dam\/framework\/touch-icon-iphone-60.png", "link": "http:\/\/www.fireeye.com\/blog\/threat-research\/2010\/10\/feodosoff-a-new-botnet-on-the-rise.html", "stamp": "2010-10-21 10:49:16", "primary": 0 } ], "comments": [], "summary": { "attributes": { "port": { "443": { "aid": 4, "indicators": 186 }, "53": { "indicators": 148, "aid": 22028 }, "22": { "aid": 22027, "indicators": 31 }, "25": { "aid": 22033, "indicators": 13 }, "3389": { "aid": 29778, "indicators": 10 }, "8080": { "indicators": 58, "aid": 17 }, "139": { "aid": 11229654, "indicators": 6 }, "993": { "aid": 29782, "indicators": 6 }, "80": { "aid": 6, "indicators": 184 }, "21": { "aid": 10345, "indicators": 6 } }, "technology": { "Ubuntu": { "indicators": 15, "aid": 65126 }, "OpenSSL": { "aid": 65104, "indicators": 8 }, "jQuery": { "indicators": 12, "aid": 65084 }, "Google Font API": { "aid": 65088, "indicators": 9 }, "Apache": { "indicators": 18, "aid": 65089 }, "CentOS": { "indicators": 8, "aid": 65173 }, "Let's Encrypt": { "aid": 16849799, "indicators": 10 }, "Bootstrap": { "aid": 65110, "indicators": 7 }, "PHP": { "aid": 65094, "indicators": 18 }, "Nginx": { "indicators": 35, "aid": 65095 } }, "protocol": { "RDP": { "indicators": 11, "aid": 198189 }, "SMTP": { "indicators": 15, "aid": 68150 }, "NETBIOS": { "indicators": 7, "aid": 11229653 }, "FTP": { "indicators": 9, "aid": 10344 }, "HTTP": { "aid": 5, "indicators": 184 }, "HTTPS": { "aid": 3, "indicators": 189 }, "IMAPS": { "aid": 198183, "indicators": 8 }, "DNS": { "aid": 1, "indicators": 157 }, "SSH": { "indicators": 35, "aid": 68151 } }, "hosttype": { "Name Server": { "indicators": 134, "aid": 18 }, "Subdomain": { "aid": 20, "indicators": 109 } } }, "updated_last_domain": "2026-01-16 18:26:50", "feeds": [ { "pricing": null, "indicators": 0, "organization": "MITRE", "fid": 70, "category": "general", "name": "MITRE ATT&CK Enterprise" }, { "category": "malware", "name": "Malware URLs", "fid": 63, "organization": "precisionsec", "indicators": 22, "pricing": "sponsored" }, { "category": "malware", "name": "Feodo Tracker", "fid": 31, "organization": "abuse.ch", "indicators": 6943, "pricing": "free" }, { "organization": "abuse.ch", "indicators": 41, "pricing": "free", "name": "SSL BL", "category": "malware", "fid": 9 }, { "organization": "abuse.ch", "indicators": 6452, "pricing": null, "category": "malware", "name": "Cridex IPs", "fid": 7 } ], "properties": {}, "risk": { "unknown": 46, "low": 18, "medium": 4, "high": 2, "critical": 4, "retired": 8799, "total": 9007, "none": 134 } } }