Dridex
| | |
|---|---|
| Type | Trojan |
| Subtype | Banking trojan |
| Authors | Necurs, Maksim Yakubets |
Dridex, also known as Bugat and Cridex, is a family of malware that specializes in stealing banking credentials and is delivered through malicious macros in Microsoft Word documents.[5]
It primarily targets Windows users who open malicious email attachments in Word or Excel, triggering macros that download Dridex and infect the system, exposing the user to banking theft.
Dridex is designed to steal banking information[6] from infected machines and immediately launch fraudulent transactions. It installs a keyboard logger and performs injection attacks to capture sensitive data.
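The delivery mechanism described above (macro-bearing Word or Excel attachments) is what a mail gateway can screen for before a user ever opens the file. The following is an added example, not code from the article or from any vendor: a Python triage check that flags attachments carrying a VBA project, using the `vbaProject.bin` part for modern OOXML files and a byte-string heuristic (the UTF-16LE `_VBA_PROJECT` directory-entry name) for legacy OLE2 binaries; the sample documents, the `build_sample_ooxml` helper and the `inbox` list are all constructed here for illustration.

```python
import io
import zipfile
from typing import Optional

# Magic bytes of an OLE2 compound file, the container behind legacy .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory-entry name that a document with VBA code carries, stored as
# UTF-16LE in the compound file's directory stream.
OLE2_VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le")]


def attachment_macro_kind(data: bytes) -> Optional[str]:
    """Return "ooxml" or "ole2" when the attachment carries a VBA project, else None."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: look for the VBA project storage name anywhere in the file.
        # A production scanner would walk the OLE2 directory stream instead.
        return "ole2" if any(m in data for m in OLE2_VBA_MARKERS) else None
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docm/.xlsm/.docx) is a zip; macros live in a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml"
    return None


def triage_attachments(attachments) -> list:
    """Return the filenames of (name, bytes) attachments that carry VBA macros."""
    return [name for name, blob in attachments if attachment_macro_kind(blob)]


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML document; the vbaProject.bin body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed OLE2-like sample: valid magic followed by the VBA storage name.
SAMPLE_OLE2_WITH_VBA = OLE2_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le")

if __name__ == "__main__":
    inbox = [
        ("invoice.docm", build_sample_ooxml(True)),
        ("report.docx", build_sample_ooxml(False)),
        ("statement.doc", SAMPLE_OLE2_WITH_VBA),
        ("notes.txt", b"plain text"),
    ]
    print(triage_attachments(inbox))  # ['invoice.docm', 'statement.doc']
```

Flagging a macro-bearing attachment is a quarantine trigger, not a verdict; a real gateway would hand the file to a proper OLE parser and sandbox rather than rely on the byte-string heuristic alone.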
History
Dridex first appeared in 2012 as an evolution of the earlier Cridex and Bugat banking trojans. It incorporated elements of its predecessors’ code but introduced a peer-to-peer (P2P) communication architecture to enhance concealment and redundancy.[7]
By 2015, it had become one of the most prevalent financial malware strains, particularly targeting banking credentials through email-based phishing campaigns and malicious macro-laden attachments.[7] That year, theft attributed to Dridex was estimated at £20 million in the United Kingdom and $10 million in the United States, with attacks reported in more than 20 countries. In early September 2016, researchers observed the malware beginning to target cryptocurrency wallets.[8]
In 2017, Dridex was distributed through a widespread phishing campaign that exploited a Microsoft Word zero-day vulnerability. This method allowed infection without requiring users to enable macros and affected millions of users globally.[9] Around the same time, newer versions of Dridex began exploiting a vulnerability in Microsoft Office and WordPad that allowed remote code execution.[7]
In December 2019, US authorities filed charges against two suspects believed to have created the Dridex malware, including the group's alleged leader.[10]
In 2022, IBM researchers found similarities between the Raspberry Robin worm and Dridex malware loaders. Their comparative analysis showed that both used similar string decoding algorithms, anti-analysis techniques, and payload decryption routines. IBM suggested that Evil Corp may be using Raspberry Robin infrastructure to carry out attacks.[11]
Evil Corp
Evil Corp (also known as Dridex and INDRIK SPIDER), the group behind the Dridex malware, is a Russian hacking group that has been active since 2009.[12] Evil Corp operated with a hierarchical structure similar to traditional organized crime groups rather than typical cybercriminal networks. Its leader, Maksim Yakubets, ran the operation out of Moscow with the involvement of family members, including his father, brother, and cousins. The group invested heavily in laundering operations and maintained a tight-knit internal culture, regularly socializing and vacationing together.[13]
In 2019, the Federal Bureau of Investigation (FBI) named nine alleged members of the group, accusing them of extorting or stealing over $100,000,000 through hacks that affected 40 countries.[14] That same year, the United States Department of the Treasury imposed sanctions on the group,[15] and the Office of Foreign Assets Control (OFAC) banned individuals in the U.S. from engaging in transactions with them.[16] People outside the US may be subject to secondary sanctions for facilitating significant transactions with the group.[16] The US government also charged two members and offered a $5 million reward for information leading to their arrest.[16]
As a result of the 2019 US and UK sanctions, Evil Corp was forced to alter its tactics. Facing increased scrutiny and legal risk, members abandoned online accounts, restricted their movements, and ceased using Dridex malware. The group adopted alternative access tools like SocGholish and began deploying a rotating set of ransomware strains, including WastedLocker and Hades, to conceal their identity and continue operations.[13]
In November 2021, the BBC reported that two alleged leaders of Evil Corp were living openly in Russia.[14][17] The following month, analysts at Emsisoft suggested that a ransomware attack initially attributed to REvil may have been the work of Evil Corp.[16]
In June of 2022, cybersecurity firm Mandiant reported that Evil Corp had begun using off-the-shelf ransomware, such as LockBit, to disguise its identity and evade sanctions.[16] Mandiant also linked the group to threat actor UNC2165.[16]
Between 2022 and 2024, Evil Corp diversified its tactics and began affiliating with other ransomware groups, including LockBit. The group continued its use of SocGholish as its primary initial access tool. The UK’s National Crime Agency (NCA) identified Aleksandr Ryzhenkov, a senior figure in Evil Corp, as a LockBit affiliate involved in ransomware attacks. In February 2024, LockBit was disrupted by an international law enforcement operation led by the NCA, known as Operation Cronos. Some Evil Corp members remain active in Russia; in December 2022, Igor Turashev and his company placed third in a hackathon organized by the Wagner Group.[13]
See also
- Botnet
- Conficker
- Gameover ZeuS
- Operation Tovar
- Timeline of computer viruses and worms
- Tiny Banker Trojan
- Torpig
- Zeus (malware)
- Zombie (computer science)
References
1. "Cyberthreats, viruses, and malware - Microsoft Security Intelligence". Microsoft.
2. "Trojan.Dridex".
3. "Search - Threat Encyclopedia".
4. "Fortiguard".
5. "Someone Hijacks Botnet Network & Replaces Malware with an Antivirus". 2016-02-04. Retrieved 2017-01-11.
6. Kirk, Jeremy (2016-01-19). "Dridex banking malware adds a new trick". PCWorld. Retrieved 2017-01-11.
7. "Dridex Malware". U.S. Cybersecurity and Infrastructure Security Agency (CISA). 2020-06-30. Retrieved 2025-04-22.
8. Cimpanu, Catalin (2016-09-07). "Dridex Banking Trojan Will Soon Target Crypto-Currency Wallets". Softpedia. Retrieved 2017-01-11.
9. "Microsoft Word 0-day used to push dangerous Dridex malware on millions". Ars Technica. 2017-04-11. Retrieved 2025-04-20.
10. Cimpanu, Catalin (2019-12-05). "US charges two members of the Dridex malware gang". ZDNet. Retrieved 2019-12-08.
11. "Raspberry Robin and Dridex: Two birds of a feather". IBM. 2022-09-01. Retrieved 2025-04-20.
12. Mujezinovic, Damir (2021-09-10). "Evil Corp: A Deep Dive Into One of the World's Most Notorious Hacker Groups". MakeUseOf. Archived from the original on 2021-09-10. Retrieved 2021-11-23.
13. "Evil Corp: Behind the Screens". U.K. National Crime Agency (NCA). October 2024. Retrieved 2025-04-21.
14. Tidy, Joe (2021-11-17). "Evil Corp: 'My hunt for the world's most wanted hackers'". BBC News. Retrieved 2021-11-23.
15. "Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware". U.S. Department of the Treasury. 2019-12-05. Archived from the original on 2019-12-05. Retrieved 2021-11-23.
16. Burt, Jeff (2022-06-03). "Even Russia's Evil Corp now favors software-as-a-service". The Register. Retrieved 2022-06-04.
17. White, Debbie (2021-11-17). "Hackers accused of stealing $100m live openly in Russia". The Times. ISSN 0140-0460. Retrieved 2021-11-23.