Botnet C&C

dridex

Brief

Dridex is a malware bot primarily used to steal user credentials for use in financial fraud. Dridex steals user information such as banking details and credit card numbers and sends that information back to its controllers.

Symptoms

Some possible symptoms include, but are not limited to:

  • Creation of an autostart entry in the Windows registry to ensure it runs on startup
  • Connections to known C&C IPs or a spike in Peer-to-Peer traffic, which may indicate Dridex attempting to retrieve additional commands or instructions
  • Delivery by email of files posing as invoices, attachments, or shipment tracking information. These files attempt to trick users into opening them and usually do not come from known senders.

Analysis

Dridex has the ability to steal information in numerous ways including form injection into websites, stealing the contents of forms submitted to sites, and screenshot capturing.

Dridex often uses Microsoft Office-based macros to trick victims into installing the malware. It is typically distributed via email and spam campaigns whose attachments contain the malicious macro.

Instructions

It is not recommended that any attempts to remove this malware be performed manually. Fortinet recommends that you remove this threat by running a complete scan of your system using FortiClient Endpoint Protection.