S0384: Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[1][2][3]
Analyst context for executives and security teams
Dridex matters because it represents mature Windows banking Trojan tradecraft with documented large-scale financial harm. For leaders, the key lesson is not only "malware on endpoints" but whether the organization can detect and respond to credential and session theft, suspicious browser activity, encrypted web-based command-and-control, persistence through scheduled tasks, and abuse of legitimate Windows components before fraud or a follow-on intrusion escalates.
Executive priority
Prioritize Dridex-informed readiness where financial transactions, privileged browser sessions, and Windows endpoint integrity are business-critical. The ATT&CK record ties Dridex to banking theft at global scale and relationships with cybercriminal groups including TA505 and Indrik Spider; this supports using it as a control-validation scenario for SOC visibility, incident response playbooks, fraud response coordination, and audit evidence around endpoint monitoring, web traffic inspection, and identity/session protection.
Technical view
ATT&CK does not provide a dedicated detection section for Dridex, so defenders should validate coverage through the techniques linked to this malware. On Windows, focus on user-executed malicious files, scheduled task creation or modification, Regsvr32 proxy execution, DLL abuse, native API-driven execution patterns, browser session hijacking indicators, system and software discovery, and command-and-control over web protocols, proxies, multi-hop proxy behavior, and encrypted C2 using symmetric or asymmetric cryptography. Relationship context also supports monitoring for legitimate remote access tools used as command-and-control channels, while avoiding assumptions that any single RAT or web session is malicious without surrounding endpoint and network evidence.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Scheduled Task creation, modification, and execution records
- Regsvr32 execution and module/DLL load telemetry
- File creation, script/document execution, and malware quarantine events related to user-opened files
- Browser process behavior, injected modules, unusual session or web request activity
Detection direction
- Build detections around behavior chains rather than a Dridex name match: malicious file execution followed by discovery, persistence, browser interaction, and outbound web/proxy C2 is more decision-useful than any single event.
- Tune scheduled task and Regsvr32 detections for administrative noise; prioritize unusual parent processes, user context, unsigned or unexpected DLL paths, and newly created tasks on workstations.
- Validate that encrypted web traffic and proxy logs are retained with enough metadata to support triage, since ATT&CK links Dridex to web protocols, proxies, and cryptographic C2 techniques.
- Review browser-session and financial-application monitoring assumptions; browser session hijacking can reduce the value of password-only controls and may require endpoint context to investigate.
- Use the TA505 and Indrik Spider relationships as threat-intelligence context for campaign triage, but do not treat group association alone as attribution without incident-specific evidence.
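As an added example (not part of the ATT&CK record or this page's analysis), the Python sketch below scores the behaviour chain described above, Regsvr32 launched by an unexpected parent or loading a DLL from a user-writable path, scheduled-task persistence whose action points into the system directories named in the T1053.005 note, and a browser spawned by something other than the shell, over constructed Sysmon-like events. The field names, the expected-parent list and the sample events are assumptions to be tuned locally.

```python
"""Per-host behaviour-chain scoring; constructed events, hypothetical schema."""
import re
from collections import defaultdict

# Task action paths under (windows|winnt)\(system32|syswow64), per the T1053.005 note.
SYSTEM_DIRS = re.compile(r"\\(windows|winnt)\\(system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
# Parents that legitimately spawn regsvr32.exe; assumption, tune per environment.
REGSVR32_PARENTS = {"msiexec.exe", "setup.exe", "explorer.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

def classify(ev):
    """Return (stage, reason) for one event, or None if it is unremarkable."""
    exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent", "").lower()
    if ev["event"] == "process_create" and exe == "regsvr32.exe":
        if parent not in REGSVR32_PARENTS:
            return "execution", f"regsvr32 spawned by {parent}"
        if USER_WRITABLE.search(ev.get("cmdline", "")):
            return "execution", "regsvr32 loading DLL from user-writable path"
    if ev["event"] == "task_create" and SYSTEM_DIRS.search(ev.get("action", "")):
        return "persistence", f"task {ev['task']} runs {ev['action']}"
    if ev["event"] == "process_create" and exe in BROWSERS and parent != "explorer.exe":
        return "browser", f"{exe} spawned by {parent}"
    return None

def chains(events, min_stages=2):
    """Group findings by host; report hosts that reach min_stages distinct stages."""
    per_host = defaultdict(dict)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["host"]].setdefault(hit[0], hit[1])
    return {h: s for h, s in per_host.items() if len(s) >= min_stages}

# Constructed sample events (not real Dridex telemetry).
EVENTS = [
    {"host": "ws01", "user": "jdoe", "event": "process_create", "parent": "winword.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\jdoe\AppData\Local\Temp\x.dll"},
    {"host": "ws01", "user": "jdoe", "event": "task_create", "task": r"\Update",
     "action": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"host": "ws01", "user": "jdoe", "event": "process_create", "parent": "regsvr32.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},
    {"host": "ws02", "user": "admin", "event": "process_create", "parent": "msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Program Files\Vendor\vendor.dll"},
]

if __name__ == "__main__":
    for host, stages in chains(EVENTS).items():
        print(host, stages)  # ws01 reaches execution, persistence and browser stages
```

Only ws01 is reported; the vendor install on ws02 is a single expected-parent Regsvr32 event and never reaches a second stage.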
Mitigation priorities
- Reduce successful initial execution by hardening handling of user-opened files and enforcing email/web controls appropriate to malicious file risk.
- Strengthen Windows endpoint controls around scheduled tasks, Regsvr32 abuse, DLL loading paths, and unauthorized remote access tools.
- Improve identity and session protection for high-risk financial and administrative workflows, including rapid response procedures for suspected browser/session compromise.
- Ensure SOC and IR teams can correlate endpoint, browser, proxy, DNS, and HTTP/S telemetry for a single Windows host and user.
- Maintain tested playbooks for suspected banking Trojan activity that include containment, credential/session review, fraud-response escalation, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object identifies Dridex as a prolific banking Trojan first appearing in 2014, derived from Bugat/Cridex source code, with U.S. Treasury reporting more than $100 million in theft and infections across banks and financial institutions in more than 40 countries by December 2019. ATT&CK relationships provide the most useful defensive detail: Dridex is linked to multiple execution, persistence, discovery, stealth, collection, and command-and-control techniques, and is used by TA505 and Indrik Spider according to the supplied relationship context.
ATT&CK provides no official detection text for this object, and the object-level tactics are not specified. The platform field supports Windows for Dridex, while some related techniques list broader platforms that should not be assumed applicable to this malware without local evidence. Defensive priorities should be validated against the organization’s actual Windows estate, logging coverage, financial workflows, and incident history.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Dridex has encrypted traffic with RC4. (Citation: Kaspersky Dridex May 2017) |
| Enterprise | T1574.001 | DLL Sub-technique | Dridex can abuse legitimate Windows executables to side-load malicious DLL files. (Citation: Red Canary Dridex Threat Report 2021) |
| Enterprise | T1219 | Remote Access Tools | Dridex contains a module for VNC. (Citation: Dell Dridex Oct 2015) |
| Enterprise | T1106 | Native API | Dridex has used the |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Dridex can maintain persistence via the creation of scheduled tasks within system directories such as `windows\system32\`, `windows\syswow64`, `winnt\system32`, and `winnt\syswow64`. (Citation: Red Canary Dridex Threat Report 2021) |
| Enterprise | T1185 | Browser Session Hijacking | Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies. (Citation: Dell Dridex Oct 2015) |
| Enterprise | T1518 | Software Discovery | Dridex has collected a list of installed software on the system. (Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Dridex has used POST requests and HTTPS for C2 communications. (Citation: Kaspersky Dridex May 2017)(Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Dridex can use `regsvr32.exe` to initiate malicious code. (Citation: Red Canary Dridex Threat Report 2021) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Dridex has encrypted traffic with RSA. (Citation: Kaspersky Dridex May 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | Dridex's strings are obfuscated using RC4. (Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1090 | Proxy | Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers. (Citation: Dell Dridex Oct 2015)(Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1082 | System Information Discovery | Dridex has collected the computer name and OS architecture information from the system. (Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure. (Citation: Checkpoint Dridex Jan 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing. (Citation: Checkpoint Dridex Jan 2021) |
Groups, software, and campaigns
G0092: TA505
G0119: Indrik Spider
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 0eceead1d6aa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dell Dridex Oct 2015: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.
- [2] Kaspersky Dridex May 2017: Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
- [3] Treasury EvilCorp Dec 2019: U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.
- [4] Bugat v5 (Citation: Dell Dridex Oct 2015)
- [5] Checkpoint Dridex Jan 2021: Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
- [6] Dridex (Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Checkpoint Dridex Jan 2021)
- [7] mitre-attack S0384
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.