{
	"id": "a2f12baf-3a4a-431a-a362-8bfe9a0cf946",
	"created_at": "2026-04-06T01:29:28.746651Z",
	"updated_at": "2026-04-10T13:12:25.969081Z",
	"deleted_at": null,
	"sha1_hash": "536129a828736b1fae40a9252258f271eef1a29b",
	"title": "Dridex - Red Canary Threat Detection Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67863,
	"plain_text": "Dridex - Red Canary Threat Detection Report\r\nArchived: 2026-04-06 00:37:19 UTC\r\nAnalysis\r\nDetection\r\nEditor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been\r\nupdated since 2021.\r\nDridex is a well-known banking trojan that shares both code similarities and overlapping infrastructure with\r\nGameover Zeus. The operators of Dridex are referred to by various names, including TA505 and INDRIK\r\nSPIDER. When it first showed up on the scene in 2014, it delivered malicious Word documents containing VBA\r\nmacros. Over the years it has used other formats such as malicious JavaScript and Excel documents. Even though\r\nthe initial payload delivery format has changed, Dridex has consistently focused on getting into user mailboxes\r\nand ushering users into unwittingly executing malicious code on their endpoints. Malicious emails containing\r\nDridex attachments encourage clicking by giving the attached Excel documents enticing names like “Invoice,”\r\n“Inv,” “Outstanding,” “Payment,” or “Statement.”\r\nXLM macros\r\nWith the most recent shift in 2020, Dridex moved from delivering malicious JavaScript files to delivering\r\nmalicious Excel documents leveraging the underlying Excel 4.0 macro (XLM) functionality. XLM macros were\r\nmade available to Excel users in 1992. These macros utilize the Binary Interchange File Format (BIFF), an early\r\ncousin of the better-known Visual Basic for Applications (VBA) macros. Excel 4.0 macros offer similar\r\nfunctionality as VBA macros but give adversaries the distinct advantage of being able to hide in plain sight; macro\r\ncode can be spread throughout a spreadsheet over disparate cells, rendering analysis difficult and making it not\r\nimmediately obvious that executable code is even present.\r\nPreviously, XLM also allowed code execution without being subjected to the scrutiny of the Microsoft\r\nAntimalware Scan Interface (AMSI), which made it easier for Dridex and other malware to use XLM to evade\r\ndefenses. As of March 2021, Microsoft has added AMSI coverage for Excel 4.0 macros, enabling vendors to\r\nacquire insight into runtime execution. Ultimately, if your organization doesn’t have a business use for executing\r\nmacros in your environment, it’s better to disable them altogether.\r\nLater stages\r\nBeyond the initial delivery, one of the most common techniques we observed Dridex using throughout the year\r\nwas DLL search order hijacking of various legitimate Windows executables. The Dridex operators don’t stick to a\r\nsingle Windows executable when doing search order hijacking, necessitating multiple detection analytics to catch\r\nhttps://redcanary.com/threat-detection-report/threats/dridex/\r\nPage 1 of 3\n\nthis behavior. We also observed Dridex persisting as a scheduled task. In fact, Dridex’s place in our top 10 threats\r\nis due in no small part to scheduled tasks left over from incomplete remediation efforts. This pattern emphasizes\r\nthe importance of cleaning up persistence when responding to threats.\r\nWhile Dridex is a threat in and of itself, in 2020 we also observed multiple environments where Dridex led to the\r\nransomware family DoppelPaymer—and we’ve observed the same pattern in early 2021. Similar to other\r\n“ransomware precursor” families in our top 10 such as TrickBot, Emotet, and Qbot, the threat of follow-on\r\nransomware emphasizes the need for quick identification and remediation of Dridex in any environment. Given\r\nthe long history of Dridex consistently evolving to combat modern-day security controls while maintaining the\r\nsame means of payload delivery, the best way to protect your organization from Dridex is filtering emails at your\r\nmail gateways to prevent its delivery.\r\nDetection opportunity 1\r\nScheduled task creation containing system directory\r\nATT\u0026CK technique(s): T1053.005 Scheduled Task/Job: Scheduled Task\r\nATT\u0026CK tactic(s): Persistence\r\nDetails: Dridex maintains persistence via the creation of scheduled tasks (schtasks.exe) within system\r\ndirectories such as windows\\system32\\, windows\\syswow64, winnt\\system32 and winnt\\syswow64.\r\nIdentifying the instances of schtasks.exe where the command line contains both the flag /create and a\r\nsystem path often helps us identify existing or residual instances of Dridex on an endpoint.\r\nDetection opportunity 2\r\nExcel spawning regsvr32.exe\r\nATT\u0026CK technique(s): T1218.010 Signed Binary Proxy Execution: Regsvr32\r\nATT\u0026CK tactic(s): Defense Evasion\r\nDetails: Dridex uses Excel macros as a springboard to initiate additional malicious code via Register Server\r\n(regsvr32.exe). While files called by regsvr32 traditionally end in .dll (as in the first example below), we\r\noften observe this threat and others using different file extensions to avoid recognition as a DLL (as in the second\r\nexample below). Detecting this type of activity can be as easy as identifying any instances where excel.exe is\r\nspawning regsvr32.exe as a child process, as this activity is uncommon in most environments.\r\nDetection opportunity 3\r\nDLL search order hijacking\r\nATT\u0026CK technique(s): T1574.001 Hijack Execution Flow: DLL Search Order Hijacking\r\nATT\u0026CK tactic(s): Persistence, Privilege Escalation, Defense Evasion\r\nDetails: Another opportunity for detection is based around search order hijacking. This type of attack is successful\r\nwhen a Windows native binary executes from within a directory that contains one or more malicious DLL\r\nbinaries. These unassuming DLLs are loaded and executed by the trusted native binary due to their location. This\r\ntype of activity is most easily identified when a native system binary is executed from a non-standard location,\r\nsuch as AppData\\Local or AppData\\Roaming. This detection opportunity requires some work: start by\r\ncataloging all native Windows binaries, and then write detection analytics for any instances where these binaries\r\nare executed from anywhere other than their standard locations. Admittedly, this leads to a lot of detection\r\nanalytics due to the volume of native Windows binaries, but we’ve found that creating these analytics is worth the\r\neffort to catch Dridex as well as other threats that use DLL search order hijacking.\r\nSource: https://redcanary.com/threat-detection-report/threats/dridex/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redcanary.com/threat-detection-report/threats/dridex/"
	],
	"report_names": [
		"dridex"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438968,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/536129a828736b1fae40a9252258f271eef1a29b.pdf",
		"text": "https://archive.orkl.eu/536129a828736b1fae40a9252258f271eef1a29b.txt",
		"img": "https://archive.orkl.eu/536129a828736b1fae40a9252258f271eef1a29b.jpg"
	}
}