{
	"id": "55a5b769-efe4-4791-b027-723d90f520f4",
	"created_at": "2026-04-06T00:09:33.647839Z",
	"updated_at": "2026-04-10T03:36:37.07965Z",
	"deleted_at": null,
	"sha1_hash": "cd1d3a6d70817f42cdcea2b0d388ab9e5292b5e8",
	"title": "Dridex Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120866,
	"plain_text": "Dridex Malware | CISA\r\nPublished: 2020-06-30 · Archived: 2026-04-05 13:51:03 UTC\r\nSummary\r\nThis Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber\r\nInformation Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN)\r\nto identify and share information with the financial services sector. Treasury and the Cybersecurity and\r\nInfrastructure Security Agency (CISA) are providing this report to inform the sector about the Dridex malware\r\nand variants. The report provides an overview of the malware, related activity, and a list of previously unreported\r\nindicators of compromise derived from information reported to FinCEN by private sector financial institutions.\r\nBecause actors using Dridex malware and its derivatives continue to target the financial services sector, including\r\nfinancial institutions and customers, the techniques, tactics, and procedures contained in this report warrant\r\nrenewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into\r\nexisting Dridex-related network defense capabilities and planning. For information regarding the malicious cyber\r\nactors responsible for the development and distribution of the Dridex malware, see the Treasury press release,\r\nTreasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware and the FBI press\r\nrelease, Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in\r\nTens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat”\r\nMalware.\r\nThis Alert does not introduce a new regulatory interpretation, nor impose any new requirements on regulated\r\nentities. Except where noted, there is no indication that the actual owner of the email address was involved in the\r\nsuspicious or malicious activity. 
If activity related to these indicators of compromise is detected, please notify\r\nappropriate law enforcement and the CIG.\r\nFor a downloadable copy of IOCs, see:\r\nAA19-339A CSV\r\nAA19-339A STIX XML\r\nTechnical Details\r\nThe Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and\r\navailability of data and systems for business processes. According to industry reporting, the original version of\r\nDridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect\r\nactors using Dridex malware and its derivatives to continue targeting the financial services sector, including both\r\nfinancial institutions and customers.\r\nDridex-related Phishing Attributes\r\nhttps://www.us-cert.gov/ncas/alerts/aa19-339a\r\nPage 1 of 10\n\nActors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a\r\ncombination of legitimate business names and domains, professional terminology, and language implying urgency\r\nto persuade victims to open attachments. Sender e-mail addresses can simulate individuals\r\n(name@domain.com), administrative (admin@domain.com, support@domain.com), or common “do not reply”\r\nlocal parts (noreply@domain.com). Subject and attachment titles can include typical terms such as “invoice”,\r\n“order”, “scan”, “receipt”, “debit note”, “itinerary”, and others.\r\nThe e-mail messages vary widely. The e-mail body may contain no text at all, except to include attachments with\r\nnames that are strings of numbers, apparently relying on the subject line and victim curiosity to coerce the opening\r\nof the malicious file. Where there is a message body, the body may specifically state that the contents of the e-mail\r\nunderwent virus scanning or simply direct the victim toward the link or attachment. 
In other cases, the body may\r\ninclude a long, substantive message, providing multiple points of contact and context for the malicious\r\nattachment. Attachment and hyperlink names vary from random sets of numbers or imitation automatic filenames\r\nfrom scanners to filenames purporting to reference financial records. Attachments may or may not have direct\r\nreferences using the same file name or strings of numbers in the bodies of the e-mails.\r\nExample Links and Filenames (Note: link information is representative. Parenthesized placeholders stand for values automatically\r\ngenerated by the cloud storage provider. # represents a random number.):\r\nLink: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider)\r\n[.]COM/S/(Cloud Account Value) /RECENT%20WIRE%20PAYMENT %######.SCR?(Cloud Provided\r\nSequence)\r\nLink: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider) [.]COM/S/\r\nCloud Account Value/AUTOMATEDCLEARINGHOUSE%20 PAYMENT####.DOC? (Cloud Provided\r\nSequence)\r\nLink: Malicious File: ID201NLD0012192016.DOC\r\nAttachments or eventual downloads can take a variety of formats. In some instances, malware downloaders are\r\nconcealed in compressed files using the ZIP or RAR file formats. Occasionally compressed files within\r\ncompressed files (double zipped) are used. The compressed files can include extensible markup language (.xml),\r\nMicrosoft Office (.doc, .xls), Visual Basic (.vbs), JavaScript (.jar), or portable document format (.pdf) files. Many\r\nof the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the\r\nmacros reach out to a command and control server, FTP server, or cloud storage site to download the actual Dridex\r\nmalware. In other cases, macros launch scripts that extract executables embedded in the document as opposed to\r\ndownloading the payload.\r\nBy default, software generally prevents execution of macros without user permission. 
Attached files, particularly\r\n.doc and .xls files, contain instructions on how a user should enable content and specifically macros, effectively\r\nusing social engineering to facilitate the download. Malicious files sometimes even include screenshots of the\r\nnecessary actions to enable macros.\r\nMalware Capabilities\r\nDridex malware operates from multiple modules that may be downloaded together or following the initial\r\ndownload of a “loader” module. Modules include provisions for capturing screenshots, acting as a virtual\r\nmachine, or incorporating the victim machine into a botnet. Through its history and development, Dridex has used\r\nseveral exploits and methods for execution, including modification of directory files, using system recovery to\r\nescalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for extraction of\r\ndata. Recent versions of Dridex exploit vulnerability CVE-2017-0199, which allows remote execution of code.\r\nThis vulnerability is specific to Microsoft Office and WordPad. Microsoft released a patch in 2017.\r\nOnce downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to\r\nestablishing a virtual network to deletion of files. The primary threat to financial activity is Dridex’s ability to\r\ninfiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging\r\nsoftware, via API hooking, to steal customer login information. Dridex modules package, encrypt, and transmit\r\ncaptured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as\r\nseen in newer versions. 
After stealing the login data, the attackers have the potential to facilitate fraudulent\r\nautomated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially adapt victim\r\naccounts for other scams involving business e-mail compromise or money mule activity.\r\nThe Dridex malware has evolved through several versions since its inception, partially to adapt to updated\r\nbrowsers. Although the characteristics described reflect some of the most recent configurations, actors continue to\r\nidentify and exploit vulnerabilities in widely used software.\r\nDridex Malware and Variants\r\nWhile Dridex is among the most prevalent sources of infection, previous variants and similar malware continue to\r\nrepresent a threat. Dridex is itself an improved variant of the Cridex and Bugat Trojans that preceded it, and it\r\nshares some of their code. Although the previous variants’ theft activities operate in mostly the same way, the P2P\r\ncommunication aspects of Dridex improve its concealment and redundancy.\r\nRansomware\r\nActors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also\r\nknown as FriedEx, includes numerous similarities to Dridex, despite its function as ransomware rather than data\r\nextraction. The two malware families use the same mechanics for several functions, and the authors compiled the code at\r\nnearly the same time. The ransomware distributed through these families has targeted U.S. financial institutions\r\nand resulted in data and financial loss.\r\nLocky ransomware operates using the same delivery method for the downloader, with similar subject lines and\r\nattachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes\r\nsimultaneously. Variants of Locky include Zepto and Osiris. 
Locky ransomware and its variants have a wide\r\nfootprint, with varying impact depending on victim IT policies and practices and network configurations.\r\nDridex-related Activity\r\nAlthough the highest infection rates took place in late 2015 and early 2016, concurrent with Locky ransomware\r\ndistribution, Dridex continues to impact numerous countries. The Dridex hackers appear to direct the majority of\r\nattacks at English-speaking countries. Cybersecurity industry reporting attributes Dridex, BitPaymer, and Locky\r\ncampaigns, as well as other massive malware spam (malspam) campaigns to actors known alternately as Evil Corp\r\nor TA505. (Note: some cybersecurity industry reporting simply refers to the actors as “Dridex” or the “Dridex\r\nhackers.”) Actors distribute the malware via massive spam campaigns, sending up to millions of messages per day,\r\nalthough volume of messages varies widely.\r\nIndicators of Compromise\r\nThe following indicators are associated with the activity described in this report:\r\nMitigations\r\nTreasury and CISA encourage users and organizations to:\r\n1. Contact law enforcement immediately to report any identified activity related to Dridex malware or\r\nits derivatives. Please see contact information for FBI and CISA at the end of this report.\r\n2. Incorporate the indicators of compromise identified in this report into intrusion detection systems and\r\nsecurity alert systems to enable active blocking or reporting of suspected malicious activity. Note that the\r\nabove list is not a comprehensive list of all indicators associated with this activity.\r\n3. Report suspicious activity, highlighting the presence of “Cyber Event Indicators.” Indicators of\r\nCompromise, such as suspicious e-mail addresses, file names, hashes, domains, and IP addresses, can be\r\nprovided under Item 44 of the Suspicious Activity Report (SAR) form. 
FinCEN welcomes voluntary SAR\r\nfiling in circumstances where reporting is not required.\r\nRecommendations for All Organizations\r\nThe following mitigation recommendations respond directly to Dridex TTPs:\r\nEnsure systems are set by default to prevent execution of macros.\r\nInform and educate employees on the appearance of phishing messages, especially those used by the\r\nhackers for distribution of malware in the past.\r\nUpdate intrusion detection and prevention systems frequently to ensure the latest variants of malware and\r\ndownloaders are included.\r\nConduct regular backups of data, ensuring backups are protected from potential ransomware attack.\r\nExercise employees’ response to phishing messages and unauthorized intrusion.\r\nIf there is any doubt about message validity, call and confirm the message with the sender using a number\r\nor e-mail address already on file.\r\nTreasury and CISA remind users and administrators to use the following best practices to strengthen the\r\nsecurity posture of their organization’s systems:\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nRestrict users’ ability (permissions) to install and run unwanted software applications. 
Do not add users to\r\nthe local administrators group unless required.\r\nEnforce a strong password policy and require regular password changes.\r\nExercise caution when opening email attachments even if the attachment is expected and the sender\r\nappears to be known.\r\nEnable a personal firewall on workstations, and configure it to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type”\r\n(i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the Internet before executing.\r\nMaintain situational awareness of the latest threats.\r\nImplement appropriate access control lists.\r\nExercise cybersecurity procedures and continuity of operations plans to enhance and maintain ability to\r\nrespond during and following a cyber incident.\r\nThe National Institute of Standards and Technology (NIST) has published additional information on malware\r\nincident prevention and handling in their Special Publication 800-83, Guide to Malware Incident Prevention and\r\nHandling for Desktops and Laptops.\r\nWhy Best Practices Matter\r\nThe National Security Agency (NSA) recently published its Top Ten Cybersecurity Mitigation Strategies.\r\nAligned with the NIST Cybersecurity Framework, the\r\nStrategies offer a risk-based approach to mitigating exploitation techniques used by Advanced Persistent Threat\r\n(APT) actors.\r\nThe Strategies counter a broad range of exploitation techniques used by malicious cyber actors. NSA’s mitigations\r\nset priorities for enterprise organizations to minimize mission impact. 
The mitigations also build upon the NIST\r\nCybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security\r\nposture. The mitigation strategies are ranked by effectiveness against known APT tactics. Additional strategies and\r\nbest practices will be required to mitigate the occurrence of new tactics.\r\n1. Update and Upgrade Software Immediately. Apply all available software updates, automate the process\r\nto the extent possible, and use an update service provided directly from the vendor. Automation is\r\nnecessary because threat actors study patches and create exploits, often soon after a patch is released.\r\nThese “N-day” exploits can be as damaging as a zero-day. Vendor updates must also be authentic; updates\r\nare typically signed and delivered over protected links to assure the integrity of the content. Without rapid\r\nand thorough patch application, threat actors can operate inside a defender’s patch cycle.\r\n2. Defend Privileges and Accounts. Assign privileges based on risk exposure and as required to maintain\r\noperations. Use a Privileged Access Management (PAM) solution to automate credential management and\r\nfine-grained access control. Another way to manage privilege is through tiered administrative access in\r\nwhich each higher tier provides additional access, but is limited to fewer personnel. Create procedures to\r\nsecurely reset credentials (e.g., passwords, tokens, tickets). Privileged accounts and services must be\r\ncontrolled because threat actors continue to target administrator credentials to access high-value assets, and\r\nto move laterally through the network.\r\n3. Enforce Signed Software Execution Policies. Use a modern operating system that enforces signed\r\nsoftware execution policies for scripts, executables, device drivers, and system firmware. 
Maintain a list of\r\ntrusted certificates to prevent and detect the use and injection of illegitimate executables. Execution\r\npolicies, when used in conjunction with a secure boot capability, can assure system integrity. Application\r\nallow listing should be used with signed software execution policies to provide greater control. Allowing\r\nunsigned software enables threat actors to gain a foothold and establish persistence through embedded\r\nmalicious code.\r\n4. Exercise a System Recovery Plan. Create, review, and exercise a system recovery plan to ensure the\r\nrestoration of data as part of a comprehensive disaster recovery strategy. The plan must protect critical data,\r\nconfigurations, and logs to ensure continuity of operations due to unexpected events. For additional\r\nprotection, backups should be encrypted, stored offsite, offline when possible, and support complete\r\nrecovery and reconstitution of systems and devices. Perform periodic testing and evaluate the backup plan.\r\nUpdate the plan as necessary to accommodate the ever-changing network environment. A recovery plan is\r\na necessary mitigation for natural disasters as well as malicious threats including ransomware.\r\n5. Actively Manage Systems and Configurations. Take inventory of network devices and software. Remove\r\nunwanted, unneeded, or unexpected hardware and software from the network. Starting from a known\r\nbaseline reduces the attack surface and establishes control of the operational environment. Thereafter,\r\nactively manage devices, applications, operating systems, and security configurations. Active enterprise\r\nmanagement ensures that systems can adapt to dynamic threat environments while scaling and streamlining\r\nadministrative operations.\r\n6. Continuously Hunt for Network Intrusions. Take proactive steps to detect, contain, and remove any\r\nmalicious presence within the network. 
Enterprise organizations should assume that a compromise has\r\ntaken place and use dedicated teams to continuously seek out, contain, and remove threat actors within the\r\nnetwork. Passive detection mechanisms, such as logs, Security Information and Event Management\r\n(SIEM) products, Endpoint Detection and Response (EDR) solutions, and other data analytic capabilities\r\nare invaluable tools to find malicious or anomalous behaviors. Active pursuits should also include hunt\r\noperations and penetration testing using well documented incident response procedures to address any\r\ndiscovered breaches in security. Establishing proactive steps will transition the organization beyond basic\r\ndetection methods, enabling real-time threat detection and remediation using a continuous monitoring and\r\nmitigation strategy.\r\n7. Leverage Modern Hardware Security Features. Use hardware security features like Unified Extensible\r\nFirmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), and hardware virtualization.\r\nSchedule older devices for a hardware refresh. Modern hardware features increase the integrity of the boot\r\nprocess, provide system attestation, and support features for high-risk application containment. Using a\r\nmodern operating system on outdated hardware results in a reduced ability to protect the system, critical\r\ndata, and user credentials from threat actors.\r\n8. Segregate Networks Using Application-Aware Defenses. Segregate critical networks and services. Deploy\r\napplication-aware network defenses to block improperly formed traffic and restrict content, according to\r\npolicy and legal authorizations. Traditional intrusion detection based on known-bad signatures is quickly\r\ndecreasing in effectiveness due to encryption and obfuscation techniques. 
Threat actors hide malicious\r\nactions and remove data over common protocols, making the need for sophisticated, application-aware\r\ndefensive mechanisms critical for modern network defenses.\r\n9. Integrate Threat Reputation Services. Leverage multi-sourced threat reputation services for files, DNS,\r\nURLs, IPs, and email addresses. Reputation services assist in the detection and prevention of malicious\r\nevents and allow for rapid global responses to threats, a reduction of exposure from known threats, and\r\nprovide access to a much larger threat analysis and tipping capability than an organization can provide on\r\nits own. Emerging threats, whether targeted or global campaigns, occur faster than most organizations can\r\nhandle, resulting in poor coverage of new threats. Multi-source reputation and information sharing services\r\ncan provide a more timely and effective security posture against dynamic threat actors.\r\n10. Transition to Multi-Factor Authentication. Prioritize protection for accounts with elevated privileges,\r\nremote access, and/or used on high value assets. Physical token-based authentication systems should be\r\nused to supplement knowledge-based factors such as passwords and PINs. Organizations should migrate\r\naway from single factor authentication, such as password-based systems, which are subject to poor user\r\nchoices and susceptible to credential theft, forgery, and reuse across multiple systems.\r\nContact Information\r\nReporting Suspected Malicious Activity\r\nTo report an intrusion and request resources for incident response or technical assistance, contact CISA\r\n(central@mail.cisa.dhs.gov or 1-844-Say-CISA), FBI through a local field office, or FBI’s Cyber Division\r\n(CyWatch@fbi.gov or 855-292-3937).\r\nInstitutions should determine whether filing of a Suspicious Activity Report (“SAR”) is required under Bank\r\nSecrecy Act regulations. 
In instances where filing is not required, institutions may file a SAR voluntarily to aid\r\nFinCEN and law enforcement efforts in protecting the financial sector. Financial institutions are encouraged to\r\nprovide relevant cyber-related information and indicators in their SAR reporting. For questions regarding cyber\r\nSAR filing, please contact the FinCEN Resource Center (FRC@fincen.gov or 1-800-767-2825).\r\nOpen-Source Reporting on Dridex\r\nThe following represents an alphabetized selection of open-source reporting by U.S. government and industry\r\nsources on Dridex malware and its derivatives:\r\n“Dridex P2P Malware,” US-CERT Alert (TA15-286A), https://www.cisa.gov/news-events/alerts/2015/10/13/dridex-p2p-malware, 13 October 2015.\r\n“Dridex Threat Profile,” New Jersey Cybersecurity \u0026 Communications Integration Cell,\r\nhttps://www.cyber.nj.gov/threat-landscape/malware/trojans/dridex, accessed 15 April 2019.\r\nAlert Logic, “Dridex malware has evolved to Locky Ransomware,” No date,\r\nhttps://www.alertlogic.com/resources/industry-reports/ransomware-in-focus/, accessed 11 March 2019.\r\nAvast Blog, “A closer look at the Locky ransomware,” 10 March 2016, https://blog.avast.com/a-closer-look-at-the-locky-ransomware, accessed 6 February 2019.\r\nBrett Stone-Gross, Ph.D., “Dridex (Bugat v5) Botnet Takeover Operation,” Secureworks, 13 October 2015,\r\nhttps://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation, accessed 6 February\r\n2019.\r\nBrewster, Thomas, “Cops Knock Down Dridex Malware that Earned ‘Evil Corp’ Cybercriminals At Least\r\n$50 Million,” Forbes, 13 October 2015, https://www.forbes.com/sites/thomasbrewster/2015/10/13/dridex-botnet-takedown/#2b883f00415b.\r\nChandler, Andy, “FBI announces Dridex gang indictment and praises Fox-IT,” Fox-IT, 13 October 
2015,\r\nhttps://www.fox-it.com/en/about-fox-it/corporate/news/fbi-announces-dridex-gang-indictments-praises-fox/, accessed 7 February 2019.\r\nDHS CISA, “Alert (TA15-286A), Dridex P2P Malware,” https://www.cisa.gov/news-events/alerts/2015/10/13/dridex-p2p-malware, accessed 4 June 2019.\r\nEduard Kovacs, “Dridex still active after takedown attempt,” Security Week, 19 October 2015,\r\nhttps://www.securityweek.com/dridex-still-active-after-takedown-attempt, accessed 11 March 2019.\r\nGeoff White, “How the Dridex Gang makes millions from bespoke ransomware,” Forbes, 26 September\r\n2018, https://www.forbes.com/sites/geoffwhite/2018/09/26/how-the-dridex-gang-makes-millions-from-bespoke-ransomware/, accessed 11 March 2019.\r\nMS-ISAC, “Cybercrime Technical Desk Reference,” 31 August 2018, https://www.cisecurity.org/wp-content/uploads/2018/09/MS-ISAC-Cyber-Crime-Technical-Desk-Reference.pdf, accessed 6 February\r\n2019.\r\nO’Brien, Dick. “Dridex: Tidal waves of spam pushing dangerous financial Trojan,” Symantec, February\r\n2016, https://docs.broadcom.com/doc/dridex-financial-trojan, accessed 4 February 2019.\r\nPoslušný, Michal, “FriedEx: BitPaymer ransomware the work of Dridex authors,” welivesecurity by ESET,\r\n26 January 2018, https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/, accessed 6 February 2019.\r\nProofpoint, “Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day,”\r\nhttps://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day, accessed 5 February 2019.\r\nProofpoint, “High-Volume Dridex Banking Trojan Campaigns Return,”\r\nhttps://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return, accessed 1\r\nFebruary 2019.\r\nProofpoint, “Threat Actor Profile: TA505, From Dridex to GlobeImposter,”\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter,\r\naccessed 6 
February 2019.\r\nRoland Dela Paz and Ran Mosessco. “New year, new look – Dridex via compromised FTP,” ForcePoint, 18\r\nJanuary 2018, https://blogs.forcepoint.com/blog/security-labs/new-year-new-look-dridex-compromised-ftp,\r\naccessed 4 February 2019.\r\nSanghavi, Mithun. “DRIDEX and how to overcome it.” Symantec Official Blog, 30 March 2015,\r\nhttps://community.broadcom.com/symantecenterprise/viewdocument/dridex-and-how-to-overcome-it?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments, accessed 4 February\r\n2019.\r\nSecurity Intelligence Blog, “URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar\r\nLoader,” Trend Micro, 18 December 2018, https://www.trendmicro.com/en_us/research/18/l/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader.html, accessed 6 February 2019.\r\nTalos Group, “Threat Spotlight: Spam Served With a Side of Dridex,” Cisco Blogs, 6 April 2015,\r\nhttps://blogs.cisco.com/security/talos/spam-dridex, accessed 4 February 2019.\r\nRevisions\r\nDecember 5, 2019: Initial version\r\nDecember 5, 2019: Added links to Treasury and FBI press releases\r\nJanuary 2, 2020: Updated CISA contact information\r\nSource: https://www.us-cert.gov/ncas/alerts/aa19-339a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/aa19-339a"
	],
	"report_names": [
		"aa19-339a"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd1d3a6d70817f42cdcea2b0d388ab9e5292b5e8.pdf",
		"text": "https://archive.orkl.eu/cd1d3a6d70817f42cdcea2b0d388ab9e5292b5e8.txt",
		"img": "https://archive.orkl.eu/cd1d3a6d70817f42cdcea2b0d388ab9e5292b5e8.jpg"
	}
}