Dridex will ban computers it thinks belong to security researchers

Future versions of the infamous and highly dangerous Dridex banking trojan will soon be able to steal credentials for several crypto-currency wallets, according to clues found in recent Dridex samples.

Dridex, also known as Bugat and Cridex, is the moniker of a banking trojan and the name of its botnet (infected devices) used to commit other types of illegal activities, such as sending spam.

The criminal group behind it, a true cyber-crime syndicate, has people working around the clock updating Dridex's source code with new features and new methods meant to help the trojan avoid getting flagged by security software.

A recent Forcepoint report highlights some of the low-level code changes that have allowed Dridex to avoid malware researchers and security software in the past few months, but it also includes some clues about the trojan's future.

Some of the most significant and extensive changes are to Dridex's configuration file, which is now transmitted from the C&C master server to its victims in an encrypted binary format, instead of a cleartext XML file.

While this has made reverse engineering and Dridex detection a real problem, the most interesting change is the fact that Dridex now comes with the ability to blacklist "suspicious" hosts.

You see, Dridex doesn't flat-out infect its victims. The initial infection trojan, called the Dridex loader, collects information about each host and then sends it to the Dridex servers.

The type of information it collects includes data such as the computer's name, OS type, OS version, OS installation date, and system information like the list of installed software.

Across time, this has allowed the Dridex gang to build a database of users. Dridex's operators have realized that they could use this database to detect users who have security-related and reverse engineering software installed on their PCs.