The sub-techniques beta is now live! Read the release blog post for more info.


Dridex is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).[1][2]

ID: S0384
Associated Software: Bugat v5
Platforms: Windows
Version: 1.0
Created: 30 May 2019
Last Modified: 31 May 2019

Associated Software Descriptions

Name Description
Bugat v5 [1]

Techniques Used

Domain ID Name Use
Enterprise T1090 Connection Proxy

Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.[1]

Enterprise T1185 Man in the Browser

Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[1]

Enterprise T1219 Remote Access Tools

Dridex contains a module for VNC.[1]

Enterprise T1071 Standard Application Layer Protocol

Dridex has used HTTPS for C2 communications.[2]

Enterprise T1032 Standard Cryptographic Protocol

Dridex has encrypted traffic with RSA and RC4.[2]

Groups That Use This Software

ID Name References
G0092 TA505 [3] [4]