Dridex is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).[1][2]

ID: S0384
Associated Software: Bugat v5
Platforms: Windows
Version: 1.1
Created: 30 May 2019
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Bugat v5


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dridex has used HTTPS for C2 communications.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Dridex has encrypted traffic with RC4.[2]

.002 Encrypted Channel: Asymmetric Cryptography

Dridex has encrypted traffic with RSA.[2]

Enterprise T1185 Man in the Browser

Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[1]

Enterprise T1090 Proxy

Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.[1]

Enterprise T1219 Remote Access Software

Dridex contains a module for VNC.[1]

Groups That Use This Software

ID Name References
G0092 TA505


G0119 Indrik Spider