Dridex

Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets.

These access facilitators distribute their backdoors via malicious links and attachments sent via email.

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails... APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts... Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.

This group distributes malware via malicious URLs, Office attachments, and password-protected files.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware.

U.S. Government reporting has identified the top 10 most exploited vulnerabilities... malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology... the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. | Malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2012-0158, CVE-2018-4878, CVE-2017-8759, and CVE-2015-1641. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. | U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology.

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

Where there is a message body, the body may specifically state that the contents of the e-mail underwent virus scanning or simply directs the victim toward the link or attachment.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges...

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

The primary threat to financial activity is the Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The primary threat to financial activity is the Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.

Modules include provisions for capturing screenshots... Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks

The primary threat to financial activity is the Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.

Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.

The P2P communication aspects of Dridex improve its concealment and redundancy... Dridex modules package, encrypt, and transmit captured information... via peer-to-peer (P2P) networks

Loader feature: It can load a 2nd stage attack as EXE or DLL

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as seen in newer versions.

Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files.

Insurance company CNA Financial reportedly paid its attackers $40 million following a ransomware attack disclosed in March.