Evil Corp
Dridex, also known as Bugat and Cridex, is a type of malware that specializes in stealing bank credentials through a system that utilizes macros from Microsoft Word. It primarily targets Windows users who open malicious email attachments in Word or Excel, triggering macros that download Dridex and infect the system, exposing the user to banking theft. Dridex is designed to steal banking information from infected machines and immediately launch fraudulent transactions. It installs a keyboard logger and performs injection attacks to capture sensitive data.
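The classic Dridex delivery described above depends on a macro-enabled Office attachment reaching a user. As an added example (not part of the original article, and not code from any of the parties it names), the following Python shows a static triage check a mail gateway or responder can run on attachment bytes without opening the document: it distinguishes OOXML containers (.docx/.docm/.xlsm) from the legacy OLE2 binary format and, for OOXML, looks for the two pieces of evidence Office writes for a VBA project (the `vbaProject.bin` part and its content-type declaration). The sample documents are constructed in memory; the function and constant names are the example's own.

```python
"""Static triage of Office attachments for embedded VBA projects.

Added example, not part of the original article. Dridex's classic delivery
was a Word/Excel attachment whose macros fetched the payload; a gateway can
flag macro-enabled OOXML files by inspecting the zip container, without
executing anything.
"""
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.doc/.xls); those
# files carry macros in binary streams and need a dedicated OLE parser.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office assigns to the VBA project part of an OOXML document.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_office_attachment(data: bytes) -> dict:
    """Classify raw attachment bytes and return the evidence found."""
    result = {"container": "unknown", "vba_parts": [], "declares_vba": False}
    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        result["verdict"] = "legacy binary format: inspect OLE streams for VBA"
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "not an Office container"
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        result["verdict"] = "zip but not OOXML"
        return result
    result["container"] = "ooxml"
    # Evidence 1: the binary VBA project part itself.
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # Evidence 2: the content-type declaration Office writes for that part.
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declares_vba"] = VBA_CONTENT_TYPE in ctypes
    if result["vba_parts"] or result["declares_vba"]:
        result["verdict"] = "macro-enabled document: quarantine or sandbox before delivery"
    else:
        result["verdict"] = "no VBA project found"
    return result


def build_sample(macro_enabled: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test data)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if macro_enabled:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # Placeholder bytes stand in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder vba project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("invoice.docx", build_sample(False)),
                        ("invoice.docm", build_sample(True)),
                        ("legacy.doc", OLE2_MAGIC + b"\x00" * 64)):
        print(label, triage_office_attachment(blob))
```

This check only narrows the macro-delivery vector. As the History section notes, the 2017 campaign infected machines through a Word vulnerability without requiring macros at all, so a document with no VBA project is not thereby clean; the triage result is one signal to feed into sandboxing and user-level controls such as blocking macros in files from the internet.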


History

Dridex first appeared in 2012 as an evolution of the earlier Cridex and Bugat banking trojans. It incorporated elements of its predecessors' code but introduced a peer-to-peer (P2P) communication architecture to enhance concealment and redundancy. By 2015, it had become one of the most prevalent financial malware strains, particularly targeting banking credentials through email-based phishing campaigns and malicious macro-laden attachments. That year, theft attributed to Dridex was estimated at £20 million in the United Kingdom and $10 million in the United States, with attacks reported in more than 20 countries. In early September 2016, researchers observed the malware beginning to target cryptocurrency wallets. In 2017, Dridex was distributed through a widespread phishing campaign that exploited a Microsoft Word zero-day vulnerability. This method allowed infection without requiring users to enable macros and affected millions of users globally. Around the same time, newer versions of Dridex began exploiting a vulnerability in Microsoft Office and WordPad that allowed remote code execution. In December 2019, US authorities filed charges against two suspects believed to have created the Dridex malware, including the group's alleged leader. In 2022, IBM researchers found similarities between the Raspberry Robin worm and Dridex malware loaders. Their comparative analysis showed that both used similar string decoding algorithms, anti-analysis techniques, and payload decryption routines. IBM suggested that Evil Corp may be using Raspberry Robin infrastructure to carry out attacks.


Evil Corp

Evil Corp (also known as ''Dridex'' and ''INDRIK SPIDER''), the group behind the Dridex malware, is a Russian hacking group that has been active since 2009. Evil Corp operated with a hierarchical structure similar to traditional organized crime groups rather than typical cybercriminal networks. Its leader, Maksim Yakubets, ran the operation out of Moscow with the involvement of family members, including his father, brother, and cousins. The group invested heavily in laundering operations and maintained a tight-knit internal culture, regularly socializing and vacationing together. In 2019, the Federal Bureau of Investigation (FBI) named nine alleged members of the group, accusing them of extorting or stealing over $100,000,000 through hacks that affected 40 countries. That same year, the United States Department of the Treasury imposed sanctions on the group, and the Office of Foreign Assets Control (OFAC) banned individuals in the U.S. from engaging in transactions with them. People outside the US may be subject to secondary sanctions for facilitating significant transactions with the group. The US government also charged two members and offered a $5 million reward for information leading to their arrest. As a result of the 2019 US and UK sanctions, Evil Corp was forced to alter its tactics. Facing increased scrutiny and legal risk, members abandoned online accounts, restricted their movements, and ceased using Dridex malware. The group adopted alternative access tools like SocGholish and began deploying a rotating set of ransomware strains, including WastedLocker and Hades, to conceal their identity and continue operations. In November 2021, the ''BBC'' reported that two alleged leaders of Evil Corp were living openly in Russia. The following month, analysts at Emsisoft suggested that a ransomware attack initially attributed to REvil may have been the work of Evil Corp. In June 2022, cybersecurity firm Mandiant reported that Evil Corp had begun using off-the-shelf ransomware, such as LockBit, to disguise its identity and evade sanctions. Mandiant also linked the group to threat actor UNC2165. Between 2022 and 2024, Evil Corp diversified its tactics and began affiliating with other ransomware groups, including LockBit. The group continued its use of SocGholish as its primary initial access tool. The UK's National Crime Agency (NCA) identified Aleksandr Ryzhenkov, a senior figure in Evil Corp, as a LockBit affiliate involved in ransomware attacks. In February 2024, LockBit was disrupted by an international law enforcement operation led by the NCA, known as Operation Cronos. Some Evil Corp members remain active in Russia; in December 2022, Igor Turashev and his company placed third in a hackathon organized by the Wagner Group.


See also

* Botnet
* Conficker
* Gameover ZeuS
* Operation Tovar
* Timeline of computer viruses and worms
* Tiny Banker Trojan
* Torpig
* Zeus (malware)
* Zombie (computer science)

