Dridex

First seen in 2011, Dridex has had a longer evolutionary journey than most malware families and has survived through the years by hiding its main command-and-control (C&C) servers behind layers of proxies. Dridex first appeared in September 2011 under the name Cridex. It targeted banks and their customers until June 2014, when Dridex version 1.1 appeared in the wild. Dridex emerged almost exactly one month after Operation Tovar's takedown of the Gameover ZeuS botnet, which also marked the end of Cridex attacks. Dridex and Gameover ZeuS share many similarities in their code, and attribution for Dridex [47] points to a Russian-speaking gang that may be a spinoff from the "Business Club," the organized cybercrime group that developed the Gameover ZeuS botnet.

A number of arrests were made in September 2015, but they did little to stop Dridex. In February 2016, F5 Labs published reports on the Dridex Botnet 220 campaign noting the evolution of the malware, and in April 2016 reported that Dridex had shifted focus from UK banks to US banks. In December 2018, researchers found connections between Dridex, Emotet, and Ursnif/Gozi malware [48]. It continues to evolve technically and remains an active threat.