Reverse Engineering Dridex


Community Feature - @cPeterr

Curated Intelligence member Chuong Duong has recently shared his findings in a blog after reverse engineering one of the most infamous malware families: the Dridex Trojan. The blog focuses on the anti-analysis technique leveraged by the Dridex developers (known as EvilCorp or IndrikSpider) to obfuscate Windows API calls using string hashing and Vectored Exception Handling.

https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/
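The string-hashing side of the obfuscation described above means a disassembly shows 32-bit constants where API names would normally be. An analyst's usual counter is to hash every export name of the relevant DLLs with the same algorithm and map the constants back to names. The following Python sketch is an added, constructed illustration of that workflow; it is not code from the 0ffset write-up, and the hash it uses (32-bit FNV-1a) is a stand-in chosen for demonstration, not Dridex's algorithm, which this feature does not spell out. The export list is likewise constructed.

```python
"""Analyst-side helper: rebuild a lookup table for hashed Windows API names.

Constructed example. The hash below (32-bit FNV-1a) is a placeholder
algorithm, NOT the one Dridex uses; in practice the algorithm is recovered
from the sample and substituted here.
"""
from typing import Dict, Iterable, List, Optional

FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def api_hash(name: str) -> int:
    """Stand-in string hash: 32-bit FNV-1a over the ASCII bytes of the name."""
    h = FNV_OFFSET
    for b in name.encode("ascii"):
        h ^= b
        h = (h * FNV_PRIME) & 0xFFFFFFFF
    return h


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Hash every candidate export name; refuse to silently merge collisions."""
    table: Dict[int, str] = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve(value: int, table: Dict[int, str]) -> Optional[str]:
    """Map one constant pulled from a disassembly back to an API name."""
    return table.get(value & 0xFFFFFFFF)


def resolve_all(values: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    return [resolve(v, table) for v in values]


# Constructed export list; a real run would walk the export tables of
# kernel32.dll, ntdll.dll and friends to populate this.
SAMPLE_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "CreateFileW",
    "WriteProcessMemory",
]

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed: pretend these constants were lifted from the disassembly.
    seen = [api_hash("VirtualAlloc"), api_hash("GetProcAddress"), 0xDEADBEEF]
    for value, name in zip(seen, resolve_all(seen, table)):
        print(f"0x{value:08x} -> {name or '<unknown>'}")
```

Unresolved constants (the `<unknown>` case) usually mean the export list is incomplete or the recovered hash algorithm is slightly off, for example a missing trailing NUL byte or a different rotation; comparing a handful of known pairs is the quickest way to confirm the algorithm before hashing entire DLLs.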

Dridex persists as one of the most prolific malware families, often distributed in macro-enabled Microsoft Office documents via the Cutwail spam botnet. The malware began life as a banking Trojan but has since evolved into an initial access broker for two ransomware gangs: DoppelSpider (the operators of Grief and DoppelPaymer), who use a variant called DoppelDridex, and IndrikSpider (the operators of BitPaymer and various WastedLocker variants), who use Dridex alongside other malware such as the SocGholish JS framework.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!