HP Threat Research Blog Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs

January 19, 2021 Category: Threat Research By: Patrick Schläpfer Comments: 0

Introduction

The last three months of 2020 saw a sustained increase in malicious spam distributing Dridex malware. The number of Dridex samples isolated by HP Sure Click more than tripled in Q4 compared to Q3, representing a 239% increase. According to HP Sure Click telemetry, Dridex is currently the second most widely circulating crimeware family behind Emotet. Although Dridex originated in 2012 as a banking Trojan, since 2017 its operators have increasingly shifted their tactics to delivering ransomware.

Dridex’s distributors commonly propagate the malware using malicious Office documents (maldocs) that download