New Dridex malware strain evades traditional antivirus software

New Dridex malware strain evades traditional antivirus software

Malware authors behind the Dridex banking Trojan have been busy with constantly updating their software with new capabilities and attack vectors. In the past month security researchers have spotted two new strains of malware - one of them is capable of bypassing mitigation of application whitelisting techniques by disabling or blocking Windows Script Host, while the second variant uses new obfuscation method that allows it to slip by anti-virus detection.

Dridex is a well-known Trojan which specializes in the theft of online banking credentials. Dridex first appeared as Cridex in 2011 and since then has undergone a series of transformations, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.

Recently, researchers at eSentire detected fishing emails that distributed a new Dridex strain that uses file signatures that are harder to detect allowing the malware to evade detection when on infected systems.

“At the time of discovery, using data from VirusTotal, only six antivirus solutions of about 60 detected suspicious behavior,” said the researchers adding that by June 27, the number of active detections has increased to 16 out of 60.

The malware is being delivered to victims via fishing document with embedded macros. Once it downloaded on the system Dridex starts searching for banking information. One of the most notable changes in the new variant is the use of technique aimed at avoiding detection by installed on the system anti-virus solutions.

Anti-virus software mainly rely on file signatures (MD5 or SHA256 hashes) to detect malicious files. Dridex leverages newly created and signed 64-bit dynamic link libraries (DLLs), which have different file signatures from previous versions that have been detected by anti-virus software in the past.

“These DLLs are side loaded via legitimate MS Windows binaries, making them appear to be part of a legitimate software product, and thus more difficult to detect,” explained the researchers.

Indicators of Compromise (IOCs) can be found in the company blog here.

Back to the list

Latest Posts

ConnectWise rotates digital certificates due to security risks

ConnectWise rotates digital certificates due to security risks

The company said that this is a preventive action and not related to any recent security incident.
11 June 2025
Major police crackdown takes down 20K malicious IPs and domains linked to info-stealers

Major police crackdown takes down 20K malicious IPs and domains linked to info-stealers

Dubbed ‘Operation Secure’, the effort ran from January to April 2025 and targeted cybercriminal infrastructure worldwide.
11 June 2025
DanaBot malware dismantled after major flaw exposed operation

DanaBot malware dismantled after major flaw exposed operation

The vulnerability, dubbed ‘DanaBleed,’ stemmed from a memory leak in the malware's updated command-and-control protocol.
11 June 2025
Popular Posts
Featured vulnerabilities
Multiple vulnerabilities in Qlik Sense Enterprise for Windows
High Patched | 11 Jun, 2025
Authentication bypass in Qlik Alerting server
High Patched | 11 Jun, 2025
Stored cross-site scripting in BNS Featured Category plugin for WordPress
Low Not Patched | 11 Jun, 2025
Incorrect default permissions in Siemens Energy Services using Elspec G5DFR
High Not Patched | 11 Jun, 2025
Cleartext storage of sensitive information in Simple History plugin for WordPress
Low Patched | 11 Jun, 2025