Built to collect victims' banking credentials, Dridex is now one of the most dangerous pieces of financial malware in circulation, according to a new Symantec whitepaper.
Since 2014, spam email campaigns have been Dridex's almost exclusive distribution method, the Mountain View, Calif.-based cybersecurity firm said in the whitepaper. "These email campaigns are notable for their massive scale, frequency, and professionalism," it read. "The attackers behind Dridex regularly send millions of spam emails in the course of one day."
The number of Dridex infections detected by Symantec rose during 2015. Between January and April, there were fewer than 2,000 infections per month. Infection numbers spiked considerably in the following months, hitting almost 16,000 in June before dropping and stabilizing at a rate of 3,000 to 5,000 per month in the final quarter. Symantec observed at least 145 Dridex spam campaigns during one sample 10-week period.
"Tidal waves of spam are fueling the growth of the Dridex Trojan, which has emerged as one of the most dangerous financial threats over the past year," Dick O'Brien, senior information developer for Symantec, wrote in a blog. "The sheer size of the spam campaigns spreading Dridex (detected by Symantec as W32.Cridex) can sometimes overwhelm organizations hit by them."
Symantec's analysis of recent Dridex spam campaigns discovered disciplined, professional attackers that send out millions of new emails daily. They operate during a standard work week, continually refining the malware, and put significant effort into disguising their spam campaigns as legitimate emails.
Almost three quarters (74%) of Dridex spam campaigns used real company names in the sender address and frequently in the email text. The vast majority of spam campaigns hit inboxes disguised as legitimate financial emails, such as emails delivering invoices, receipts and orders.
Dridex's main objective is to steal banking credentials. The malware's configuration targets the customers of nearly 300 different organizations in more than 40 regions. It mainly focuses on customers of financial institutions in wealthy, English-speaking countries, but the attackers also prioritize other European nations, along with a range of Asia-Pacific regions.
The level of activity surrounding Dridex indicated that a large cybercrime group is behind the malware. The U.S. Department of Justice has said that the botnet is "run by criminals in Moldova and elsewhere."
In October 2015, an international law enforcement operation charged one man and, in a coordinated takedown effort, sinkholed thousands of compromised computers, cutting them off from the botnet's command-and-control infrastructure. This appears to have been only a partial success: Dridex continues to propagate, indicating that many key elements of the operation are still functioning. The group is likely to continue to pose a serious threat during 2016.
Symantec offered the following tips for businesses and consumers:
- Always keep security software up to date to protect against any new variants of this malware.
- Keep your operating system and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities.
- Exercise caution when conducting online banking sessions, in particular if the behavior or appearance of the financial institution's website changes.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises individuals to enable macros to view its content. Unless you are sure that it is a genuine email from a trusted source, do not enable macros and immediately delete the email.
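The last tip is the one a mail gateway or incident responder can act on mechanically: an Office attachment that carries a VBA project is the delivery mechanism the article describes, whatever its extension or its "enable macros to view" lure says. The script below is an added example and is not code from Symantec's whitepaper or from any Dridex sample; it inspects OOXML attachments (.docm/.docx/.xlsm and friends, which are ZIP packages) for a vbaProject.bin part and for macro-enabled content types. The two sample attachments are constructed in memory so the check runs offline; legacy OLE2 .doc/.xls files need a compound-file parser (oletools' olevba, for instance) and are only reported as "not OOXML" here.

```python
import io
import re
import zipfile

# Content-type markers that only appear in macro-enabled OOXML packages.
MACRO_CT = re.compile(r"macroEnabled|vnd\.ms-office\.vbaProject", re.IGNORECASE)


def scan_attachment(data: bytes) -> dict:
    """Inspect the raw bytes of an email attachment for VBA macro evidence.

    Returns a dict with:
      is_ooxml            - True if the bytes are a ZIP package with [Content_Types].xml
      vba_parts           - zip entries named vbaProject.bin (the compiled VBA container)
      macro_content_type  - True if [Content_Types].xml declares macro-enabled parts
      flag                - True if either indicator is present
    The file extension is deliberately ignored: attackers rename files freely.
    """
    result = {"is_ooxml": False, "vba_parts": [], "macro_content_type": False, "flag": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not a ZIP: either a legacy OLE2 document (needs a CFB parser) or not Office at all.
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an OOXML package
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = bool(MACRO_CT.search(content_types))
    result["flag"] = bool(result["vba_parts"] or result["macro_content_type"])
    return result


def build_ooxml(main_part_ct: str, with_vba: bool) -> bytes:
    """Build a minimal, constructed Word package in memory (a stand-in, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_part_ct}"/>']
        if with_vba:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Real vbaProject.bin is an OLE2 stream; only the magic bytes are reproduced here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples: a macro-enabled "invoice" and a clean document.
SAMPLE_DOCM = build_ooxml("application/vnd.ms-word.document.macroEnabled.main+xml", True)
SAMPLE_DOCX = build_ooxml(
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", False)
SAMPLE_NOT_OFFICE = b"%PDF-1.4 not an office file"


if __name__ == "__main__":
    for label, blob in (("invoice_0815.docm", SAMPLE_DOCM),
                        ("receipt.docx", SAMPLE_DOCX),
                        ("statement.pdf", SAMPLE_NOT_OFFICE)):
        verdict = scan_attachment(blob)
        print(f"{label}: {'QUARANTINE' if verdict['flag'] else 'pass'} {verdict}")
```

The check keys on package contents rather than on the extension or the MIME type the sender chose, because both are attacker-controlled; a hit on either indicator is enough to hold the message for review, and a hit on only one of the two (vbaProject.bin present but no macro-enabled content type, or the reverse) is itself suspicious, since genuine Office output sets both together.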
© 2025 ALM Global, LLC, All Rights Reserved.