SYMBOLCOMMON_NAMEaka. SYNONYMS

Evil Corp  (Back to overview)

aka: GOLD DRAKE

Evil Corp is an internaltional cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. Responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.


Associated Families
win.dridex

References
2021-09-15Palo Alto Networks Unit 42Anna Chung, Swetha Balla
@online{chung:20210915:phishing:15f054e, author = {Anna Chung and Swetha Balla}, title = {{Phishing Eager Travelers}}, date = {2021-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/travel-themed-phishing/}, language = {English}, urldate = {2021-09-19} } Phishing Eager Travelers
Dridex
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-19BlackberryBlackBerry Research & Intelligence Team
@online{team:20210819:blackberry:2eec433, author = {BlackBerry Research & Intelligence Team}, title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}}, date = {2021-08-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware}, language = {English}, urldate = {2021-08-23} } BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex
2021-07-30HPPatrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-02MalwareBookReportsmuzi
@online{muzi:20210702:skip:09c3cd8, author = {muzi}, title = {{Skip the Middleman: Dridex Document to Cobalt Strike}}, date = {2021-07-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cryptone-cobalt-strike/}, language = {English}, urldate = {2021-07-06} } Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, Kirk Sayre, dao ming si
@online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-08Intel 471Intel 471
@online{471:20210608:blurry:5b278e5, author = {Intel 471}, title = {{The blurry boundaries between nation-state actors and the cybercrime underground}}, date = {2021-06-08}, organization = {Intel 471}, url = {https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state}, language = {English}, urldate = {2021-06-16} } The blurry boundaries between nation-state actors and the cybercrime underground
Dridex Gameover P2P
2021-06-03YouTube (FIRST)Felipe Domingues, Gustavo Palazolo
@online{domingues:20210603:breaking:69967e5, author = {Felipe Domingues and Gustavo Palazolo}, title = {{Breaking Dridex Malware}}, date = {2021-06-03}, organization = {YouTube (FIRST)}, url = {https://www.youtube.com/watch?v=1VB15_HgUkg}, language = {English}, urldate = {2021-06-16} } Breaking Dridex Malware
Dridex
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-04-21SophosLabs UncutSean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-15Twitter (@felixw3000)Felix
@online{felix:20210415:dridexs:a39e123, author = {Felix}, title = {{Tweet on Dridex's evasion technique}}, date = {2021-04-15}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1382614469713530883?s=20}, language = {English}, urldate = {2021-05-25} } Tweet on Dridex's evasion technique
Dridex
2021-04-15ProofpointSelena Larson
@online{larson:20210415:threat:cdfef32, author = {Selena Larson}, title = {{Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes}}, date = {2021-04-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes}, language = {English}, urldate = {2021-08-23} } Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes
Dridex TrickBot
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-06LexfoLexfo
@online{lexfo:20210406:dridex:a3b6f4f, author = {Lexfo}, title = {{Dridex Loader Analysis}}, date = {2021-04-06}, organization = {Lexfo}, url = {https://blog.lexfo.fr/dridex-malware.html}, language = {English}, urldate = {2021-04-09} } Dridex Loader Analysis
Dridex
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29VMWare Carbon BlackJason Zhang, Oleg Boyarchuk, Giovanni Vigna
@online{zhang:20210329:dridex:7692f65, author = {Jason Zhang and Oleg Boyarchuk and Giovanni Vigna}, title = {{Dridex Reloaded: Analysis of a New Dridex Campaign}}, date = {2021-03-29}, organization = {VMWare Carbon Black}, url = {https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/}, language = {English}, urldate = {2021-04-09} } Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-11IBMDave McMillen, Limor Kessem
@online{mcmillen:20210311:dridex:1140b01, author = {Dave McMillen and Limor Kessem}, title = {{Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts}}, date = {2021-03-11}, organization = {IBM}, url = {https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/}, language = {English}, urldate = {2021-03-12} } Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-07Technical Blog of Ali AqeelAli Aqeel
@online{aqeel:20210207:dridex:871b7d0, author = {Ali Aqeel}, title = {{Dridex Malware Analysis}}, date = {2021-02-07}, organization = {Technical Blog of Ali Aqeel}, url = {https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/}, language = {English}, urldate = {2021-02-09} } Dridex Malware Analysis
Dridex
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2021-01-19HPPatrick Schläpfer
@online{schlpfer:20210119:dridex:a8b3da4, author = {Patrick Schläpfer}, title = {{Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs}}, date = {2021-01-19}, organization = {HP}, url = {https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/}, language = {English}, urldate = {2021-01-21} } Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs
Dridex
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-04Check PointCheck Point Research
@online{research:20210104:dridex:2741eba, author = {Check Point Research}, title = {{DRIDEX Stopping Serial Killer: Catching the Next Strike}}, date = {2021-01-04}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/}, language = {English}, urldate = {2021-01-05} } DRIDEX Stopping Serial Killer: Catching the Next Strike
Dridex
2021SecureworksSecureWorks
@online{secureworks:2021:threat:98f1049, author = {SecureWorks}, title = {{Threat Profile: GOLD HERON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18SophosSophos
@techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-10-29CERT-FRCERT-FR
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-15Department of JusticeDepartment of Justice
@online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-10-03WikipediaWikpedia
@online{wikpedia:20201003:wikipedia:70dbf1e, author = {Wikpedia}, title = {{Wikipedia Page: Maksim Yakubets}}, date = {2020-10-03}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Maksim_Yakubets}, language = {English}, urldate = {2020-11-02} } Wikipedia Page: Maksim Yakubets
Dridex Feodo Evil Corp
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-18AppGateGustavo Palazolo, Felipe Duarte
@online{palazolo:20200918:reverse:689e4cb, author = {Gustavo Palazolo and Felipe Duarte}, title = {{Reverse Engineering Dridex and Automating IOC Extraction}}, date = {2020-09-18}, organization = {AppGate}, url = {https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction}, language = {English}, urldate = {2020-09-25} } Reverse Engineering Dridex and Automating IOC Extraction
Dridex
2020-09-10SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } Recent Dridex activity
Dridex
2020-09-07Github (pan-unit42)Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-08-21Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } Wireshark Tutorial: Decrypting HTTPS Traffic
Dridex
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-08-03The DFIR Report
@online{report:20200803:dridex:165cf39, author = {The DFIR Report}, title = {{Dridex – From Word to Domain Dominance}}, date = {2020-08-03}, url = {https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/}, language = {English}, urldate = {2020-08-05} } Dridex – From Word to Domain Dominance
Dridex
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-06-26BBCBBC News
@online{news:20200626:russian:a1216ac, author = {BBC News}, title = {{Russian hacker group Evil Corp targets US workers at home}}, date = {2020-06-26}, organization = {BBC}, url = {https://www.bbc.com/news/world-us-canada-53195749}, language = {English}, urldate = {2020-11-02} } Russian hacker group Evil Corp targets US workers at home
WastedLocker Evil Corp
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-19ReaqtaReaqta
@online{reaqta:20200619:dridex:54f4dd5, author = {Reaqta}, title = {{Dridex: the secret in a PostMessage()}}, date = {2020-06-19}, organization = {Reaqta}, url = {https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/}, language = {English}, urldate = {2020-06-22} } Dridex: the secret in a PostMessage()
Dridex
2020-06-05VotiroVotiro’s Research Team
@online{team:20200605:anatomy:3047f6e, author = {Votiro’s Research Team}, title = {{Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19}}, date = {2020-06-05}, organization = {Votiro}, url = {https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/}, language = {English}, urldate = {2020-06-10} } Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex
2020-05-31Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20200531:wastedloader:c37b988, author = {Jason Reaves and Joshua Platt}, title = {{WastedLoader or DridexLoader?}}, date = {2020-05-31}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77}, language = {English}, urldate = {2021-06-09} } WastedLoader or DridexLoader?
Dridex WastedLocker
2020-05-27GAIS-CERTGAIS-CERT
@techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } Dridex Banking Trojan Technical Analysis Report
Dridex
2020-05-25CERT-FRCERT-FR
@techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } Le Code Malveillant Dridex: Origines et Usages
Dridex
2020-05-25CERT-FRCERT-FR
@online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } GOLD HERON
DoppelPaymer Dridex Empire Downloader
2019-12-19KrebsOnSecurityBrian Krebs
@online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2019-12-05U.S. Department of the TreasuryU.S. Department of the Treasury
@online{treasury:20191205:treasury:81d8c3e, author = {U.S. Department of the Treasury}, title = {{Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware}}, date = {2019-12-05}, organization = {U.S. Department of the Treasury}, url = {https://home.treasury.gov/news/press-releases/sm845}, language = {English}, urldate = {2021-04-06} } Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware
Dridex
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-07-12CrowdStrikeBrett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2020-04-25} } BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx
2019-05-14GovCERT.chGovCERT.ch
@online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } The Rise of Dridex and the Role of ESPs
Dridex
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-01-26ESET ResearchMichal Poslušný
@online{poslun:20180126:friedex:3c3f46b, author = {Michal Poslušný}, title = {{FriedEx: BitPaymer ransomware the work of Dridex authors}}, date = {2018-01-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/}, language = {English}, urldate = {2019-11-14} } FriedEx: BitPaymer ransomware the work of Dridex authors
Dridex FriedEx
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-08-01Panda SecurityPanda Security
@techreport{security:20170801:malware:e92cd36, author = {Panda Security}, title = {{Malware Report: Dridex Version 4}}, date = {2017-08-01}, institution = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf}, language = {English}, urldate = {2020-04-14} } Malware Report: Dridex Version 4
Dridex
2017-07-25Github (viql)Johannes Bader
@online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } Dridex Loot
Dridex
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-05-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20170515:evolution:d0e74ea, author = {Counter Threat Unit ResearchTeam}, title = {{Evolution of the GOLD EVERGREEN Threat Group}}, date = {2017-05-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group}, language = {English}, urldate = {2021-05-28} } Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN
2017-02-28Security IntelligenceMagal Baz, Or Safran
@online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } Dridex’s Cold War: Enter AtomBombing
Dridex
2017-01-26FlashpointFlashpoint
@online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } Dridex Banking Trojan Returns, Leverages New UAC Bypass Method
Dridex
2016-02-16SymantecDick O'Brien
@techreport{obrien:20160216:dridex:7abdc31, author = {Dick O'Brien}, title = {{Dridex: Tidal waves of spam pushing dangerous financial Trojan}}, date = {2016-02-16}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf}, language = {English}, urldate = {2020-01-08} } Dridex: Tidal waves of spam pushing dangerous financial Trojan
Dridex
2015-11-10CERT.PLCERT.PL
@online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } Talking to Dridex (part 0) – inside the dropper
Dridex
2015-10-26BluelivBlueliv
@techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre
2015-10-15BitSightAnubisLabs
@techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } Dridex: Chasing a botnet from the inside
Dridex
2015-10-13SecureworksBrett Stone-Gross
@online{stonegross:20151013:dridex:46d9a58, author = {Brett Stone-Gross}, title = {{Dridex (Bugat v5) Botnet Takeover Operation}}, date = {2015-10-13}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation}, language = {English}, urldate = {2020-01-08} } Dridex (Bugat v5) Botnet Takeover Operation
Dridex Evil Corp

Credits: MISP Project