Dridex

Category: banking_trojan · Aliases: Dridex, Bugat v5, Cridex · Sample count (EMBER 2018): 59 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Dridex is a prolific banking trojan that, per MITRE ATT&CK, first appeared in 2014. By December 2019 the US Treasury estimated Dridex had infected computers across hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex). It is distributed mainly through malicious email attachments, and its operators have also been linked to delivering ransomware.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1185 T1056.004 T1055.012 T1021.002 T1071.001 T1547.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_DRIDEX {
    meta:
        description = "Detects Dridex (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "dridex" ascii wide nocase
        $s2 = "dridex" ascii wide nocase
        $s3 = "bugat v5" ascii wide nocase
        $s4 = "cridex" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Dridex Activity
id: b38ef686caf0103866339452d3d1c4fb
status: experimental
description: Detects generic indicators of the dridex malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*dridex*"
            - "*dridex*"
            - "*bugat v5*"
            - "*cridex*"
    condition: selection
level: medium

References & External Analysis

Authoritative Advisory

CISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2019/12/13/dridex-malware

Frequently Asked Questions

What is Dridex?

A prolific banking trojan, first seen in 2014, that steals banking credentials and financial information.

How much damage has Dridex caused?

By December 2019 the US Treasury estimated infections across hundreds of financial institutions in over 40 countries and more than $100 million in theft.

Where did Dridex come from?

It was built from the source code of the earlier Bugat banking trojan, also known as Cridex.

How is Dridex delivered?

Most often through phishing emails carrying malicious Office documents with macros.

Is Dridex linked to ransomware?

Its operators have been associated with delivering ransomware as a follow-on payload in some campaigns.

How can I reduce exposure to Dridex?

Disable macros from untrusted documents, be cautious with email attachments, use multi-factor authentication on financial accounts, and keep systems patched.

Where is the authoritative reference?

MITRE ATT&CK's Dridex entry (S0384), linked on this page.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/dridex.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.