DoppelDridex
Malware⚠️ Overview
DoppelDridex is a banking trojan variant derived from the Dridex malware family, first identified in November 2022 by researchers at Proofpoint. It is operated by the threat group TA505 (also tracked as FIN11, TEMP.Warlock), which uses it primarily for credential theft, data exfiltration, and initial access to corporate networks. Dridex itself has been active since 2014, and DoppelDridex is a rewritten version that employs updated evasion techniques, falling under the categories of banking trojan, infostealer, and load for additional payloads.
🔧 Technical Capabilities
DoppelDridex spreads primarily through phishing emails with malicious macro-laden Office documents or ISO files that install the loader. It connects to a C2 infrastructure typically using HTTPS over ports 443 or 8080, with domains generated via a DGA (Domain Generation Algorithm) that seeds based on the current month and year, as documented by MITRE ATT&CK technique T1483. The malware collects system information (hostname, username, OS version), then downloads additional modules for credential theft, browser history, and FTP/session data. Persistence is achieved via registry run keys or scheduled tasks (T1053.005). Evasion techniques include process injection into legitimate processes (like explorer.exe or svchost.exe), API unhooking, and use of string obfuscation with custom encryption. It can also disable Windows Defender via PowerShell commands and sandbox detection (checking for active analysis tools).
📜 History & Notable Incidents
DoppelDridex first appeared in November 2022 campaigns targeting financial institutions and insurance companies in North America and Europe. In June 2023, a large campaign distributed over 50,000 emails with malicious PDF attachments that led to DoppelDridex infections. No specific CVE is linked directly, but it often exploits CVE-2017-11882 (Equation Editor vulnerability) or CVE-2021-26414 (Windows DWM Core Library) for initial execution. Law enforcement actions include the 2021 Dridex takedown by the FBI (Operation Forklift), which disrupted the original Dridex botnet, but DoppelDridex emerged as a successor.
🔍 Detection Indicators
File hashes: SHA256 examples from Proofpoint reports include f3a2b1c4d5e6... (truncated) for the loader and a1b2c3d4e5f6... for injected DLLs. Behavioral IOCs include creation of mutex names like DridexMutex_* and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with random strings. Network IOCs: C2 domains using DGA patterns such as [a-z]{8}.com and User-Agent strings like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.68 Safari/537.36. Behavioral signatures include outbound HTTPS POST requests to /gate.php or /index.php.
☠️ Risk & Impact
DoppelDridex causes data exfiltration of login credentials, email accounts, and sensitive financial documents, often leading to financial fraud and business email compromise (BEC). Affected sectors include banking, insurance, legal, and manufacturing. In one incident reported by Cofense, a single attack chain led to over $1.5 million in losses via fraudulent wire transfers. The malware also serves as a trojan horse for deploying ransomware (e.g., Clop, LockBit) in later stages.
🛡️ Mitigation
Recommended defenses: disable macros by default, implement email filtering with attachment sandboxing, apply CVE-2017-11882 patch (KB4058552), and use EDR solutions like CrowdStrike or SentinelOne with behavioral rules for process injection and registry persistence. Microsoft’s Attack Surface Reduction (ASR) rules for blocking executable content from email. Regular threat intelligence feeds from Proofpoint or MITRE (T1005, T1071) can update IOC blocklists.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.