Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2021.
Previously, XLM also allowed code execution without being subjected to the scrutiny of the Microsoft Antimalware Scan Interface (AMSI), which made it easier for Dridex and other malware to use XLM to evade defenses. As of March 2021, Microsoft has added AMSI coverage for Excel 4.0 macros, enabling vendors to acquire insight into runtime execution. Ultimately, if your organization doesn’t have a business use for executing macros in your environment, it’s better to disable them altogether.
Beyond the initial delivery, one of the most common techniques we observed Dridex using throughout the year was DLL search order hijacking of various legitimate Windows executables. The Dridex operators don’t stick to a single Windows executable when doing search order hijacking, necessitating multiple detection analytics to catch this behavior. We also observed Dridex persisting as a scheduled task. In fact, Dridex’s place in our top 10 threats is due in no small part to scheduled tasks left over from incomplete remediation efforts. This pattern emphasizes the importance of cleaning up persistence when responding to threats.
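The two behaviors described above, a legitimate Windows executable relocated so that it loads an attacker-supplied DLL, and a scheduled task that re-launches it, can be caught from endpoint telemetry without knowing in advance which executable the operators picked. The following Python is an added illustration written for this page, not Red Canary's own analytics or any Dridex sample; it runs three generic rules over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and then derives a remediation checklist of artifacts (binary, DLL, task name) so that persistence is not left behind. All log lines, paths, the host binary name `winapp.exe` and the task name are constructed placeholders, and the set of "trusted" directories is an assumption to be tuned per environment.

```python
import json
import re

# Directories from which Windows-native binaries and their DLLs are expected to load.
# Assumption for this example; extend with your own software deployment roots.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed Sysmon-style records (JSON lines). Paths, "winapp.exe" and the task
# name are placeholders for the example, not indicators from a real intrusion.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Cache\\winapp.exe", "Company": "Microsoft Corporation", "CommandLine": "winapp.exe"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Cache\\winapp.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Cache\\helper.dll", "Signed": "false", "Signature": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "Company": "Microsoft Corporation", "CommandLine": "schtasks /create /tn \"Cache Updater\" /tr \"C:\\Users\\alice\\AppData\\Roaming\\Cache\\winapp.exe\" /sc minute /mo 30"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "Company": "Microsoft Corporation", "CommandLine": "schtasks /create /tn \"Vendor Update\" /tr \"C:\\Program Files\\Vendor\\updater.exe\" /sc daily"}
{"EventID": 1, "Image": "C:\\Program Files\\Vendor\\app.exe", "Company": "Vendor Inc", "CommandLine": "app.exe"}
"""

# Matches /tn or /tr followed by a quoted or bare argument on a schtasks command line.
SCHTASKS_ARG = re.compile(r'/(tn|tr)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def normalize(path):
    """Lower-case a Windows path and strip quotes so prefix checks are reliable."""
    return path.strip('"').replace("/", "\\").lower()


def is_trusted_path(path):
    """True when the path sits under one of the trusted directory roots."""
    p = normalize(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def parse_schtasks(cmdline):
    """Return {'tn': ..., 'tr': ...} for a 'schtasks /create' command line, else None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.IGNORECASE):
        return None
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def load_events(log_text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def analyze(events):
    """Apply three detection rules and return a list of findings in event order."""
    findings = []
    relocated = set()  # normalized paths of Microsoft-signed binaries seen outside trusted dirs
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            # Rule 1: a Microsoft-signed binary executing from a user-writable location.
            if ev.get("Company") == "Microsoft Corporation" and not is_trusted_path(image):
                relocated.add(normalize(image))
                findings.append({"rule": "relocated-microsoft-binary", "severity": "high",
                                 "image": image, "artifacts": [image]})
            # Rule 3: scheduled task whose action points outside trusted directories.
            task = parse_schtasks(ev.get("CommandLine", ""))
            if task and task.get("tr") and not is_trusted_path(task["tr"]):
                findings.append({"rule": "scheduled-task-untrusted-target", "severity": "high",
                                 "image": image,
                                 "artifacts": ["task:" + task.get("tn", "?"), task["tr"]]})
        elif eid == 7:
            # Rule 2: unsigned DLL loaded from an untrusted directory; escalate when the
            # loading process is a binary already flagged by Rule 1 (side-loading pattern).
            loaded = ev.get("ImageLoaded", "")
            if ev.get("Signed", "").lower() != "true" and not is_trusted_path(loaded):
                sev = "high" if normalize(image) in relocated else "medium"
                findings.append({"rule": "unsigned-dll-from-untrusted-dir", "severity": sev,
                                 "image": image, "artifacts": [loaded]})
    return findings


def remediation_checklist(findings):
    """Unique, sorted list of artifacts (files and task names) to remove during response."""
    return sorted({a for f in findings for a in f["artifacts"]})


if __name__ == "__main__":
    results = analyze(load_events(SAMPLE_LOG))
    for f in results:
        print(f"[{f['severity']}] {f['rule']}: {f['image']}")
    print("Remediation checklist:")
    for item in remediation_checklist(results):
        print("  -", item)
```

Rule 2 on its own is noisy in environments with per-user software installs, which is why the example raises its severity only when the loading process was already flagged by Rule 1; the task name and target extracted by Rule 3 are what an incomplete cleanup typically leaves behind.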
While Dridex is a threat in and of itself, in 2020 we also observed multiple environments where Dridex led to the ransomware family DoppelPaymer—and we’ve observed the same pattern in early 2021. Similar to other “ransomware precursor” families in our top 10 such as TrickBot, Emotet, and Qbot, the threat of follow-on ransomware emphasizes the need for quick identification and remediation of Dridex in any environment. Given the long history of Dridex consistently evolving to combat modern-day security controls while maintaining the same means of payload delivery, the best way to protect your organization from Dridex is filtering emails at your mail gateways to prevent its delivery.