article featured image


The Dridex malware is a banking trojan that was originally designed to steal victims’ online banking credentials but has since evolved into a loader that downloads various modules that can be used to perform various malicious actions, such as installing additional payloads, spreading to other devices, taking screenshots, and more.

Dridex infections have been related to ransomware attacks carried out by activities linked to the Evil Corp hacker gang.

What Happened?

Cryptolaemus, a cybersecurity research firm, has warned that the Log4j vulnerability is currently being used to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter.

According to Joseph Roosen, threat actors harness the Log4j RMI (Remote Method Invocation) exploit variant to force susceptible devices to load and execute a Java class from an attacker-controlled remote server.

As explained by BleepingComputer, when the Java class is launched, it will first try to download and launch an HTA file from multiple URLs, which will install the Dridex trojan. If the Windows instructions cannot be executed, it will assume the device is running Linux/Unix and will download and run a Python script to install Meterpreter.

The Java class on Windows will download and open an HTA file, resulting in the production of a VBS file in the C:ProgramData folder. This VBS program serves as Dridex’s principal downloader and has previously been seen in Dridex email campaigns.

When run, the VBS code will check several environment variables to see if the user is a member of a Windows domain. If the user is a domain member, the VBS code will download the Dridex DLL and run it with Rundll32.exe.


Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *