We see these two families of code hitting networks globally every day.  In the case of Dridex it’s a malware as a service model which explains why payloads are so diverse.  Email is the common vector of attack related to invoices and similar socially engineered messages.  In the past week I’ve seen attacks with a hostile DOC or SCR attachment and also links to a remote website like a dropbox location.

In the case of an attachment it is common for malicious macros to exist within the document to then download a hostile DLL and perform other actions.  This can be complicated, such as obtaining a base64 encoded TXT file which is further obfuscated internally, PNG Ip checker downloader, and so on.  Use of macros is likely done as an effort to avoid detection as files with exploit code are much more easily detected.

A good deep dive into two common eCrime related campaigns is now available at https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf.