Dridex: First banking Trojan with AtomBombing to better evade detection

Oh goody, Dridex v4 includes an AtomBombing technique upgrade so the malware is even better at evading detection.

malware threat hack hacked bug cyberthreat
Credit: Thinkstock

The Dridex Trojan, one of the most destructive banking Trojans, has been upgraded with a new injection method so the malware is even better at evading detection.

The newest version of Dridex, v4, is now the first banking Trojan to take advantage of AtomBombing, according to report by IBM X-Force. Unlike some of the more common code injection techniques, AtomBombing is meant to evade security solutions. Once one organized cybercrime gang successfully pulls off a slick trick, other cyber thugs are expected to adopt the method.

“In this release,” the researchers wrote, “we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities.”

When AtomBombing was first spotted by enSilo in October, the security firm warned that attackers were using Windows’ atom tables; the code injection technique affected all versions of Windows. The company wrote, “Attackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.”

The newest version of Dridex doesn’t rely entirely on AtomBombing and only uses a part of the exploit. IBM X-Force researchers explained that in Dridex v4, the malware authors “used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.”

The upgraded malware uses Windows’ atom table to load malicious code into the read-write-execute (RWX) memory, but avoids suspicious calls to Windows API functions to avoid AtomBombing detection. The changes in the code injection method “allow Dridex to propagate in the infected endpoint with minimal calls to marked API functions.”

The addition of AtomBombing to Dridex was not the only change. The naming algorithm was modified to better prevent detection and the malware’s “invisible” persistence mechanism was abandoned in favor of a DLL-hijacking technique. The malware authors also “significantly upgraded the cryptographic protection for the configuration.” Better encryption means attackers will be able to better protect details about attacks and targeted bank URLs that are in the configuration.

“It is not surprising to see a new major version released from this gang’s developers,” X-Force wrote. “The release of a major version upgrade is a big deal for any software, and the same goes for malware. The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud.”

In UK, but coming to US bank near you soon?

Right now, Dridex v4 is being used in campaigns which target UK banks; at some point, it is highly likely that US banks will also end up being targeted.

IBM X-Force concluded:

The adoption of a new injection technique shortly after its discovery demonstrates Dridex’s efforts to keep up with the times and the evolution of security controls. Although they relied on a publicized method, Dridex’s developers created their own version of it, a choice that is consistent with their usual preference to write proprietary code schemes for Dridex, as they did for its binary configuration format, for example.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Fix Windows 10 problems with these free Microsoft tools
Shop Tech Products at Amazon