
Dridex Banking Trojan Now Uses AtomBombing to Avoid Detection


WALLONN7


Dridex v4 is already used in campaigns against UK banks


Dridex v4 is making a comeback with new capabilities that make it even harder to detect. 

Dridex Trojan, one of the most destructive banking Trojans to hit the Internet, has just been given an update with a new injection method that makes it even harder to detect, taking advantage of AtomBomb, IBM X-Force reports.

AtomBombing, unlike some other common injection techniques used in the wild, is meant to make evading security software a breeze.

"In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities," reads the new research.

This new Dridex version doesn't rely on AtomBombing entirely, using only a part of the exploit for its purpose. It seems that the malware authors used the AtomBombing technique for the writing of the payload, before switching to a different method to achieve execution permission, as well as for the execution itself.

More changes to Dridex

The addition of AtomBomb wasn't the only change to Dridex. In fact, developers also worked on a major upgrade to the way encryption is configured. The upgrade includes implementing a modified naming algorithm, a new persistence mechanism and a few additional enhancements.

This new update isn't necessarily surprising for researchers. "The release of a major version upgrade is a big deal for any software, and the same goes for malware. The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud," X-Force writes.

The new Dridex v4 is currently being used against British banks, and estimates indicate that the attacks may sometime soon move towards the United States.

AtomBombing was first spotted by enSilo back in October when the security firm warned that attackers were using Windows' atom tables, which made the code injection technique affect all versions of Windows. It works by using code injection to add malicious code into legitimate processes, which makes the malware harder for security products to detect.


Source


"This New Malware Will Soon Start “AtomBombing” U.S. Banks"


A new version of the Dridex banking malware has been detected; it is targeting European banks and is expected to be used against U.S. financial institutions in the coming months. Dridex 4 incorporates the usual range of software improvements that we have come to expect from this professionally maintained malware. It is also worth noting that it is the first major malware to adopt the new code injection technique called 'AtomBombing'.


AtomBombing was explained by researchers at enSilo back in October 2016. It is so named because its main use is of Windows' atom tables: readable/writable stores of data that can be used by multiple applications. Malicious code can also be written to atom tables, then retrieved and injected into an executable memory space.


The process described above does not require any exploit against Windows, since it simply makes use of a feature provided by Windows. Ultimately, it is just a new code injection technique that is likely to bypass existing AV and NGAV detections.


Dridex 4 was found by IBM X-Force in early February. It doesn't implement AtomBombing exactly as described by enSilo. "In our analysis of new Dridex v4 release," says IBM, "we found that the authors of this malware have devised their own injection method, by using the first step of the AtomBombing technique. They have used the atom tables and the NtQueueAPCThread to copy a payload and an import table into RW memory space in target process. But they only went halfway – they used AtomBombing technique for writing of the final payload, then used a completely different method to achieve the execution permissions, and for the execution itself."


Since enSilo’s original description of the technique, malware defenders will have been developing means to detect it. Dridex 4 hopes to bypass these current detections by using a modified method of AtomBombing.


