Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection 2017
Security researchers have discovered a new variant of Dridex – one of the most nefarious banking Trojans actively targeting the financial sector – with a new, sophisticated code injection technique and evasive capabilities called "AtomBombing."
On Tuesday, Magal Baz, security researcher at Trusteer IBM disclosed new research, exposing the new Dridex version 4, which is the latest version of the infamous financial Trojan and its new capabilities.
Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data.
However, by including AtomBombing capabilities, Dridex becomes the first known malware sample to use such a sophisticated code injection technique to evade detection.
What is "AtomBombing" Technique?
The code injection techniques used by previous versions of the Dridex Trojan have become too common and are easy for antivirus and other security solutions to spot.
AtomBombing, however, takes a different approach to code injection that does not rely on the easy-to-detect API calls used by older Dridex versions, so its use in the latest Dridex version makes the malware much harder for antivirus products to detect.
Initially disclosed in October by Tal Liberman of the security firm enSilo, AtomBombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft's Windows OS, even Windows 10, in a manner that no existing anti-malware tools can detect.
AtomBombing does not exploit any vulnerability but abuses the system-level Atom Tables, a feature of Windows that allows applications to store information on strings, objects, and other types of data to access on a regular basis.
An attacker can write malicious code into an atom table and trick legitimate applications into retrieving it from the table to execute malicious actions on nearly any Windows operating system released in the past 16 years.
Dridex Version 4 Discovered In the Wild:
According to IBM X-Force researchers, the Dridex banking Trojan recently underwent a major version upgrade, now supporting AtomBombing.
But the malware author only went halfway, which makes Dridex v4 different from other AtomBombing attacks — the attackers used "the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself."
"The flow differs from the one described in the AtomBombing technique. To get the payload into an executable memory space, Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into RWX," X-Force researchers said. Since using an APC call to the payload would have been very suspicious and could be detected and stopped, Dridex v4 uses "the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload."
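The two-step flow described above (payload written through the global atom table, then a cross-process NtProtectVirtualMemory call flipping that memory to RWX) is a detectable sequence. The following is an added example, not code from the article or from IBM: a small detection rule run over a constructed API-call trace whose line format is hypothetical, flagging a process that both writes atoms and changes another process's memory protection to PAGE_EXECUTE_READWRITE.

```python
"""Flag the Dridex v4 AtomBombing pattern in an API-call trace.

Signals, taken from the behaviour described in the article:
  1. a process writes data through the global atom table (GlobalAddAtom*),
  2. the SAME process calls NtProtectVirtualMemory on ANOTHER process,
     setting the region to PAGE_EXECUTE_READWRITE (RWX).
The trace format below is hypothetical and the sample lines are constructed.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40  # real Win32 memory-protection constant

# Constructed sample trace: pid=<caller> api=<name> target=<pid> prot=<hex>
SAMPLE_TRACE = """\
pid=4012 api=GlobalAddAtomW target=4012 prot=0x0
pid=4012 api=GlobalAddAtomW target=4012 prot=0x0
pid=4012 api=NtProtectVirtualMemory target=1337 prot=0x40
pid=5120 api=NtProtectVirtualMemory target=5120 prot=0x40
pid=2201 api=GlobalAddAtomW target=2201 prot=0x0
pid=2201 api=NtProtectVirtualMemory target=2201 prot=0x04
"""

LINE_RE = re.compile(r"pid=(\d+) api=(\w+) target=(\d+) prot=(0x[0-9a-fA-F]+)")


def parse_trace(text):
    """Parse trace lines into (caller_pid, api, target_pid, protection) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, api, target, prot = m.groups()
            events.append((int(pid), api, int(target), int(prot, 16)))
    return events


def find_atombombing_candidates(text):
    """Return one finding per cross-process RWX change made by an atom-writing process."""
    events = parse_trace(text)
    atom_writers = {pid for pid, api, _, _ in events if api.startswith("GlobalAddAtom")}
    findings = []
    for pid, api, target, prot in events:
        # Mask off modifier flags (PAGE_GUARD etc.) before comparing the base protection.
        is_rwx = (prot & 0xFF) == PAGE_EXECUTE_READWRITE
        if api == "NtProtectVirtualMemory" and target != pid and is_rwx and pid in atom_writers:
            findings.append({"injector": pid, "victim": target})
    return findings


if __name__ == "__main__":
    print(find_atombombing_candidates(SAMPLE_TRACE))  # [{'injector': 4012, 'victim': 1337}]
```

Self-protection to RWX (pid 5120) and an atom writer that never touches another process (pid 2201) are deliberately left unflagged to keep the rule low-noise; a production detector would also watch for patches to GlobalGetAtomA in the target process.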
Researchers said the new Dridex v4 is already in use in active campaigns against European banks, and it's only a matter of time before hackers begin targeting American financial institutions as well.
Antivirus and other security vendors can now update their products to detect and block Dridex v4 attacks, since IBM's findings are publicly available.
For a more detailed explanation and the technical details of the latest version of the Dridex Trojan, you can head over to IBM's blog post.