A new version of the Dridex banking malware has been detected. It is currently targeting European banks and is expected to be used against U.S. financial institutions in the coming months. Dridex 4 incorporates the usual range of software improvements we have come to expect from this professionally maintained malware. It is also notable as the first major malware family to adopt the new code injection technique called ‘AtomBombing’.
AtomBombing was described by researchers at enSilo in October 2016. It is so named because it relies on Windows atom tables: readable and writable stores of data that can be shared by multiple applications. Malicious code can be written into an atom table, then retrieved and injected into executable memory space.
The process does not require any exploit against Windows, since it simply makes use of a feature Windows provides. It is a new code injection technique that is likely to bypass existing AV and NGAV detections.
Dridex 4 was found by IBM X-Force in early February. It does not implement AtomBombing exactly as described by enSilo. “In our analysis of the new Dridex v4 release,” says IBM, “we found that the authors of this malware have devised their own injection method, using the first step of the AtomBombing technique. They have used the atom tables and NtQueueAPCThread to copy a payload and an import table into RW memory space in the target process. But they only went halfway – they used the AtomBombing technique for writing the final payload, then used a completely different method to achieve the execution permissions, and for the execution itself.”
Since enSilo’s original description of the technique, defenders have been developing means to detect it. Dridex 4 aims to bypass those detections by using a modified version of AtomBombing.
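The two observable steps the article attributes to Dridex 4 (writes into the atom table, followed by NtQueueAPCThread into another process) can be correlated from an API-call trace. The following is an added example written for this page; it is not code from the article, IBM X-Force or enSilo, and it does not reproduce the injection itself. The trace format (one line per call: milliseconds, caller PID, API name, key=value arguments) is constructed for the example, as are the sample lines, the 500 ms correlation window and the minimum write count. The API names are real Windows functions, but how a given sensor records them will differ.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed API-call trace, one event per line: "<ms> <pid> <api> key=value ...".
# These lines are made up for the example; they are not a real Dridex capture.
# PID 4312 writes to the atom table, then queues APCs into PID 2200.
# PID 5000 uses the atom table for its own purposes and never queues an APC.
# PID 6100 queues an APC into one of its own threads, which is routine.
SAMPLE_TRACE = """\
1000 4312 GlobalAddAtomW atom=0xC012 len=255
1003 4312 GlobalAddAtomW atom=0xC013 len=255
1007 4312 GlobalAddAtomW atom=0xC014 len=255
1015 4312 NtQueueApcThread target_pid=2200 target_tid=2240
1016 4312 NtQueueApcThread target_pid=2200 target_tid=2240
1100 5000 GlobalAddAtomW atom=0xC020 len=12
1105 5000 GlobalGetAtomNameW atom=0xC020
1200 6100 NtQueueApcThread target_pid=6100 target_tid=6120
"""

# Calls that place caller-controlled data into an atom table.
ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW", "AddAtomA", "AddAtomW", "NtAddAtom"}
# Calls that queue an APC; only cross-process use is of interest here.
APC_APIS = {"NtQueueApcThread", "QueueUserAPC"}

EVENT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\w+)\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    source_pid: int   # process that wrote atoms and then queued the APC
    target_pid: int   # process that received the APC
    atom_writes: int  # atom-table writes seen inside the window
    first_ms: int     # timestamp of the earliest correlated atom write
    apc_ms: int       # timestamp of the first cross-process APC


def parse_event(line):
    """Parse one constructed trace line into (ms, pid, api, args) or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, pid, api, rest = m.groups()
    args = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return int(ts), int(pid), api, args


def detect_atom_apc_injection(lines, window_ms=500, min_atom_writes=1):
    """Flag a process that writes to the atom table and then, within window_ms,
    queues an APC into a different process. One finding per (source, target) pair."""
    recent_writes = defaultdict(list)  # pid -> timestamps of its atom-table writes
    reported = set()
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, pid, api, args = ev
        if api in ATOM_WRITE_APIS:
            recent_writes[pid].append(ts)
        elif api in APC_APIS:
            target = int(args.get("target_pid", pid))
            if target == pid or (pid, target) in reported:
                continue
            writes = [t for t in recent_writes[pid] if 0 <= ts - t <= window_ms]
            if len(writes) >= min_atom_writes:
                reported.add((pid, target))
                findings.append(Finding(pid, target, len(writes), min(writes), ts))
    return findings


if __name__ == "__main__":
    for f in detect_atom_apc_injection(SAMPLE_TRACE.splitlines()):
        print(f"pid {f.source_pid} wrote {f.atom_writes} atom(s) from t={f.first_ms}ms "
              f"then queued APC into pid {f.target_pid} at t={f.apc_ms}ms")
```

The correlation is deliberately narrow: atom-table use on its own is legitimate, and APCs queued into the caller's own threads are common, so only the combination of atom writes followed by a cross-process APC from the same caller is reported. Because Dridex 4 is said to use a different method for the execution stage, a detection keyed on the later AtomBombing steps would miss it; this one keys on the first step, which the article says was retained.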
Image Credit: Hackread