Dridex v4, the dreaded malware has been improved with AtomBombing technique

Pierluigi Paganini March 01, 2017

Malware author are using Dridex v4 in the wild, an improved version of the Trojan that includes a new injection method known as AtomBombing.

According to researchers with IBM X-Force, vxers have improved the Dridex banking Trojan adding a new injection method for evading detection, the technique is known as AtomBombing.

The researchers have spotted a new sample of the threat, so called Dridex v4, earlier this month. The malware was used in campaigns against banks in UK and experts believe it will be used to target financial institution worldwide very soon.

“IBM X-Force discovered that Dridex, one of the most nefarious banking Trojans active in the financial cybercrime arena, recently underwent a major version upgrade that is already active in online banking attacks in Europe.” reads the analysis published by IBM.

“In this release, we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities. The changes to Dridex’s code injection method are among the most significant enhancements in v4. They allow Dridex to propagate in the infected endpoint with minimal calls to marked API functions.” 

The Dridex v4 maintained the capabilities observed in a previous release, it is a malware focused on banking activities, it monitors the victim’s online banking operations and steals login and account information.

The code injection method was significantly improved because previous versions have become too easy to detect due to the use of well known API calls, that’s why the authors leverage AtomBombing in a new version of Dridex.

The AtomBombing is not a novelty in the threat landscape, in October, security experts from security firm ENSILO have devised the method to inject malicious code in Windows operating system that could not be detected by modern anti-malware tools.

The Atom Tables are data structures used by the operating system to store strings with an identifier to access them, they could have a global or local scope.

“AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”

“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.” reads a description published by Microsoft on the Atom Tables.

“The system provides a number of atom tables. Each atom table serves a different purpose. For example, Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications.”

The attackers can then write malicious code into an atom table and force a legitimate application to retrieve it from the table. Once the code is retrieved by the legitimate application, it is possible to manipulate it triggering the execution of the malicious code.

Back to Dridex v4, the authors leverage on the AtomBombing technique to hide the malicious payload in the Atom Tables.

“In our analysis of the new Dridex v4 release, we discovered that the malware’s authors have devised their own injection method, using the first step of the AtomBombing technique. They use the atom tables and NtQueueAPCThread to copy a payload and an import table into a RW memory space in the target process. But they only went halfway — they used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.” reads the analysis shared by IBM.

This implementation of the AtomBombing technique is unique for banking malware coding, and it isn’t the only one for Dridex v4.

Other improvements include the enhancement to the encryption for its configuration, a modified naming algorithm, and an updated mechanism to gain persistence on the infected machine.

The evolution of the Dridex Trojan continues, last time we read about this threat was in January when researchers at Flashpoint discovered a new variant leveraging a new tactic to bypass the UAC (User Account Control).

Stay tuned …

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Dridex v4,  banking trojan)

you might also like

leave a comment