First posted on 02 March 2017.
There are no other names known for Dridex.
Security researchers at IBM have discovered a new version of the Dridex banking Trojan that takes advantage of a recently disclosed code injection technique called AtomBombing to infect systems.
The modified version of the malware is already being used in online banking attacks across Europe and poses a fresh threat to organizations because it is harder to detect than previous versions.
AtomBombing is a technique that security vendor enSilo demonstrated last October for injecting malicious code into the "atom tables" that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and execute malicious code in a legitimate process or application. Attackers have long used such code injection tactics to try to bypass security controls and carry out malicious activity without being detected.
What enSilo demonstrated was a method to sneak malicious code into Windows atom tables without being detected by the usual security mechanisms and then to get applications to retrieve and execute the code.
enSilo has stressed that its approach does not exploit any vulnerability in Windows and instead simply takes advantage of how the operating system functions. Since the technique does not rely on flawed or broken code, there is little that Microsoft can do to patch against it, the company has previously noted.
The new version of Dridex (Dridex v4) is the first malware that uses the AtomBombing process to try to infect systems. It uses atom tables to copy its payload and some other related data into the memory space of a target process. But then, in a departure from the rest of enSilo's approach, the new version of Dridex uses a different method to ensure it gets executed.
The code injection feature is one of several tweaks, including new encryption and persistence mechanisms, that the authors of Dridex have made available with the latest version of the malware. But it is the most important one because it gives Dridex a way to propagate in an infected system in a minimally observable manner, an alert on the new malware noted.
AtomBombing takes advantage of Microsoft Windows' built-in atom tables that allow specific API calls to inject code into the read-write memory space of a targeted process, he says. This is a legitimate part of the operating system performing as designed and cannot be patched against.
Last update 02 March 2017