Security researchers have discovered a new variant of Dridex, one of the most nefarious banking Trojans actively targeting the financial sector, which comes with a new, sophisticated code injection and evasion technique called “AtomBombing.”
On Tuesday, Magal Baz, a security researcher at IBM Trusteer, disclosed new research exposing Dridex version 4, the latest version of the infamous financial Trojan, and its new capabilities.
Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim’s traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data.
However, by adding AtomBombing capabilities, Dridex becomes the first malware sample ever seen to use such a sophisticated code injection technique to evade detection.
What is “AtomBombing” Technique?
Code injection techniques by previous versions of Dridex Trojan have become too common and easy to spot by antivirus and other security solutions.
But because AtomBombing takes a different approach to code injection, one that does not rely on the easy-to-detect API calls used by older Dridex versions, its use in the latest Dridex version makes the malware hard for antivirus products to detect.
Initially spotted in October by Tal Liberman of security firm enSilo, AtomBombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft’s Windows OS, Windows 10 included, in a manner that no existing anti-malware tools can detect.
AtomBombing does not exploit any vulnerability; instead, it abuses the system-level atom tables, a Windows feature that allows applications to store strings, objects, and other types of data that they need to access on a regular basis.
An attacker can write malicious code into an atom table and trick a legitimate application into retrieving it from the table, enabling malicious actions on nearly any Windows operating system released in the past 16 years.
Dridex Version 4 Discovered In the Wild
According to IBM X-Force researchers, the Dridex banking Trojan recently underwent a major version upgrade, now supporting AtomBombing.
But the malware author only went halfway, which makes Dridex v4 different from other AtomBombing attacks: the attackers used “the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.”
AtomBombing is a different approach to code injection that doesn’t rely on easy-to-spot API calls used by previous versions of Dridex.
The AtomBombing technique, first spotted in October 2016 by enSilo researchers, allows Dridex v4 to inject code sans the aforementioned API calls.
“The flow differs from the one described in the AtomBombing technique. To get the payload into an executable memory space, Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into RWX,” X-Force researchers said.
Since using an APC call to the payload itself would have been very suspicious and could be detected and stopped, Dridex v4 instead uses “the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload.”
“AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors.
“It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”
Atom tables are a function of the Windows operating system that allows applications to store and access temporary data and to share data between applications.
An attacker can write malicious code into an atom table and force a legitimate program to retrieve it from the table, the researchers explain.
What makes Dridex v4 different from other AtomBombing attacks is that the attackers only used “the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself,” according to Magal Baz and Or Safran, co-authors of the X-Force report.
Where Dridex v4 differs is at the tail end of the AtomBombing technique where “Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into the read/write/execute (memory).”
That sets Dridex up to use a Windows asynchronous procedure call (APC) to invoke GlobalGetAtomA, which executes the payload, X-Force said.
“The last stage is the execution of the payload. To avoid calling CreateRemoteThread, Dridex again uses APC.
Using an APC call to the payload itself would be very suspicious,” the researchers said. Instead, Dridex v4 uses “the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload.”
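The two execution flows quoted above, the classic AtomBombing chain (APC atom write, then NtSetContextThread into a ROP chain) and the Dridex v4 shortcut (APC atom write, then NtProtectVirtualMemory to RWX from the injecting process), share one tell a defender can key on: a cross-process APC whose routine reads an atom, followed by an attempt to make that memory executable. The detector below is an added example, not code from the IBM X-Force or enSilo reports; it assumes a hypothetical API-trace line format (`<pid> <tid> <api> key=value ...`) such as an EDR hook or ETW consumer might emit, and runs over constructed sample lines.

```python
import re
from collections import defaultdict
# Constructed, hypothetical trace format (not a real tool's output): <pid> <tid> <api> [key=value ...]
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<api>\w+)(?P<kv>(?:\s+\w+=\S+)*)\s*$")
# APC routines that copy atom contents into the target's memory (the write primitive both variants share)
ATOM_READ_ROUTINES = {"GlobalGetAtomNameA", "GlobalGetAtomNameW", "GlobalGetAtomA", "GlobalGetAtomW"}
RWX = {"PAGE_EXECUTE_READWRITE", "0x40"}

def parse_line(line):
    """Parse one trace line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    args = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"pid": int(m.group("pid")), "tid": int(m.group("tid")), "api": m.group("api"), "args": args}

def detect_atombombing(lines):
    """Return (injector_pid, target_pid, verdict) for each suspicious cross-process sequence:
    stage 1 is an APC atom read queued into another process; stage 2 is either
    NtSetContextThread (classic AtomBombing) or an RWX NtProtectVirtualMemory (Dridex v4)."""
    staged = defaultdict(set)  # (injector_pid, target_pid) -> stages seen so far
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        args, api = ev["args"], ev["api"]
        target = int(args.get("target_pid", ev["pid"]))
        if target == ev["pid"]:
            continue  # same-process APCs and protection changes are routine, ignore them
        key = (ev["pid"], target)
        if api == "NtQueueApcThread" and args.get("routine") in ATOM_READ_ROUTINES:
            staged[key].add("atom_apc_write")
        elif api == "NtSetContextThread" and "atom_apc_write" in staged[key]:
            findings.append((ev["pid"], target, "classic AtomBombing: APC atom write + NtSetContextThread"))
        elif api == "NtProtectVirtualMemory" and args.get("protect") in RWX and "atom_apc_write" in staged[key]:
            findings.append((ev["pid"], target, "Dridex v4 style: APC atom write + cross-process RWX"))
    return findings

# Constructed sample trace: one Dridex-v4-style sequence, one classic sequence, two benign look-alikes.
SAMPLE_TRACE = [
    "1000 1001 GlobalAddAtomW atom=0xC123",
    "1000 1001 NtQueueApcThread target_pid=2000 target_tid=2001 routine=GlobalGetAtomNameW",
    "1000 1001 NtProtectVirtualMemory target_pid=2000 protect=PAGE_EXECUTE_READWRITE",
    "3000 3001 NtQueueApcThread target_pid=4000 target_tid=4001 routine=GlobalGetAtomNameW",
    "3000 3001 NtSetContextThread target_pid=4000 target_tid=4001",
    "5000 5001 NtProtectVirtualMemory target_pid=6000 protect=PAGE_EXECUTE_READWRITE",  # no atom write first
    "7000 7001 NtQueueApcThread target_pid=7000 target_tid=7002 routine=GlobalGetAtomNameW",  # same process
]
```

The two benign lines show why the rule keys on the sequence rather than on any single call: a lone RWX protection change or a same-process atom read produces no finding.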
X-Force said this specific implementation of AtomBombing is a first of its kind in the context of banking Trojans and designed to cloak the malware’s activities.
Other enhancements to Dridex v4 include a modified naming algorithm, enhanced encryption for its configuration and an updated persistence mechanism.
“The changes to Dridex’s code injection method are among the most significant enhancements in v4,” wrote researchers. “The adoption of a new injection technique shortly after its discovery demonstrates Dridex’s efforts to keep up with the times and the evolution of security controls.”
Over the years, the cybercriminals behind the different versions of the Dridex Trojan have been extremely persistent. While campaigns have fluctuated in volume, innovation in the malware has been consistent.
In January, researchers at Flashpoint said they spotted a new variant of the Dridex Trojan with a technique that can bypass Windows User Account Control (UAC).
In 2015, an older version of Dridex started using a detection evasion technique called AutoClose, which involved phishing messages carrying macro-based attacks that did not execute until the malicious document was closed.
Researchers said Dridex v4 is already being used in active campaigns against European banks, and it is only a matter of time before the attackers begin targeting American financial institutions as well.
Antivirus and other security products can now be updated to track and block Dridex v4 attacks, since IBM’s findings are publicly available.
For a more detailed explanation and the technical workings of the latest Dridex version, head over to IBM’s blog post.