Dridex Trojan updated with AtomBombing evasion techniques

A major upgrade to the malware will potentially cause even more headaches for European banks.
Written by Charlie Osborne, Contributing Writer

The Dridex Trojan has received an upgrade which equips the malware with a new, sophisticated injection technique and evasive capabilities known as AtomBombing.

On Tuesday, IBM X-Force researchers published research exposing the latest version of Dridex and its new abilities.

The latest version of the financial Trojan, version four, was discovered several weeks ago. IBM says the inclusion of AtomBombing in the malware is the first known example of banking malware using this sophisticated injection technique.

IBM says the discovery is significant because other cybercriminals are likely to adapt their own Trojan code to become just as dangerous in the future, and banks must keep up with these evolving threats to ensure their customers are as safe as possible when using online systems.

Dridex is one of the most well-known Trojans to hit European financial institutions. The Trojan often infiltrates victim PCs through malicious macros embedded in Microsoft documents or through web injection attacks, and once a system is compromised, steals online banking credentials and financial data.

Dridex was first spotted in 2014 after spreading through a spam campaign in the United Kingdom.

AtomBombing, however, was first disclosed in October last year by security firm enSilo. Cyberattackers can take advantage of Windows' underlying atom tables, on all versions of the operating system, by forcing legitimate programs to retrieve malicious code written into an atom table.

The creators of Dridex have chosen to use only a part of this exploit. The malware copies a payload into a read-write (RW) memory space in the target process but uses a different method to write and execute the payload.

Rather than risk suspicious calls to Windows APIs, Dridex makes a virtual-memory call to change the memory it has already written into the target process.

"It's a simple fix and a small compromise for the sake of the overall technique, designed to avoid making suspicious API calls, which are usually monitored by security software," IBM notes.
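The defender's angle on the variant described above is that the payload lands in a read-write region and is then made executable from outside the target process. The following is an added example, not code from IBM's report or from the article, and it runs over a constructed telemetry trace; the API names, the event fields and the process IDs are assumptions standing in for what an EDR or Sysmon-style sensor would record.

```python
"""Flag a region in a target process that was populated from another process
and later flipped to an executable page protection by that other process.

Constructed example: the event layout and the sample trace are assumptions,
not real sensor output. The API names mirror real Windows calls; the page
itself names none of them, so they are assumptions for illustration.
"""
from collections import defaultdict

# Real page-protection values from winnt.h; any PAGE_EXECUTE_* value sets a
# bit in the high nibble, so a single mask test detects "executable".
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0xF0

# Calls that place data into another process's memory. For the APC case,
# "addr" is assumed to be the buffer argument handed to the queued routine.
PLANT_APIS = {"NtQueueApcThread", "NtWriteVirtualMemory"}

# Constructed trace: one suspicious pair, two benign look-alikes.
SAMPLE_EVENTS = [
    # assumed loader (pid 4120) plants a payload in pid 1337 via an APC
    {"pid": 4120, "target": 1337, "api": "NtQueueApcThread",
     "addr": 0x7FF60000, "protect": None},
    # ...and then turns that same region RWX from outside the target
    {"pid": 4120, "target": 1337, "api": "NtProtectVirtualMemory",
     "addr": 0x7FF60000, "protect": PAGE_EXECUTE_READWRITE},
    # benign: a process re-protecting its own region (JIT, loader)
    {"pid": 2200, "target": 2200, "api": "NtProtectVirtualMemory",
     "addr": 0x10000, "protect": PAGE_EXECUTE_READ},
    # benign: cross-process write with no later executable flip (debugger)
    {"pid": 900, "target": 2200, "api": "NtWriteVirtualMemory",
     "addr": 0x20000, "protect": None},
]


def find_remote_exec_flips(events):
    """Return (actor_pid, target_pid, addr) for every region that was written
    from outside its process and later made executable from outside it."""
    planted = defaultdict(set)  # target pid -> addresses written remotely
    alerts = []
    for ev in events:
        remote = ev["pid"] != ev["target"]
        if remote and ev["api"] in PLANT_APIS:
            planted[ev["target"]].add(ev["addr"])
        elif ev["api"] == "NtProtectVirtualMemory" and ev["protect"] is not None:
            if remote and ev["protect"] & EXEC_MASK \
                    and ev["addr"] in planted[ev["target"]]:
                alerts.append((ev["pid"], ev["target"], ev["addr"]))
    return alerts
```

Same-process protection changes are deliberately ignored, since JIT engines and loaders do that constantly; the signal is the cross-process write followed by a cross-process flip to executable on the same address.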


The researchers say that Dridex's developers have also improved the Trojan's configuration encryption and persistence mechanisms.

Dridex v4 is already out and actively attacking UK banks through redirection schemes and the malware's hVNC RAT capabilities. These appear to have replaced the Trojan's web injection methods, which were once the most common way it targeted potential victims.

"The release of a major version upgrade is a big deal for any software, and the same goes for malware," IBM says. "The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud."
