The hackers behind the well-known Dridex banking Trojan have updated it with the AtomBombing injection technique, which gives the malware advanced stealth.
Dridex Now With AtomBombing
Security researchers at IBM X-Force discovered an updated version of the Dridex banking Trojan that has been used in attack campaigns against banks in the UK. The most notable addition to the malware is the injection method known as AtomBombing. The technique relies on unusual API calls and abuses Microsoft Windows' built-in atom tables to copy the malicious payload into read-write memory of a chosen target process. This sidesteps the common code-injection calls that security products monitor.
Atom tables are a built-in operating system facility that lets programs store and retrieve temporary data which can be shared between applications. The researchers conclude that an attacker can write code into such a table and then cause a legitimate program to retrieve and execute it. The new Dridex version shows an interesting variation: it first writes the payload itself and then uses several methods to obtain the permissions needed to execute it. According to the researchers who discovered the threat, this is a first-of-its-kind approach among banking Trojans. The complicated execution path makes the virus very hard to detect unless its specific signatures are added to anti-malware vendors' databases. Dridex now also features a modified naming algorithm, reworked encryption settings and improved persistence mechanisms.
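The article describes the injection only at a high level. The following is an added detection example written for this post, not code from the article or from IBM X-Force. It runs a simple heuristic over an API-call trace of the kind a sandbox or endpoint API monitor produces. Assumptions, labelled as such: the trace line format and the sample lines are constructed for this example, and the call sequence it looks for (a process placing data in the global atom table with GlobalAddAtom*, then queuing an APC into a thread of a different process with GlobalGetAtomName* as the APC routine) is the publicly documented shape of AtomBombing rather than a detail the article itself gives. A process that merely uses atoms for its own purposes is not flagged.

```python
"""Heuristic detector for AtomBombing-style injection over an API-call trace.

Added example, not from the article or from IBM X-Force. The trace format and
sample lines below are constructed; the API sequence checked for is the
publicly documented shape of AtomBombing, not something the article states.
"""
import re
from dataclasses import dataclass, field

# Constructed trace format: "<ts> pid=<pid> <Api>(k=v,k=v,...)"
LINE_RE = re.compile(r"^(?P<ts>\d+) pid=(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\)$")


@dataclass
class Call:
    ts: int
    pid: int
    api: str
    args: dict = field(default_factory=dict)


def parse_trace(text):
    """Parse the constructed trace format into Call records; unknown lines are skipped."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for kv in m.group("args").split(","):
            if "=" in kv:
                k, v = kv.strip().split("=", 1)
                args[k] = v
        calls.append(Call(int(m.group("ts")), int(m.group("pid")), m.group("api"), args))
    return calls


def detect_atombombing(calls, window=5000):
    """Return (source_pid, target_pid, atom_write_ts, apc_ts) for each suspicious pair.

    A hit requires, within `window` time units: GlobalAddAtom* from a process,
    followed by NtQueueApcThread from the same process aimed at a *different*
    process whose APC routine is GlobalGetAtomName* (the callee that copies the
    atom contents into the target's memory).
    """
    last_atom_write = {}  # pid -> timestamp of most recent GlobalAddAtom* call
    hits = []
    for c in calls:
        if c.api.startswith("GlobalAddAtom"):
            last_atom_write[c.pid] = c.ts
        elif c.api == "NtQueueApcThread":
            routine = c.args.get("apc_routine", "")
            target_pid = int(c.args.get("target_pid", c.pid))
            if (
                target_pid != c.pid
                and routine.startswith("GlobalGetAtomName")
                and c.pid in last_atom_write
                and c.ts - last_atom_write[c.pid] <= window
            ):
                hits.append((c.pid, target_pid, last_atom_write[c.pid], c.ts))
    return hits


# Constructed sample trace: pid 4242 behaves like an AtomBombing injector;
# pid 777 uses atoms and APCs only within its own process and must not be flagged.
SAMPLE_TRACE = """
1000 pid=4242 GlobalAddAtomW(name=CHUNK_1_PLACEHOLDER)
1010 pid=4242 GlobalAddAtomW(name=CHUNK_2_PLACEHOLDER)
1050 pid=4242 NtQueueApcThread(target_pid=1337,tid=1400,apc_routine=GlobalGetAtomNameW)
2000 pid=777 GlobalAddAtomW(name=MyDdeTopic)
2100 pid=777 NtQueueApcThread(target_pid=777,tid=800,apc_routine=LocalApcRoutine)
"""


def run_sample():
    """Run the detector over the constructed trace and return its hits."""
    return detect_atombombing(parse_trace(SAMPLE_TRACE))


if __name__ == "__main__":
    for src, dst, t_write, t_apc in run_sample():
        print(f"possible AtomBombing-style injection: pid {src} -> pid {dst} "
              f"(atom write at {t_write}, APC queued at {t_apc})")
```

The heuristic is deliberately narrow: it keys on the cross-process APC whose routine is the atom-retrieval function, because that combination has no ordinary use, whereas atom-table writes on their own are common (DDE, window classes). In a real deployment the trace would come from an API monitor or sandbox rather than an inline string, and the time window should be tuned to that source's clock resolution.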
We would like to remind our readers that Dridex is one of the most widespread banking Trojans and, as such, is used by many hacker collectives around the world. Now that it has been updated with these features, we expect another surge of attack campaigns. The virus has gone through several major iterations since its first discovery, this latest one being the fourth. The current campaign targets only a select few American banks. We suspect that the hacker collective is profiling possible victims before launching a larger campaign against other financial institutions as well.
As always, we recommend that all end users and company employees use a quality anti-malware tool to protect their computers from possible infections. Existing infections can easily be removed with only a few mouse clicks.