Monday, 6 March 2017

Dridex Trojan - First to integrate Atom-Bombing

Dridex, one of the most nefarious banking Trojans actively targeting the financial sector, has received an upgrade that equips the malware with a new, sophisticated code injection technique and evasive capabilities known as "Atom-Bombing".

On Tuesday, Magal Baz, a security researcher at IBM Trusteer, disclosed new research exposing Dridex version 4, the latest version of the infamous financial Trojan, and its new capabilities.


Dridex is one of the best-known Trojans and exhibits the typical behavior of monitoring a victim's traffic to bank sites: it infiltrates victim PCs using macros embedded in Microsoft documents or via web injection attacks, and then steals online banking credentials and financial data.

One of the lesser-known things about computer viruses is that malware is very similar to normal software, often going through the same development cycles and receiving constant updates. While most malware operators strive to keep as much of their source code and operational details hidden as possible, the Dridex crew has always embedded the malware’s version number in its source, which in turn has permitted researchers to track its evolution easily.

However, by including Atom-Bombing capabilities, Dridex becomes the first known malware sample to use such a sophisticated code injection technique to evade detection. As in previous campaigns, Dridex exhibits the typical behavior of monitoring a victim’s traffic to bank sites and stealing login and account information. The biggest change is Dridex v4’s code injection method.



More about the "Atom-Bombing" technique:


The code injection techniques used by previous versions of the Dridex Trojan have become too common and are easy to spot for antivirus and other security solutions.

Atom-Bombing, however, is a different approach to code injection that does not rely on the easy-to-detect API calls used by older Dridex versions, so leveraging it in the latest Dridex version makes the malware harder for antivirus products to detect.

Initially spotted in October by enSilo researchers, Atom-Bombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft's Windows OS, even Windows 10, in a manner that no existing anti-malware tools can detect. Atom-Bombing does not exploit any vulnerability but abuses the system-level atom tables, a Windows feature that lets applications store strings, objects and other data they need to access regularly.

An attacker can write malicious code into an atom table and trick a legitimate application into retrieving it from the table, thereby executing malicious actions on nearly any Windows operating system released in the past 16 years.

What makes Dridex v4 different from other Atom-Bombing attacks is that the attackers only used “the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself,” according to the co-authors of the X-Force report, Magal Baz and Or Safran.


Atom-Bombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process. It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.

Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into read/write/execute memory. That cues up Dridex to use a Windows asynchronous procedure call to invoke GlobalGetAtomA, which executes the payload.

The last stage is the execution of the payload. To avoid calling CreateRemoteThread, Dridex again uses APC. Using an APC call to the payload itself would be very suspicious. Alternatively, Dridex v4 uses “the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload,” said the researchers.
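From the detection side, the sequence described above (a remote APC whose routine is a GlobalGetAtom* function, followed by the injecting process switching the target's memory to read/write/execute, then another atom APC) is what a defender would correlate. The following Python sketch is an added example, not code from the article or the X-Force report; the telemetry schema, field names and process IDs are constructed assumptions of this example.

```python
"""Correlate cross-process API call telemetry for the Dridex v4 Atom-Bombing
chain. The event records below are constructed for this example; the schema
(t, src, dst, api, arg) is an assumption, not any real collector's format."""
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # memory protection constant from winnt.h
ATOM_APIS = {"GlobalGetAtomA", "GlobalGetAtomW"}

# Constructed sample events in time order. 'src' is the calling process,
# 'dst' the process whose thread/memory is touched (same as src for local calls).
EVENTS = [
    {"t": 1, "src": 4100, "dst": 4100, "api": "GlobalAddAtomW", "arg": {}},
    {"t": 2, "src": 4100, "dst": 2200, "api": "NtQueueApcThread", "arg": {"routine": "GlobalGetAtomW"}},
    {"t": 3, "src": 4100, "dst": 2200, "api": "NtProtectVirtualMemory", "arg": {"protect": 0x40}},
    {"t": 4, "src": 4100, "dst": 2200, "api": "NtQueueApcThread", "arg": {"routine": "GlobalGetAtomW"}},
    {"t": 5, "src": 3300, "dst": 3300, "api": "GlobalGetAtomA", "arg": {}},       # benign local use
    {"t": 6, "src": 3300, "dst": 3300, "api": "NtProtectVirtualMemory", "arg": {"protect": 0x04}},
]


def detect_atombombing(events):
    """Return {(src, dst): [stages seen]} for process pairs showing the chain:
    an atom-based remote APC (payload write) followed by a remote change of
    memory protection to RWX; a further atom APC after that is the execution step.
    In-process atom use and protection changes are common and are ignored."""
    state = defaultdict(list)   # (src, dst) -> ordered stage names observed
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["src"] == ev["dst"]:
            continue  # only cross-process activity is interesting here
        stages = state[(ev["src"], ev["dst"])]
        api, arg = ev["api"], ev["arg"]
        if api == "NtQueueApcThread" and arg.get("routine") in ATOM_APIS:
            # before the RWX change the APC copies the atom string into the target;
            # after it, the same mechanism is what triggers execution
            stages.append("atom_apc_exec" if "remote_rwx" in stages else "atom_apc_write")
        elif api == "NtProtectVirtualMemory" and arg.get("protect") == PAGE_EXECUTE_READWRITE:
            stages.append("remote_rwx")
    # Alert only on the write-then-RWX ordering; a lone remote RWX change or a
    # lone remote APC is noisier and belongs in a separate, lower-severity rule.
    return {k: v for k, v in state.items() if "atom_apc_write" in v and "remote_rwx" in v}


if __name__ == "__main__":
    for (src, dst), stages in detect_atombombing(EVENTS).items():
        print(f"ALERT pid {src} -> pid {dst}: {' -> '.join(stages)}")
```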

Over the years, the cybercriminals behind the different versions of the Dridex Trojan have been extremely persistent. While campaigns have fluctuated in volume, innovation in the malware has been consistent. In January, researchers at Flashpoint said they had spotted a new variant of the Dridex Trojan with a technique that can bypass Windows User Account Control (UAC). In 2015, an older version of Dridex started using a detection-evasion technique called AutoClose, in which phishing messages carried macro-based attacks that did not execute until the malicious document was closed.
