Developers behind Dridex have launched a major new version of the banking trojan, one that employs a unique method for injecting malicious code based on a novel technique called AtomBombing. And European banks are already feeling the heat from the upgraded malware, which has been observed attacking in the wild, according to a new report from IBM's X-Force threat intelligence team.
AtomBombing was first disclosed in October 2016 by enSilo, and while its name doesn't exactly convey subtlety and finesse, it is actually a very sneaky technique for injecting code from one process to another. It is designed to eliminate the use of certain telltale application program interface (API) calls (VirtualAllocEx, WriteProcessMemory and CreateRemoteThread) that otherwise might alert detection solutions and network defenders who watch out for these kind of malicious indicators.
In a blog post on Tuesday, IBM reported that this newest iteration of Dridex, recognized as version 4, is believed to be the first banking Trojan to leverage the AtomBombing method for injecting code. “Keep in mind, it's being used by one of the top cybergangs in the cybercrime arena, and Dridex is known for its sophistication and focus on business banking accounts,” said Magal Baz, malware researcher with IBM Security, in an email interview with SC Media. “This technique... can be adopted by, and adapted to, any Windows malware at all."
“Also, bear in mind that many times malicious actors copy code and techniques from one another, and we believe we will see more of this in the near future,” Baz continued.
Dridex v4 has already been observed in the wild targeting primarily UK-based banks, attempting to hit them with hidden virtual network computing-based RAT attacks and redirection attacks, the IBM report states.
Instead of using the aforementioned API calls to execute the three-stage process of remote code injection, AtomBombing instead allows malware to make use of Windows' atom tables and the native API NtQueueApcThread “to copy a payload into a read-write (RW) memory space in the target process," IBM explains in its blog post. "It then uses NtSetContextThread to invoke a simple return-oriented programming (ROP) chain that allocates read/write/execute (RWX) memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread."
However, Dridex does not borrow the full AtomBombing technique from start to finish: it executes the first step to write the payload, but then uses its own original method to achieve execution permissions and launch the actual execution, IBM notes.
Dridex v4 was also upgraded with enhanced configuration encryption, a modified naming algorithm and an updated persistence mechanism.
"The release of a major version upgrade is a big deal for any software, and the same goes for malware," reads the IBM blog post. "The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud."