Dridex 4.0 hides from researchers' gaze with AtomBombing technique

News by Max Metzger

IBM researchers have discovered that the latest version of Dridex uses an AtomBombing technique to elude researchers.

Dridex version 4.0 has arrived and has been updated to better elude the watchful eye of security researchers.

IBM reported on 28 February that it had discovered the first samples of Dridex's newest iteration. The samples were reportedly found targeting the customers of UK banks.

Its most notable new feature is the addition of an AtomBombing technique, which stores pieces of malicious code in atom tables, giving Dridex a stealthier way to get its code into a target process. Atom tables are a Windows mechanism for storing strings so that they can be accessed by applications other than the one that created the string. Because the payload is staged through the atom table rather than written into the target process directly, 4.0 avoids the code-injection API calls that researchers so often monitor to spot Dridex infections.
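To make the "strings accessible to other applications" point concrete, the following is an added PowerShell example, not code from the article, IBM, enSilo or Dridex. It shows only the documented global atom table primitive that the technique relies on: one process stores a string with GlobalAddAtom, and a second, unrelated process reads it back knowing nothing but the 16-bit atom number, with no cross-process memory API involved. It assumes Windows with PowerShell 5.1 or later; the payload string, the Demo.GlobalAtoms type name and the child powershell.exe reader are constructed for the demonstration and are not part of the original technique's description on this page. The rest of the AtomBombing chain (getting the staged bytes executed in the target) is deliberately not shown.

```powershell
# Added example (not from the article or from Dridex): the Windows global atom table as a
# cross-process string store. Any process in the session can read an atom back by its number.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtomW(string lpString);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@
$atoms = Add-Type -MemberDefinition $sig -Name 'GlobalAtoms' -Namespace 'Demo' -PassThru

# Writer side: stash a harmless, constructed string in the global atom table.
# Atom names are limited to 255 characters, so a real payload would have to be split into
# many atoms; that chunking is the reason a loader using this trick makes many small writes.
$payload = 'DEMO-PAYLOAD-' + [guid]::NewGuid().ToString()
$atom = $atoms::GlobalAddAtomW($payload)
if ($atom -eq 0) {
    throw "GlobalAddAtomW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"Writer (pid $PID): stored {0} chars as atom 0x{1:X4}" -f $payload.Length, $atom

# Reader side: a separate powershell.exe process retrieves the string using only the atom
# number. The script is passed base64-encoded so nested quotes need no escaping.
$readerScript = @"
Add-Type -MemberDefinition @'
$sig
'@ -Name 'GlobalAtoms' -Namespace 'Demo'
`$sb = New-Object System.Text.StringBuilder 256
[void][Demo.GlobalAtoms]::GlobalGetAtomNameW($atom, `$sb, `$sb.Capacity)
"`$PID " + `$sb.ToString()
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($readerScript))
$result = powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
$readerPid, $fromOtherProcess = $result -split ' ', 2
"Reader (pid $readerPid): got '$fromOtherProcess'"
if ($fromOtherProcess -ne $payload) { throw 'Cross-process atom read did not match the stored string' }

# Cleanup: global atoms are reference counted and otherwise persist for the session, so every
# GlobalAddAtom needs a matching GlobalDeleteAtom.
[void]$atoms::GlobalDeleteAtom($atom)
```

Run it from an ordinary PowerShell prompt; no elevation is needed, which is itself part of the point: the atom table is a legitimate, unprivileged IPC facility, so the calls that populate it are not the ones a monitoring product would normally flag as process injection.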

Jerome Segura, malware intelligence analyst at Malwarebytes, told SC Media UK that "Dridex seemingly is the first piece of malware to leverage the AtomBombing technique first exposed in late 2016. This is a novel approach for loading malicious code without relying on the typical APIs and techniques that security products commonly watch for."

AtomBombing was first revealed as a technique by researchers at enSilo in late 2016, and the Dridex authors have adapted the code-injection technique to make it their own.

The interesting thing here, said Segura, "is that the authors of Dridex 4.0 learned from this new technique but also adapted it to their needs. For instance, they did not simply use it as is (which would also have been a giveaway) but altered it to make it even more effective."

When enSilo first wrote about the technique, the company said that Microsoft could not fix it without rewriting parts of the Windows operating system.

Dridex is a banking trojan which harvests credentials, mainly those used at financial organisations. Its typical attack vector is phishing emails carrying Word or Excel documents loaded with malicious macros.

The malware uses HTML injection to insert malicious code into otherwise legitimate banking websites as they are rendered on the infected machine. Once the victim visits one of those websites, say an online banking portal, and enters their credentials, Dridex sends the entered information back to its operators.

The UK's National Crime Agency claimed in 2015 that Dridex had been implicated in the theft of up to £20 million in the UK alone.

It has undergone several iterations since its first emergence in late 2014. As malware authors battle it out for more customers, the resulting competition forces them to improve their products and offer more value to customers.

Last year, Forcepoint researchers saw Dridex expand itself to target cryptocurrency. Jonathan Sander, VP of product strategy at Lieberman Software, told SC at the time that "many people picture a hooded man with Cheeto-stained fingers and a messy desk in a basement when they think of the online enemy. In truth, today the bad guys would fit right into the Dilbert cartoons. These are professionals developing software in offices with paychecks, benefits and normal lives. It's their organised crime bosses that are really different."
