Security researchers have discovered a new variant of Dridex – one of the most nefarious banking Trojans actively targeting the financial sector – with a new, sophisticated code injection and evasion technique called "AtomBombing."
On Tuesday, Magal Baz, a security researcher at IBM Trusteer, disclosed new research exposing Dridex version 4, the latest version of the infamous financial Trojan, and its new capabilities.
Dridex is one of the most well-known Trojans. It exhibits the typical behaviour of monitoring a victim's traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft Office documents or via web injection attacks, and then stealing online banking credentials and financial data.
However, by including AtomBombing capabilities, Dridex becomes the first ever malware sample seen in the wild to use such a sophisticated code injection technique to evade detection.
What is the "AtomBombing" Technique?
The code injection techniques used by previous versions of the Dridex Trojan have become too common and easy to spot for antivirus and other security solutions.
But since AtomBombing is a different approach to code injection that does not rely on the easy-to-detect API calls used by old Dridex versions, leveraging AtomBombing in the latest Dridex version makes it hard for antivirus products to detect.
Initially spotted in October by Tal Liberman from the security firm enSilo, AtomBombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft's Windows OS, even Windows 10, in a manner that existing anti-malware tools could not detect at the time.
AtomBombing does not exploit any vulnerability but abuses the system-level Atom Tables, a feature of Windows that allows applications to store strings, objects, and other types of data that they need to access on a regular basis.
An attacker can write malicious code into an atom table and trick legitimate applications into retrieving it from the table to execute malicious actions on almost any Windows operating system released in the past 16 years.
Dridex Version 4 Discovered In the Wild
According to IBM X-Force researchers, the Dridex banking Trojan recently underwent a major version upgrade and now supports AtomBombing.
But the malware author only went halfway, which makes Dridex v4 different from other AtomBombing attacks — the attackers used "the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself."
"The flow differs from the one described in the AtomBombing technique. To get the payload into an executable memory space, Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into RWX," X-Force researchers said.
Since using an APC call to the payload would have been very suspicious and could be detected and stopped, Dridex v4 uses "the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload."
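Defenders can turn the two behaviours described above (payload chunks written into the global atom table, followed by a cross-process NtProtectVirtualMemory call that makes the target memory RWX) into a detection rule. The script below is an added illustration, not code from the article or from IBM's research: it runs over a constructed, whitespace-free API-trace format (`<pid> <api> key=value ...`) that is an assumption of this example, the process IDs and the entropy/length thresholds are made up for the illustration, and the "payload" atom strings are opaque high-entropy text, not real code. Only a process that shows both behaviours is reported, which keeps ordinary atom-table users (window class names and the like) out of the findings.

```python
"""Heuristic detector for AtomBombing-style injection over a constructed API trace.

Assumed trace line format (constructed for this example, not a real tool's output):
    <pid> <api> key=value key=value ...
Values contain no whitespace.
"""
import math
import re
from collections import defaultdict

# Windows memory-protection constant for PAGE_EXECUTE_READWRITE (RWX).
PAGE_EXECUTE_READWRITE = 0x40

# Thresholds are assumptions for this illustration, not values from the article.
MIN_SUSPICIOUS_ATOM_LEN = 64   # legitimate atom strings are usually short names
MIN_SUSPICIOUS_ENTROPY = 4.0   # bits/char; code or packed data scores high

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; a rough 'looks like code/data' test."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one trace line into {'pid', 'api', 'args'}; None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Only the first '=' separates key from value, so values may contain '='.
    args = dict(kv.split("=", 1) for kv in m.group("args").split() if "=" in kv)
    return {"pid": int(m.group("pid")), "api": m.group("api"), "args": args}


def analyze(trace: str) -> dict:
    """Return {pid: {'atom_writes': n, 'rwx_targets': [pids]}} for every process
    that BOTH staged high-entropy data in the atom table AND set RWX protection
    on another process's memory. Either behaviour alone is not reported."""
    payload_atoms = defaultdict(int)   # pid -> count of suspicious GlobalAddAtom calls
    cross_rwx = defaultdict(set)       # pid -> target pids made PAGE_EXECUTE_READWRITE
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, api, args = ev["pid"], ev["api"], ev["args"]
        if api in ("GlobalAddAtomA", "GlobalAddAtomW"):
            s = args.get("string", "")
            if len(s) >= MIN_SUSPICIOUS_ATOM_LEN and shannon_entropy(s) >= MIN_SUSPICIOUS_ENTROPY:
                payload_atoms[pid] += 1
        elif api == "NtProtectVirtualMemory":
            target = int(args.get("target_pid", pid))
            protect = int(args.get("protect", "0"), 16)
            if target != pid and protect == PAGE_EXECUTE_READWRITE:
                cross_rwx[pid].add(target)
    findings = {}
    for pid in set(payload_atoms) | set(cross_rwx):
        if payload_atoms.get(pid, 0) and cross_rwx.get(pid):
            findings[pid] = {
                "atom_writes": payload_atoms[pid],
                "rwx_targets": sorted(cross_rwx[pid]),
            }
    return findings


def _opaque_chunk(offset: int, length: int = 72) -> str:
    """Constructed stand-in for a binary-looking payload chunk (NOT real code):
    a run of distinct printable, non-whitespace characters, so entropy is high."""
    return "".join(chr(33 + ((offset + i * 7) % 90)) for i in range(length))


# Constructed sample trace. pid 2210 is an ordinary application using atoms for a
# window class name; pid 4100 follows the staged-atom-then-RWX pattern against 3300.
SAMPLE_TRACE = "\n".join([
    "2210 GlobalAddAtomW string=MyAppWindowClass",
    "2210 GlobalGetAtomNameW atom=0xC0A3",
    "2210 NtProtectVirtualMemory target_pid=2210 protect=0x04",
    f"4100 GlobalAddAtomW string={_opaque_chunk(0)}",
    f"4100 GlobalAddAtomW string={_opaque_chunk(5)}",
    "4100 NtProtectVirtualMemory target_pid=3300 protect=0x40",
    "3300 GlobalGetAtomNameW atom=0xC1F2",
    "noise line that the parser should skip",
])

if __name__ == "__main__":
    for pid, info in analyze(SAMPLE_TRACE).items():
        print(f"pid {pid}: {info['atom_writes']} suspicious atom writes, "
              f"RWX set in process(es) {info['rwx_targets']}")
```

Requiring both signals is deliberate: atom tables are used legitimately all the time, and a single RWX protection change has benign explanations (JIT compilers, debuggers), but a process that does both in sequence matches the flow X-Force describes. In a real deployment the thresholds would be tuned against baseline telemetry, and the same logic could be expressed as a correlation rule in whatever EDR or SIEM produces the API-level events.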
Researchers said the new Dridex v4 is already in use in active campaigns against European banks, and it is only a matter of time before the attackers start targeting American financial institutions as well.
Antivirus software and security products can now update their detection to track and prevent Dridex v4 attacks, since IBM's findings are publicly available.
For a more detailed explanation of the technical workings of the latest version of the Dridex Trojan, you can head over to IBM's blog post.