New Version Of Dridex Banking Trojan Uses ‘AtomBombing’ To Infect Systems

It’s the first malware to use a newly disclosed code-injection method to break into Windows systems

Security researchers at IBM have discovered a new version of the Dridex banking Trojan that takes advantage of a recently disclosed code injection technique called AtomBombing to infect systems.

The modified version of the malware is already being used in online banking attacks across Europe and poses a fresh threat to organizations because it is harder to detect than previous versions.

“The new code injection method shuffles things up on detection mechanisms,” says Limor Kessem, executive security advisor at IBM Security. “It means that unless adapted protection layers are added to endpoints, it's going to be much harder to detect what Dridex does once its deployment flow starts rolling.”

AtomBombing is a technique that security vendor enSilo demonstrated last October for injecting malicious code into the “atom tables” that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and execute malicious code in a legitimate process or application. Attackers have long used such code injection tactics to try to bypass security controls and carry out malicious activity without being detected.

What enSilo demonstrated was a method to sneak malicious code into Windows atom tables without being detected by the usual security mechanisms and then to get applications to retrieve and execute the code.

enSilo has stressed that its approach does not exploit any vulnerability in Windows and instead simply takes advantage of how the operating system functions. Since the technique does not rely on flawed or broken code, there is little that Microsoft can do to patch against it, the company has previously noted.

The new version of Dridex (Dridex v4) is the first malware that uses the AtomBombing process to try to infect systems. It uses atom tables to copy its payload and some other related data into the memory space of a target process. But then, in a departure from the rest of enSilo’s approach, the new version of Dridex uses a different method to ensure it gets executed.

“From [previous] experience with Dridex, its authors favor writing their own code, using their own ideas,” Kessem says. In this case, since a lot of details about the AtomBombing technique are already out there, the authors of Dridex probably felt it was safer to put a twist on it, he said. “Also, many times developers who know the code most intimately choose the features that work best with it, or that will suit future development plans.”

The code injection feature is one of several tweaks, including new encryption and persistence mechanisms, that the authors of Dridex have made available with the latest version of the malware. But it is the most important one because it gives Dridex a way to propagate in an infected system in a minimally observable manner, an alert on the new malware noted.

In a statement, a Microsoft spokeswoman said for malware like Dridex to be able to use code-injection techniques, the user’s system needs to have already been compromised. “To help avoid malware infection, we encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

Tal Liberman, a security researcher at enSilo, says it is no surprise at all that malware authors are attempting to use the AtomBombing method. “I’m actually surprised that it took so long for something like this to surface,” he says.

Typically, when 0-day vulnerabilities are disclosed, attackers try to use them as soon as possible, before software vendors roll out patches. “This pattern holds true for new injection techniques such as AtomBombing,” he says. In fact, others have likely used the technique already and the latest version of Dridex is only the first to be detected using it, he says.

AtomBombing takes advantage of Microsoft Windows' built-in atom tables that allow specific API calls to inject code into the read-write memory space of a targeted process, he says. This is a legitimate part of the operating system performing as designed and cannot be patched against, Liberman says.

However, average security products can block most known code injection techniques. When new techniques like AtomBombing are used, the products need to be updated to neutralize that specific technique, he says.
