{"id":6820,"date":"2017-03-01T10:30:28","date_gmt":"2017-03-01T18:30:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/01\/news-611\/"},"modified":"2017-03-01T10:30:28","modified_gmt":"2017-03-01T18:30:28","slug":"news-611","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/01\/news-611\/","title":{"rendered":"Dridex: First banking Trojan with AtomBombing to better evade detection"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt3.staticworld.net\/images\/article\/2015\/09\/malware-threat-hack-hacked-bug-cyberthreat-100613859-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Darlene Storm | Date: Wed, 01 Mar 2017 07:38:00 -0800<\/strong><\/p>\n<p>The Dridex Trojan, one of the most destructive banking Trojans, has been upgraded with a new code injection method that makes the malware even better at evading detection.<\/p>\n<p>The newest version of Dridex, v4, is the first banking Trojan to take advantage of AtomBombing, according to a <a href=\"https:\/\/securityintelligence.com\/dridexs-cold-war-enter-atombombing\/\" target=\"_blank\">report<\/a> by IBM X-Force. Unlike the more common code injection techniques, which security products have learned to flag, AtomBombing was designed to slip past those controls. Once one organized cybercrime gang successfully pulls off a slick trick, other cyber thugs are expected to adopt the method.<\/p>\n<p>\u201cIn this release,\u201d the researchers wrote, \u201cwe noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities.\u201d<\/p>\n<p>When enSilo first described <a href=\"http:\/\/blog.ensilo.com\/atombombing-a-code-injection-that-bypasses-current-security-solutions\" target=\"_blank\">AtomBombing<\/a> in October 2016, the security firm warned that attackers could abuse Windows\u2019 atom tables to inject code; the technique affected all versions of Windows. 
The company wrote, \u201cAttackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.\u201d<\/p>\n<p>The newest version of Dridex doesn\u2019t rely on AtomBombing end to end; it borrows only the first stage of the technique (AtomBombing abuses a documented Windows feature rather than a vulnerability, so it is a technique, not an exploit). IBM X-Force researchers explained that in Dridex v4, the malware authors \u201cused the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.\u201d<\/p>\n<p>In other words, the upgraded malware uses the Windows atom table only to get its payload written into the target process; the step that makes that memory read-write-execute (RWX) and the step that runs the code are done another way, and the whole sequence sidesteps the Windows API calls that security products flag as AtomBombing indicators. The changes in the code injection method \u201callow Dridex to propagate in the infected endpoint with minimal calls to marked API functions.\u201d<\/p>\n<p>The addition of AtomBombing to Dridex was not the only change. The naming algorithm was modified to better evade detection, and the malware\u2019s \u201cinvisible\u201d persistence mechanism was abandoned in favor of a DLL-hijacking technique. The malware authors also \u201csignificantly upgraded the cryptographic protection for the configuration.\u201d Stronger encryption of the configuration makes it harder for researchers and security vendors to recover the attack details and targeted bank URLs it contains.<\/p>\n<p>\u201cIt is not surprising to see a new major version released from this gang\u2019s developers,\u201d X-Force wrote. \u201cThe release of a major version upgrade is a big deal for any software, and the same goes for malware. 
The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud.\u201d<\/p>\n<p><strong>In the UK now, but coming to a US bank near you soon?<\/strong><\/p>\n<p>Right now, Dridex v4 is being used in campaigns that target UK banks; at some point it is highly likely that US banks will be targeted as well.<\/p>\n<p>IBM X-Force concluded:<\/p>\n<p>The adoption of a new injection technique shortly after its discovery demonstrates Dridex\u2019s efforts to keep up with the times and the evolution of security controls. Although they relied on a publicized method, Dridex\u2019s developers created their own version of it, a choice that is consistent with their usual preference to write proprietary code schemes for Dridex, as they did for its binary configuration format, for example.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3175092\/security\/dridex-first-banking-trojan-with-atombombing-to-better-evade-detection.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Darlene Storm | Date: Wed, 01 Mar 2017 07:38:00 -0800<\/strong><\/p>\n<p>The Dridex Trojan, one of the most destructive banking Trojans, has been upgraded with a new code injection method that makes the malware even better at evading detection.<\/p>\n
","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11072,11073,714],"class_list":["post-6820","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cybercrime-hacking","tag-malware-vulnerabilities","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6820"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6820\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6820"}],"wp
:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6820"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
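The article's key technical point is that Dridex v4 keeps only the first stage of AtomBombing, writing the payload into the target through the atom table, and does the RWX and execution steps another way with "minimal calls to marked API functions". That write stage is also the part a defender can still key on. The following Python is an added example, not code from the article, IBM X-Force or enSilo: it runs a small correlation over constructed API-call telemetry and flags both the textbook injection chain (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) and the AtomBombing write primitive, in which the injecting process stores payload bytes with GlobalAddAtom and then queues an APC on a thread of the target whose routine is GlobalGetAtomName, so the target copies the bytes into its own memory (the mechanism described in the enSilo write-up linked above). The event schema, process IDs, atom contents and log lines are constructed for the example; the API names are the real Win32 and native ones.

```python
"""Correlate hooked-API telemetry to flag the AtomBombing write primitive.

Added example, not code from the article, IBM X-Force or enSilo. The event
schema (ts / pid / api / args) is an assumption made for this example, not a
real EDR format; the API names are the real Win32 and native ones.
"""
from collections import defaultdict

# Constructed sample telemetry (not real logs). pid 4000 is a benign GUI app
# registering a window-class atom; pid 5000 is a textbook injector; pid 6000
# gets its payload into pid 1234 the AtomBombing way: payload bytes go into
# the global atom table, then an APC queued on a target thread with
# GlobalGetAtomNameW as the routine makes the target copy them into its own
# memory. pid 6000 never calls WriteProcessMemory. The atom "names" are
# illustrative byte strings, not working shellcode.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4000, "api": "GlobalAddAtomW", "args": {"name": "MyAppWindowClass"}},
    {"ts": 2, "pid": 4000, "api": "GlobalFindAtomW", "args": {"name": "MyAppWindowClass"}},
    {"ts": 11, "pid": 5000, "api": "VirtualAllocEx",
     "args": {"target_pid": 1234, "protect": "PAGE_EXECUTE_READWRITE"}},
    {"ts": 12, "pid": 5000, "api": "WriteProcessMemory", "args": {"target_pid": 1234, "size": 4096}},
    {"ts": 13, "pid": 5000, "api": "CreateRemoteThread", "args": {"target_pid": 1234}},
    {"ts": 20, "pid": 6000, "api": "GlobalAddAtomW",
     "args": {"name": "\x48\x83\xec\x28\x48\x8d\x0d\xf1\x01"}},
    {"ts": 21, "pid": 6000, "api": "GlobalAddAtomW",
     "args": {"name": "\x41\x5c\xc3\x90\x90\x90\x90\xcc"}},
    {"ts": 22, "pid": 6000, "api": "NtQueueApcThread",
     "args": {"target_pid": 1234, "tid": 1300, "apc_routine": "kernel32!GlobalGetAtomNameW"}},
    {"ts": 23, "pid": 6000, "api": "NtQueueApcThread",
     "args": {"target_pid": 1234, "tid": 1300, "apc_routine": "kernel32!GlobalGetAtomNameW"}},
]

# The "marked" chain most injection detections are keyed on.
CLASSIC_CHAIN = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
ATOM_WRITERS = {"GlobalAddAtomA", "GlobalAddAtomW"}
# APC routines that make the *target* pull an atom string into its own memory.
ATOM_READERS = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}


def looks_like_code(name):
    """Heuristic: window-class and DDE atoms are printable text; code is not."""
    if not name:
        return False
    nonprintable = sum(1 for ch in name if not 32 <= ord(ch) < 127)
    return nonprintable / len(name) > 0.3


def _routine_symbol(args):
    """'kernel32!GlobalGetAtomNameW' -> 'GlobalGetAtomNameW'."""
    return args.get("apc_routine", "").split("!")[-1]


def detect_injection(events):
    """Return one finding per (source, target, technique) seen in events."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        # Pattern 1: the classic alloc / write / remote-thread trio, all aimed
        # at the same target process.
        apis_per_target = defaultdict(set)
        for ev in evs:
            if ev["api"] in CLASSIC_CHAIN:
                apis_per_target[ev["args"]["target_pid"]].add(ev["api"])
        for target, apis in apis_per_target.items():
            if CLASSIC_CHAIN <= apis:
                findings.append({"source_pid": pid, "target_pid": target,
                                 "technique": "classic_remote_thread"})

        # Pattern 2: atoms added locally, then a cross-process APC whose
        # routine is GlobalGetAtomName. GlobalAddAtom alone is ordinary GUI
        # behaviour; the APC into another process is the tell.
        atoms = [ev for ev in evs if ev["api"] in ATOM_WRITERS]
        remote_apcs = [ev for ev in evs
                       if ev["api"] == "NtQueueApcThread"
                       and ev["args"].get("target_pid") != pid
                       and _routine_symbol(ev["args"]) in ATOM_READERS]
        for target in sorted({ev["args"]["target_pid"] for ev in remote_apcs}):
            apcs = [ev for ev in remote_apcs if ev["args"]["target_pid"] == target]
            prior_atoms = [ev for ev in atoms if ev["ts"] < apcs[0]["ts"]]
            if not prior_atoms:
                continue
            findings.append({
                "source_pid": pid, "target_pid": target,
                "technique": "atombombing_write",
                "atoms_before_apc": len(prior_atoms),
                "code_like_atoms": sum(looks_like_code(ev["args"].get("name", ""))
                                       for ev in prior_atoms),
                "remote_apcs": len(apcs),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_EVENTS):
        print(finding)
```

On the sample, pid 5000 trips pattern 1 and pid 6000 trips only pattern 2: the AtomBombing source never touches the marked trio, which is exactly why a detection keyed on those calls stays silent for Dridex v4. Two caveats apply in practice. The sensor must see NtQueueApcThread with the resolved routine address (a kernel callback or a hook on the native call, not just the Win32 layer), and the `looks_like_code` score is only supporting evidence, since the PoC splits payloads into NUL-free chunks that may score low; the cross-process APC into GlobalGetAtomName is the signal to alert on.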