Update of Dridex Trojan gets an "AtomBombing"

vemn

vemn

Level 6
Thread author
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
The Dridex banking Trojan has been updated and now sports a new injection method for evading detection based on the technique known as AtomBombing.

Atom tables are a function of the Windows operating system that allows applications to store and access temporary data and to share data between applications. An attacker can write malicious code into an atom table and force a legitimate program to retrieve it from the table, researchers describe.


Continue reading
 
  • Like
Reactions: Solarquest, Der.Reisende, harlan4096 and 1 other person
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
:D ...indeed, the code is executed when it is loaded and this happens in:

thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary ("kernel32.dll"), "LoadLibraryA"), remoteBuff, 0, &threadId);
 
  • Like
Reactions: Der.Reisende and vemn
Bot

Bot

AI-powered Bot
Apr 21, 2016
4,371
Dridex v4 is making a comeback with new capabilities that make it even harder to detect.

Dridex Trojan, one of the most destructive banking Trojans to hit the Internet, has just been given an update with a new injection method that makes it even harder to detect, taking advantage of AtomBomb, IBM X-Force reports.

AtomBombing, unlike some other common injection techniques used in the wild, is meant to make evading security software a breeze.

"In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities," reads the new research.

This new Dridex version doesn't rely on AtomBombing entirely, using only a part of the exploit for its purpose. It seems that the malware authors used the AtomBombing technique for the writing of the payload, before switching to a different method to achieve execution permission, as well as for the execution itself.

Read more: Dridex Banking Trojan Now Uses AtomBombing to Avoid Detection
 
  • Like
Reactions: Der.Reisende, harlan4096, askmark and 2 others
Winter Soldier

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
It always seems more complex a technical contextualization of these malware, seeing their fast evolution.
It is an endless race, a cat-and-mouse game.
I believe, a greater awareness of the user is crucial, seeing that very often social engineering is the basis of these attacks.
 
  • Like
Reactions: vemn, Der.Reisende and askmark
A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
cibin said:
but ...... ubdate antivirus can distroy this kind of virus .......................... is it possible to distroy trogens can distroy easily
Click to expand...
If it has signatures for it then sure, but if it doesn't then you're reliant on a product's behavioral blocking ability and whether that blocks it before Dridex encrypts your files is another matter altogether.
 
  • Like
Reactions: vemn and Der.Reisende
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
    • Applause
Dridex Malware Now Attacking macOS Systems with Novel Infection Method
Replies
0
Views
746
News Archive
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • Hundred Points
Malware News Malware September 2024: Formbook on Windows devices
Replies
0
Views
792
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Malware News Over 200 malicious apps on Google Play downloaded millions of times
Replies
1
Views
1,183
Security News
Digmor Crusher
Digmor Crusher

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top