Update of Dridex Trojan gets an "AtomBombing"

vemn

Level 6
Thread author
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
The Dridex banking Trojan has been updated and now sports a new injection method for evading detection based on the technique known as AtomBombing.

Atom tables are a function of the Windows operating system that allows applications to store and access temporary data and to share data between applications. An attacker can write malicious code into an atom table and force a legitimate program to retrieve it from the table, researchers describe.


 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
:D ...indeed, the code is executed when it is loaded and this happens in:

thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary ("kernel32.dll"), "LoadLibraryA"), remoteBuff, 0, &threadId);
 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,321
Dridex v4 is making a comeback with new capabilities that make it even harder to detect.

Dridex Trojan, one of the most destructive banking Trojans to hit the Internet, has just been given an update with a new injection method that makes it even harder to detect, taking advantage of AtomBomb, IBM X-Force reports.

AtomBombing, unlike some other common injection techniques used in the wild, is meant to make evading security software a breeze.

"In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities," reads the new research.

This new Dridex version doesn't rely on AtomBombing entirely, using only a part of the exploit for its purpose. It seems that the malware authors used the AtomBombing technique for the writing of the payload, before switching to a different method to achieve execution permission, as well as for the execution itself.

Read more: Dridex Banking Trojan Now Uses AtomBombing to Avoid Detection
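The two posts above describe the same two-stage pattern from the defender's side: the payload is first written into a target process by way of the atom table (the legitimate process is made to fetch the atom into its own memory), and execution is then obtained by an ordinary remote-thread call such as the CreateRemoteThread / LoadLibraryA line quoted earlier in the thread. The following is an added illustration, not code from IBM X-Force, the forum posters or the Dridex authors, of how a simple detector could score those two behaviours over API-trace lines. The trace lines, the `<pid> <image> <api> key=value` format, the hypothetical monitor that emits them and the 256-byte atom-size threshold are all constructed assumptions for the example.

```python
"""
Toy detector for the AtomBombing-style injection pattern discussed in the thread.

Assumed input: lines from a hypothetical user-mode API monitor in the form
    "<pid> <image> <api> key=value ..."
Two behaviours are scored:
  1. a process stores an unusually large atom and then queues an APC into a
     DIFFERENT process whose routine is GlobalGetAtomName*, i.e. the victim is
     forced to copy the atom (the payload) into its own memory;
  2. a process creates a remote thread in another process with LoadLibrary* as
     the start routine, the classic execution step quoted in the thread.
"""
import re

# Constructed sample trace for the example; this is not real telemetry.
SAMPLE_TRACE = [
    "4312 evil.exe GlobalAddAtomA len=1024",
    "4312 evil.exe NtQueueApcThread target_pid=2280 routine=GlobalGetAtomNameA",
    "2280 explorer.exe GlobalGetAtomNameA",
    "1700 notepad.exe GlobalAddAtomA len=12",
    "1700 notepad.exe GlobalFindAtomA",
    "5100 dropper.exe CreateRemoteThread target_pid=2280 start=LoadLibraryA",
    "6000 app.exe CreateRemoteThread target_pid=6000 start=WorkerThread",
]

# Assumed threshold: legitimate atoms are short identifier strings, so a
# payload-sized atom is a useful (if crude) signal on its own.
LARGE_ATOM_BYTES = 256

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one trace line into pid, image, api and a dict of key=value args."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    pid, image, api = int(parts[0]), parts[1], parts[2]
    args = dict(KV.findall(parts[3])) if len(parts) == 4 else {}
    return {"pid": pid, "image": image, "api": api, "args": args}


def detect(lines):
    """Return a list of (alert_name, source_pid, target_pid) tuples."""
    alerts = []
    large_atom_writers = set()  # pids that stored a payload-sized atom
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, api, args = ev["pid"], ev["api"], ev["args"]

        if api.startswith("GlobalAddAtom"):
            if int(args.get("len", 0)) >= LARGE_ATOM_BYTES:
                large_atom_writers.add(pid)

        elif api == "NtQueueApcThread":
            # Cross-process APC whose routine reads an atom back: the "force a
            # legitimate program to retrieve it" step, only after a large write.
            target = int(args.get("target_pid", pid))
            routine = args.get("routine", "")
            if (target != pid and routine.startswith("GlobalGetAtomName")
                    and pid in large_atom_writers):
                alerts.append(("atombombing_write", pid, target))

        elif api == "CreateRemoteThread":
            # Remote thread started at LoadLibrary*: the execution step.
            target = int(args.get("target_pid", pid))
            if target != pid and args.get("start", "").startswith("LoadLibrary"):
                alerts.append(("remote_loadlibrary_exec", pid, target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(alert)
```

Only the combination of a large atom write followed by a cross-process APC into the atom-retrieval routine is scored, so an ordinary program that registers a short window-class atom (the notepad.exe lines in the sample) raises nothing; a real deployment would also want to correlate on the thread ID of the APC and on which process ends up executing the fetched data.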
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
A technical contextualization of this malware always seems more complex, given its fast evolution.
It is an endless race, a cat-and-mouse game.
I believe greater user awareness is crucial, since social engineering is very often the basis of these attacks.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
but ... update antivirus can destroy this kind of virus ... is it possible to destroy Trojans? can destroy easily
If it has signatures for it then sure, but if it doesn't then you're reliant on a product's behavioral blocking ability and whether that blocks it before Dridex encrypts your files is another matter altogether.
 
