New Dridex 4 Banking Malware With AtomBombing Code Injection is Expected to be Used Against U.S. Banks
A new version of the Dridex banking malware has been detected targeting European banks, and is expected to be used against U.S. financial institutions in the coming months. Dridex 4 incorporates the usual range of software improvements that we have come to expect from professionally maintained malware -- but it is also the first major malware to have adopted the new code injection technique known as 'AtomBombing'.
AtomBombing was described by researchers at enSilo in October 2016. It is so named because of its use of Windows' atom tables -- readable and writable stores of data that can be shared by multiple applications. Malicious code can be written to the atom tables, and then retrieved and injected into executable memory space.
This process does not require any exploit against Windows, since it makes use of a feature provided by Windows. Ultimately, it is simply a new code injection technique likely to bypass existing AV and NGAV detections.
Dridex 4 was discovered by IBM X-Force in early February. Interestingly, it doesn't implement AtomBombing exactly as described by enSilo. "In our analysis of the new Dridex v4 release," says IBM, "we discovered that the malware's authors have devised their own injection method, using the first step of the AtomBombing technique. They use the atom tables and NtQueueAPCThread to copy a payload and an import table into a RW memory space in the target process. But they only went halfway - they used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself."
Since enSilo's original description of the technique, malware defenders will have been developing means to detect it. Dridex 4 hopes to bypass these current detections by using a modified method of AtomBombing. "Malware writers modify their software frequently as part of the cat-and-mouse game played between attackers and defenders," explains F-Secure's Andy Patel. "It doesn't surprise me that the authors of Dridex pulled enSilo's research into their new version so rapidly -- it's a perfect application for that hooking technique. What's even more interesting is that they modified it themselves, thus avoiding any detection techniques that might have been pre-emptively created based on enSilo's findings."
In other words, Dridex 4 was a threat only for so long as it remained undetected. Now that it has been detected and analyzed by IBM, users with fully maintained mainstream anti-malware defenses will rapidly be protected -- until the next new technique. "Defenders will now modify their detection approaches to catch the new techniques found in Dridex, and the cycle will continue," explains Patel.
This disinclination to describe Dridex and AtomBombing as a dangerous new game-changer is echoed by Luis Corrons, technical director at PandaLabs. "The way the attack is performed to inject code is new, although... malware has used malware injection techniques for a long time, for instance you can see that in many ransomware families." It is, he said, "just another technique to be used by malware once it is already in the victim's computer. It is easy to implement, so we'll see it in some other malware attacks; however, from my personal opinion it is not something we have to worry about."
It should be noted that the enSilo researcher who discovered AtomBombing, Tal Lieberman, is not convinced that the Dridex method is purely for evasion. "This adaptation actually simplifies the technique we described. Most likely, the malware authors decided to forego sophistication as they believed that their version is stealthy enough also without increased evasion measures."
Although Dridex is not 'non-malware', it is still "part of the growing trend towards fileless malware," he added, "as that allows the malware to protect itself from the prying eyes of security researchers. The reason is that an executable, once caught by a security solution, is uploaded to the cloud for analysis by security vendors and other security researchers."
The primary threat from Dridex 4 consequently occurred while it was still unknown. The authors knew this, and included improvements to its anti-research and anti-AV capabilities. "In this release," comment the IBM researchers, "we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities."
Two upgrades given special note by IBM include enhanced encryption and an updated persistence mechanism. Firstly, it uses a modified naming algorithm. "In the new version, while the same variables are still being used to generate [MD5] hashes, the sequence has changed to shuffle things around and prevent detection by automated checks."
Secondly, Dridex 4 has similarly modified its configuration file encryption. "Overall, Dridex continues to use the same multilayered approach it used in v3 variants, but it has changed and enhanced the encryption while still relying heavily on the RC4 cipher."
The persistence mechanism has been changed. Earlier versions used 'invisibility'. The DLL would only get written to disk with a registry value at shutdown. The new version has adopted a "robustness-over-stealth approach for its persistence mechanism." An executable is now copied, explains IBM, "from system32 into a different directory and Dridex's DLL is placed in that same directory. The malicious DLL mimics a legitimate DLL that's loaded by the executable."
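The persistence pattern IBM describes (a copy of a System32 executable dropped into another directory beside a DLL that borrows a legitimate DLL's name) can be hunted for on disk. The following is an added hunting check written for this article, not code from IBM or from any Dridex analysis; the file names in the demo tree are constructed, the System32 path is assumed, and the heuristic (same-named DLL whose content differs from the System32 copy) is an assumption about what "mimics a legitimate DLL" looks like on disk.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def index_dir(directory: Path) -> dict:
    """Map lowercase file name -> SHA-256 for every .exe/.dll directly inside directory."""
    return {p.name.lower(): sha256_of(p) for p in directory.iterdir()
            if p.is_file() and p.suffix.lower() in (".exe", ".dll")}


def find_sideload_candidates(scan_roots, system32_index: dict) -> list:
    """Flag directories holding a copy of a System32 executable next to a DLL that
    carries a System32 DLL name but different content (the masquerading pattern)."""
    hits = []
    for root in scan_roots:
        for dirpath, _, files in os.walk(root):
            here = Path(dirpath)
            lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
            exes = [n for n in lower if n.endswith(".exe") and n in system32_index]
            dlls = [n for n in lower if n.endswith(".dll") and n in system32_index]
            for d in dlls:
                if sha256_of(here / lower[d]) == system32_index[d]:
                    continue  # byte-identical to the real DLL: a plain redistribution, not a swap
                for e in exes:
                    hits.append((str(here / lower[e]), str(here / lower[d])))
    return hits


def demo() -> list:
    """Constructed sample tree (hypothetical names): one benign vendor copy that ships
    the genuine DLL, and one directory where the DLL beside the copied exe was swapped."""
    base = Path(tempfile.mkdtemp())
    sys32 = base / "system32"; sys32.mkdir()
    (sys32 / "hostapp.exe").write_bytes(b"MZ-real-host")
    (sys32 / "helper.dll").write_bytes(b"MZ-real-helper")
    good = base / "AppData" / "Vendor"; good.mkdir(parents=True)
    (good / "hostapp.exe").write_bytes(b"MZ-real-host")
    (good / "helper.dll").write_bytes(b"MZ-real-helper")         # identical: ignored
    bad = base / "AppData" / "Roaming" / "x"; bad.mkdir(parents=True)
    (bad / "hostapp.exe").write_bytes(b"MZ-real-host")
    (bad / "helper.dll").write_bytes(b"MZ-not-the-real-helper")  # differs: flagged
    return find_sideload_candidates([base / "AppData"], index_dir(sys32))
```

On a real host you would call `find_sideload_candidates([Path.home()], index_dir(Path(r"C:\Windows\System32")))`; expect some noise from software that legitimately redistributes patched system DLLs, so treat hits as leads to triage rather than verdicts.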
Overall, perhaps the greatest significance of Dridex 4 is not the inclusion of AtomBombing per se, but the speed with which new techniques are incorporated into major malware. It seems that Andy Patel is somewhat surprised that it happened at all. "As for banking trojans in general, we were assuming they'd continue to lose market share as banks improved their back end anti-fraud algorithms."