Connect with us

Hi, what are you looking for?



New Malware Will Soon Start “AtomBombing” U.S. Banks

New Dridex 4 Banking Malware With AtomBombing Code Injection is Expected to be Used Against U.S. Banks 

New Dridex 4 Banking Malware With AtomBombing Code Injection is Expected to be Used Against U.S. Banks 

A new version of the Dridex banking malware has been detected targeting European banks, and is expected to be used against U.S. financial institutions in the coming months. Dridex 4 incorporates the usual range of software improvements that we have come to expect from professionally maintained malware — but it is also the first major malware to have adopted the new code injection technique known as ‘AtomBombing’.

AtomBombing was described by researchers at enSilo in October 2016. It is so named because of its use of Windows’ atom tables — read/writable stores of data that can be used by multiple applications. Malicious code can be written to the atom tables, and then retrieved and injected into executable memory space.

This process does not require any exploit against Windows since it makes use of a feature provided by Windows. Ultimately, it is simply a new code injection technique likely to by-pass existing AV and NGAV detections.

Dridex 4 was discovered by IBM X-Force in early February. Interestingly, it doesn’t implement AtomBombing exactly as described by enSilo. “In our analysis of the new Dridex v4 release,” says IBM, “we discovered that the malware’s authors have devised their own injection method, using the first step of the AtomBombing technique. They use the atom tables and NtQueueAPCThread to copy a payload and an import table into a RW memory space in the target process. But they only went halfway – they used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.”

Since enSilo’s original description of the technique, malware defenders will have been developing means to detect it. Dridex 4 hopes to bypass these current detections by using a modified method of AtomBombing. “Malware writers modify their software frequently as part of the cat-and-mouse game played between attackers and defenders,” explains F-Secure’s Andy Patel. “It doesn’t surprise me that the authors of Dridex pulled enSilo’s research into their new version so rapidly — it’s a perfect application for that hooking technique. What’s even more interesting is that they modified it themselves, thus avoiding any detection techniques that might have been pre-emptively created based on enSilo’s findings.”

In other words, Dridex 4 was a threat only for so long as it remained undetected. Now that it has been detected and analyzed by IBM, users with fully maintained mainstream anti-malware defenses will rapidly be protected — until the next new technique. “Defenders will now modify their detection approaches to catch the new techniques found in Dridex, and the cycle will continue,” explains Patel.

Advertisement. Scroll to continue reading.

This disinclination to describe Dridex and AtomBombing as a dangerous new game-changer is echoed by Luis Corrons, technical director at PandaLabs. “The way the attack is performed to inject code is new, although… malware has used malware injection techniques for a long time, for instance you can see that in many ransomware families.” It is, he said, “just another technique to be used by malware once it is already in the victim’s computer. It is easy to implement, so we’ll see it in some other malware attacks; however, from my personal opinion it is not something we have to worry about.”

It should be noted that the enSilo researcher who discovered AtomBombing, Tal Lieberman, is not convinced that the Dridex method is purely for evasion. “This adaptation actually simplifies the technique we described. Most likely, the malware authors decided to forego sophistication as they believed that their version is stealthy enough also without increased evasion measures.”

Although Dridex is not ‘non-malware‘, it is still “part of the growing trend towards fileless malware,” he added, “as that allows the malware to protect itself from the prying eyes of security researchers. The reason is that an executable, once caught by a security solution, is uploaded to the cloud for analysis by security vendors and other security researchers.”

The primary threat from Dridex 4 consequently occurred while it was still unknown. The authors knew this, and included improvements to its anti-research and anti-AV capabilities. “In this release,” comment the IBM researchers, “we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities.”

Two upgrades given special note by IBM include enhanced encryption, and an updated persistence mechanism. Firstly, it uses a modified naming algorithm. “In the new version, while the same variables are still being used to generate [MD5] hashes, the sequence has changed to shuffle things around and prevent detection by automated checks.”

Secondly, Dridex 4 has similarly modified its configuration file encryption. “Overall, Dridex continues to use the same multilayered approach it used in v3 variants, but it has changed and enhanced the encryption while still relying heavily on the RC4 cipher.”

The persistence mechanism has been changed. Earlier versions used ‘invisibility’. The DLL would only get written to disk with a registry value at shutdown. The new version has adopted a “robustness-over-stealth approach for its persistence mechanism.” An executable is now copied, explains IBM, “from system32 into a different directory and Dridex’s DLL is placed in that same directory. The malicious DLL mimics a legitimate DLL that’s loaded by the executable.”

Overall, perhaps the greatest significance of Dridex 4 is not the inclusion of AtomBombing per se, but the speed with which new techniques are incorporated into major malware. It seems that Andy Patel is somewhat surprised that it happened at all. “As for banking trojans in general, we were assuming they’d continue to lose marketshare as banks improved their back end anti-fraud algorithms.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...