Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection


March 1, 2017

Security researchers have discovered a new variant of Dridex, one of the most nefarious banking Trojans actively targeting the financial sector, that adds a new, sophisticated code injection and evasion technique called "AtomBombing."

On Tuesday, Magal Baz, a security researcher at IBM Trusteer, disclosed new research exposing Dridex version 4, the latest version of the infamous financial Trojan, and its new capabilities.

Dridex is one of the best-known banking Trojans and exhibits the typical behavior of its class: it infiltrates victims' PCs through macros embedded in Microsoft documents or through web injection attacks, monitors the victim's traffic to banking sites, and then steals online banking credentials and financial data.

However, by adding AtomBombing, Dridex becomes the first ever malware sample to use such a sophisticated code injection technique to evade detection.

What is “AtomBombing” Technique?

The code injection techniques used by previous versions of the Dridex Trojan had become too common and too easy for antivirus and other security products to spot.

AtomBombing takes a different approach to code injection that does not rely on the easy-to-detect API calls used by older Dridex versions, so adopting it in the latest Dridex version makes the malware much harder for antivirus products to detect.

First reported in October by Tal Liberman of the security firm enSilo, AtomBombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft's Windows OS, including Windows 10, in a way that no existing anti-malware tool can detect.

AtomBombing does not exploit any vulnerability; instead it abuses the system-level atom tables, a Windows feature that lets applications store strings, objects, and other types of data that they need to access on a regular basis.
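Because AtomBombing avoids the classic injection APIs, a defender has to look for the combination of calls the technique does use rather than for any single suspicious call. The following is an added detection example, not code from the article, IBM Trusteer or enSilo. It runs over a constructed, made-up API-call trace (the record format and the process IDs are assumptions for the example) and flags a process that first writes to the global atom table and then queues an APC into a different process with the atom-reading routine as the APC target. The API names (GlobalAddAtom for the write, NtQueueApcThread with GlobalGetAtomName as the queued routine) come from enSilo's public AtomBombing write-up and are not named in this article; the example shows the principle, not a production rule.

```python
"""Flag the AtomBombing call pattern in a (constructed) API-call trace."""
from typing import Iterable, List, Tuple

# A trace record: (event_id, calling_pid, api_name, target_pid, detail).
# target_pid is the process the call acts on (equal to calling_pid for
# in-process calls); detail carries the queued routine name for
# NtQueueApcThread records. All values below are constructed sample data.
TraceRecord = Tuple[int, int, str, int, str]

SAMPLE_TRACE: List[TraceRecord] = [
    # Suspicious: pid 1001 stages data in the global atom table, then
    # queues an APC into pid 2002 whose routine reads that atom back.
    (1, 1001, "GlobalAddAtomA", 1001, "staged chunk 1"),
    (2, 1001, "GlobalAddAtomA", 1001, "staged chunk 2"),
    (3, 1001, "OpenThread", 2002, ""),
    (4, 1001, "NtQueueApcThread", 2002, "GlobalGetAtomNameA"),
    # Benign: an application using atoms inside its own process only.
    (5, 3003, "GlobalAddAtomA", 3003, "window class name"),
    (6, 3003, "GlobalGetAtomNameA", 3003, ""),
    # Benign: a process queueing an APC to one of its own threads.
    (7, 4004, "NtQueueApcThread", 4004, "SomeCallback"),
    # Benign: cross-process APC, but no prior atom-table write by the caller.
    (8, 5005, "NtQueueApcThread", 6006, "SomeCallback"),
]

# Atom-table APIs in their ANSI and wide variants.
ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW"}
ATOM_READ_APIS = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}


def find_atombombing_candidates(trace: Iterable[TraceRecord]) -> List[Tuple[int, int]]:
    """Return (source_pid, target_pid) pairs showing the AtomBombing pattern.

    A hit requires, in event order: the source wrote to the global atom
    table, then queued an APC into a *different* process with an
    atom-reading routine as the APC target. In-process atom use and
    same-process APCs are ordinary Windows behaviour and are not flagged.
    """
    staged_by: set = set()          # pids that have written to the atom table
    hits: List[Tuple[int, int]] = []
    for _event_id, pid, api, target, detail in sorted(trace):
        if api in ATOM_WRITE_APIS:
            staged_by.add(pid)
        elif (
            api == "NtQueueApcThread"
            and target != pid
            and detail in ATOM_READ_APIS
            and pid in staged_by
        ):
            pair = (pid, target)
            if pair not in hits:
                hits.append(pair)
    return hits


if __name__ == "__main__":
    for source, target in find_atombombing_candidates(SAMPLE_TRACE):
        print(f"possible AtomBombing: pid {source} -> pid {target}")
```

The rule is deliberately narrow: it keys on the cross-process APC whose routine is an atom-table read, which is the step that moves attacker data into the victim, and it ignores the many legitimate programs that add and read atoms in their own process. A real deployment would take its records from an API-monitoring or EDR feed rather than the constructed list above.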
