“Over the long reign of Dridex v3, we have seen some significant changes implemented into the malware’s operations, such as modified anti-research techniques, redirection attacks and fraudulent M.O. changes. It is not surprising to see a new major version released from this gang’s developers,” according to an X-Force report on Dridex v4 released Tuesday.
As in previous versions, Dridex v4 monitors the victim's browser traffic to banking sites and steals login and account information. The biggest change is its code injection method. Code injection, the researchers point out, is one of the operations most closely watched by antivirus and other security products, and the injection techniques used by earlier Dridex versions have become common enough to be easy to spot. That has pushed the gang to adopt AtomBombing in the new version.
AtomBombing is a different approach to code injection that avoids the easily monitored API calls earlier Dridex versions relied on, such as WriteProcessMemory and CreateRemoteThread. The technique was first published in October 2016 by enSilo researchers; Dridex v4 uses it to get code into a target process without those calls.
“AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”
Atom tables are a Windows mechanism that lets applications store a string and refer to it later by a 16-bit integer, the atom; the global atom table is shared between processes. An attacker can add a string containing the payload bytes to the global atom table and then force a legitimate process to copy it back out: the injector queues an APC on one of the target's threads that calls GlobalGetAtomNameW with a buffer inside the target, so the payload lands in the target's memory without the injector ever calling WriteProcessMemory on it, the researchers explain.
What makes Dridex v4 different from other AtomBombing attacks is that its authors only used "the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself," according to the co-authors of the X-Force report, Magal Baz and Or Safran.
Dridex v4 departs at the tail end of the AtomBombing sequence. Instead of hijacking a thread with NtSetContextThread to run a ROP chain that allocates executable memory, "Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into the read/write/execute (memory)." With the payload now executable, Dridex uses another asynchronous procedure call (APC) to GlobalGetAtomNameA to trigger it, X-Force said.
"The last stage is the execution of the payload. To avoid calling CreateRemoteThread, Dridex again uses APC. Using an APC call to the payload itself would be very suspicious," the researchers said. Instead, Dridex v4 uses "the same GlobalGetAtomNameW method to patch GlobalGetAtomNameA, hooking it to execute the payload."
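The sequence described above, from the atom-table write through the two execution variants (the original NtSetContextThread/ROP route and the Dridex v4 route of a remote NtProtectVirtualMemory followed by a second APC), is what a detection has to key on, since neither WriteProcessMemory nor CreateRemoteThread ever appears. The script below is an added example, not code from the X-Force report or from enSilo: it runs a few heuristic rules over a simplified per-call trace. The `key=value` trace format and the sample traces are constructed for this example (real telemetry would come from a sandbox hook or ETW provider and would need the thread handle resolved to a target pid); the API names and the `PAGE_EXECUTE_READWRITE` value are real Windows values.

```python
"""Flag the AtomBombing injection sequence in a simplified API-call trace.

Added example, not code from the X-Force report or from enSilo. The
key=value line format is constructed for this example; API names and
PAGE_EXECUTE_READWRITE (0x40) are real Windows values.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40

CLASSIC_WRITE = {"WriteProcessMemory"}
CLASSIC_EXEC = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"}
ATOM_ADD = {"GlobalAddAtomA", "GlobalAddAtomW"}
ATOM_GET = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}  # APC routines AtomBombing abuses


@dataclass
class Call:
    pid: int                        # process making the call
    api: str
    target_pid: int | None = None   # process owning the handle/thread passed in
    apc_routine: str | None = None  # NtQueueApcThread only
    protect: int | None = None      # NtProtectVirtualMemory only


def parse_trace(text: str) -> list[Call]:
    """One call per line, fields as key=value (constructed format)."""
    calls = []
    for line in text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        calls.append(Call(
            pid=int(kv["pid"]),
            api=kv["api"],
            target_pid=int(kv["target_pid"]) if "target_pid" in kv else None,
            apc_routine=kv.get("apc_routine"),
            protect=int(kv["protect"], 0) if "protect" in kv else None,
        ))
    return calls


@dataclass
class PairState:
    """What one injector pid has done to one target pid so far."""
    added_atom: bool = False
    atom_apcs: list[str] = field(default_factory=list)
    set_context: bool = False
    remote_rwx: bool = False
    classic_write: bool = False
    classic_exec: bool = False


def detect(calls: list[Call]) -> dict[tuple[int, int], list[str]]:
    """Return finding tags per (injector pid, target pid)."""
    atom_owners: set[int] = set()  # pids that put a string in the global atom table
    pairs: dict[tuple[int, int], PairState] = defaultdict(PairState)
    for c in calls:
        if c.api in ATOM_ADD:
            atom_owners.add(c.pid)
            continue
        if c.target_pid is None or c.target_pid == c.pid:
            continue  # only cross-process calls matter for injection
        p = pairs[(c.pid, c.target_pid)]
        p.added_atom |= c.pid in atom_owners
        if c.api == "NtQueueApcThread" and c.apc_routine in ATOM_GET:
            p.atom_apcs.append(c.apc_routine)
        elif c.api == "NtSetContextThread":
            p.set_context = True
        elif c.api == "NtProtectVirtualMemory" and c.protect == PAGE_EXECUTE_READWRITE:
            p.remote_rwx = True
        elif c.api in CLASSIC_WRITE:
            p.classic_write = True
        elif c.api in CLASSIC_EXEC:
            p.classic_exec = True

    findings: dict[tuple[int, int], list[str]] = {}
    for key, p in pairs.items():
        tags = []
        if p.classic_write and p.classic_exec:
            tags.append("classic_injection")
        if p.added_atom and p.atom_apcs:
            # Write primitive: an APC on one of the target's own threads calls
            # GlobalGetAtomName*, which copies the atom string into target memory.
            if p.set_context:
                tags.append("atombombing_original")   # ROP chain via hijacked thread context
            elif p.remote_rwx and len(p.atom_apcs) >= 2:
                tags.append("atombombing_dridex_v4")  # remote RWX flip, then a second APC
            else:
                tags.append("atombombing_write_only")
        if tags:
            findings[key] = tags
    return findings


# Constructed sample traces: pid 1000 is the injector, pid 2000 the target.
CLASSIC_TRACE = """
pid=1000 api=OpenProcess target_pid=2000
pid=1000 api=VirtualAllocEx target_pid=2000 protect=0x40
pid=1000 api=WriteProcessMemory target_pid=2000
pid=1000 api=CreateRemoteThread target_pid=2000
"""
ORIGINAL_TRACE = """
pid=1000 api=GlobalAddAtomW
pid=1000 api=NtQueueApcThread target_pid=2000 apc_routine=GlobalGetAtomNameW
pid=1000 api=NtSetContextThread target_pid=2000
"""
DRIDEX_V4_TRACE = """
pid=1000 api=GlobalAddAtomW
pid=1000 api=NtQueueApcThread target_pid=2000 apc_routine=GlobalGetAtomNameW
pid=1000 api=NtProtectVirtualMemory target_pid=2000 protect=0x40
pid=1000 api=GlobalAddAtomW
pid=1000 api=NtQueueApcThread target_pid=2000 apc_routine=GlobalGetAtomNameW
pid=1000 api=NtQueueApcThread target_pid=2000 apc_routine=GlobalGetAtomNameA
"""

if __name__ == "__main__":
    for name, trace in [("classic", CLASSIC_TRACE), ("original", ORIGINAL_TRACE),
                        ("dridex_v4", DRIDEX_V4_TRACE)]:
        print(name, detect(parse_trace(trace)))
```

The rules are deliberately narrow: a cross-process NtQueueApcThread whose routine is GlobalGetAtomNameA/W is already an anomaly worth alerting on by itself, and the `atombombing_write_only` tag exists so the write primitive is reported even when the execution stage is not one of the two described here. The hard part in production is not the matching but the correlation: the thread handle passed to NtQueueApcThread and the process handle passed to NtProtectVirtualMemory must be resolved back to the target pid, which the constructed trace simply hands over as `target_pid`.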
X-Force said this specific implementation of AtomBombing is a first of its kind in the context of banking Trojans and designed to cloak the malware’s activities.
Other enhancements to Dridex v4 include a modified naming algorithm, enhanced encryption for its configuration and an updated persistence mechanism.
“The changes to Dridex’s code injection method are among the most significant enhancements in v4,” wrote researchers. “The adoption of a new injection technique shortly after its discovery demonstrates Dridex’s efforts to keep up with the times and the evolution of security controls.”
Over the years, the cybercriminals behind the different versions of the Dridex Trojan have been extremely persistent. While campaign volume has fluctuated, development of the malware has been steady. In January, researchers at Flashpoint said they had spotted a new Dridex variant with a technique that bypasses Windows User Account Control (UAC). In 2015, an older version of Dridex adopted a detection-evasion technique called AutoClose, in which phishing messages carried macro-based attacks that did not execute until the malicious document was closed.