Dridex, one of the worst banking Trojans to ever enter the financial malware scene, is back once again, and is in a better shape than before. New capabilities have been added to Dridex v4 which make it even more impossible to detect and counter.
The discovery of Dridex’s code update and comeback belongs to researchers from IBM X-Force. The new feature in question is called AtomBombing and is an advanced injection technique that serves to evade security software in quite a subtle manner.
Dridex Plus AtomBombing Equals Worse Attacks
The research team came across Dridex v4 several weeks ago, and that’s when the innovative injection technique was uncovered. It is based on a technique known as AtomBombing, which was first discovered by enSilo researchers in October last year.
The latest version of the malware doesn’t fully depend on AtomBombing, as it only uses a small part of the exploit for the final purpose. What appears to be the case is that the malicious coders employed the AtomBombing technique for the writing of the payload, and then turned to a different technique to achieve execution permission.
In addition, Dridex is the only banking Trojan to employ AtomBombing, making it even more sophisticated and threating. The addition of this technique only means that other organized cybercrime gangs will also start adopting the methodology, leading to a series of upcoming dreadful attacks.
Even worse, this is not the only improvement. A major upgrade has been done to the Trojan’s configuration encryption. The change implements a modified naming algorithm, “a robust but easy-to-spot persistence mechanism and a few additional enhancements”, as explained by the research team.
Dridex v4 Already Making Rounds in the Wild
IBM Security detection indicates that the nefarious banker is already out and about, and is being spread in active campaigns primarily against banks in the UK.