Dridex Banking Trojan Avoids Detection Through AtomBombing

The Dridex Trojan, lately ranked among the most dangerous banking Trojans, has just been updated. By taking advantage of AtomBombing, the new version makes Dridex even harder to detect.

Unlike some other injection methods, AtomBombing is meant to make evading security software a breeze.

“In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities,” the latest research states.

Notably, the new version of Dridex does not rely on AtomBombing entirely; it uses just one part of the technique.

Most probably, the Dridex developers used the AtomBombing technique only to write the payload into the target process, then switched to a different method to obtain execution permission on that memory and to execute the payload itself.

The addition of AtomBombing was not the only change to the banking Trojan. The malware developers also made a major upgrade to the way the configuration is encrypted. The latest version further implements a modified naming algorithm, a new persistence mechanism, and several other enhancements.

The latest update did not surprise the experts that much. “The release of a major version upgrade is a big deal for any software, and the same goes for malware. The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud,” IBM X-Force says.

Currently, the new Dridex v4 is being used against British banks; however, there are indications that the attacks may soon move towards the USA.

AtomBombing was first disclosed in October of last year. At that time, the security company enSilo warned that attackers were using Windows atom tables for code injection, a technique that affects all Windows versions.

AtomBombing injects malicious code into legitimate processes, which makes the malware harder to detect.
