First Malware Family ” Dridex ” Banking Trojan integrate with Atom-Bombing Technique

1

IBM security Discovered a Malware family called  ” Dridex’s ”  with samples of version 4.0 of the infamous fully integrate Dangerous Auto Bombing banking trojan (Dridex v4).

Dridex v4 Reported as the only Trojan has encountered to use Atom-bombing . IBM X-Force said it is already in use in active campaigns against U.K. banks .

But majoy thing should be take necessary stop will be taken before hacking taking over other countries banking sector.

Dridex’s author’s additionally took a shot at a noteworthy move up to the malware’s setup encryption.

This update incorporates executing an adjusted naming calculation, a hearty yet simple to-spot persistence mechanism and a couple of extra improvements.

Earlier version is 2 year’s old

Dridex v1 launched in late 2014.Current version as binary codes ,configuration files Development takes 2 year to embedded very critical atom-bombing Technique.

As indicated by specialists, the trojan’s source code got such a large number of updates that it went from a keeping money trojan that depended on webinjects to utilizing redirection assaults, two altogether different methods.

Dridex v2 was as short-lived as v1, and only survived until April 2015, when it was replaced by Dridex v3.

According to an X-Force report on Dridex v4 released ,

“Over the long reign of Dridex v3, we have seen some significant changes implemented into the malware’s operations, such as modified anti-research techniques, redirection attacks and fraudulent M.O. changes. It is not surprising to see a new major version released from this gang’s developers,”

A Major Version seems very hard to Detect

IBM X-Force said, Dridex’s code is based on that of the Bugat Trojan, which was first discovered in early 2010. Bugat has since evolved into a number of different variations, including Cridex and Feodo. The Dridex form first appeared in 2014.

According to the IBM ,Dridex’s build numbers are found inside its configuration and in the binary’s code.

                                     Dridex’s code version hard-coded into the binary

What makes Dridex v4 different from other AtomBombing attacks is that attackers only use “the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself,” according to co-authors of the X-Force report Magal Baz and Or Safran.

As indicated by IBM Researchers, for Dridex v4, the malware’s makers kept the greater part of similar advancements from late v3 forms, depending on redirection assaults to block client activity, and divert victims to a clone of the genuine saving money entryway utilizing a privately introduced intermediary server.

hVNC became an integral factor later on, however just if the assailants unearthed casualties with valuable information and required RAT-like access to contaminated hosts.

Dridex switches to novel AtomBombing technique


This new and to some degree earth shattering code infusion strategy is called AtomBombing. In an exceptionally basic clarification, the strategy depends on putting away pernicious pieces of code inside molecule tables.

Molecule tables are particular to the Windows OS and permit applications to store the name of a string and a related esteem.

Molecule tables act as reserves for normally utilized strings and sections can be gotten to by all applications, not only the ones that made the information.

Dridex v4 has dropped this procedure infusion instrument that depended on a couple intensily-watched Windows API calls. As indicated by IBM, Dridex v4 now utilizes a system found by enSilo scientists in late October 2016.

enSilo Researcher’s found that aggressors could store malignant code in these particle tables and after that conjure them without utilizing the same ol’ Windows API calls.

For More Technical Details : securityintelligence

Also Read :

1 COMMENT

Leave a Reply