Wednesday, September 18, 2024

Dridex Banking Trojan Is the First Malware Family to Integrate the AtomBombing Technique

IBM Security discovered samples of version 4.0 of the infamous Dridex banking trojan (Dridex v4), the first build of the malware family to fully integrate the dangerous AtomBombing technique.

Dridex v4 is reported as the only trojan encountered so far to use AtomBombing. IBM X-Force said it is already in use in active campaigns against U.K. banks.

The major concern is that the necessary countermeasures should be taken before the attackers extend the campaign to the banking sector of other countries.


Dridex’s authors additionally took a shot at a noteworthy upgrade to the malware’s configuration encryption.

This update includes a modified naming algorithm, a robust yet easy-to-spot persistence mechanism and a couple of additional improvements.

The earlier version is two years old

Dridex v1 launched in late 2014. Judging by the current version’s binary code and configuration files, it took two years of development to embed the very critical AtomBombing technique.

According to researchers, the trojan’s source code received so many updates that it went from a banking trojan that relied on webinjects to one that uses redirection attacks, two entirely different methods.

Dridex v2 was as short-lived as v1, and only survived until April 2015, when it was replaced by Dridex v3.

According to the X-Force report on Dridex v4:

“Over the long reign of Dridex v3, we have seen some significant changes implemented into the malware’s operations, such as modified anti-research techniques, redirection attacks and fraudulent M.O. changes. It is not surprising to see a new major version released from this gang’s developers,”

A major version that seems very hard to detect

IBM X-Force said Dridex’s code is based on that of the Bugat trojan, which was first discovered in early 2010. Bugat has since evolved into a number of different variations, including Cridex and Feodo. The Dridex form first appeared in 2014.

According to IBM, Dridex’s build numbers are found inside its configuration and in the binary’s code.

Dridex’s code version hard-coded into the binary

What makes Dridex v4 different from other AtomBombing attacks is that attackers only use “the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself,” according to co-authors of the X-Force report Magal Baz and Or Safran.

According to IBM researchers, for Dridex v4 the malware’s makers kept most of the same advances from the late v3 builds, relying on redirection attacks to intercept user activity and divert victims to a clone of the genuine banking portal through a locally installed proxy server.

hVNC comes into play later on, but only if the attackers come across victims with valuable information and require RAT-like access to the infected hosts.

Dridex switches to novel AtomBombing technique


This new and somewhat groundbreaking code injection method is called AtomBombing. In a very basic explanation, the method relies on storing malicious pieces of code inside atom tables.

Atom tables are specific to the Windows OS and allow applications to store a string together with an associated value.

Atom tables act as caches for commonly used strings, and their entries can be accessed by all applications, not only the one that created the data.

Dridex v4 has dropped the process injection mechanism that relied on a few heavily monitored Windows API calls. According to IBM, Dridex v4 now uses a technique discovered by enSilo researchers in late October 2016.

enSilo researchers found that attackers could store malicious code in these atom tables and then invoke it without using the usual Windows API calls.
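Because the technique described above stores code fragments as strings in the global atom table, one defensive check is to inspect that table for entries that do not look like text. The following PowerShell script is an added hunting example written for this article; it is not code from IBM, enSilo or the Dridex report. The P/Invoke wrapper, the function name and the 30% threshold are this example’s own assumptions; the fact that string atoms occupy identifiers 0xC000 through 0xFFFF comes from the Windows documentation for the atom API.

```powershell
# Added hunting example: list global atoms whose names contain control characters.
# Legitimate global atoms (window class names, clipboard formats, DDE topics) are
# readable text, so an entry made mostly of non-text bytes is worth a closer look.
# Assumption: the AtomApi wrapper below is hand-written for this example.
if (-not ('AtomApi' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class AtomApi {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern uint GlobalGetAtomName(ushort nAtom, StringBuilder lpBuffer, int nSize);
}
'@
}

function Get-SuspiciousGlobalAtoms {
    param(
        # Fraction of control characters above which an atom is flagged (assumed threshold)
        [double]$Threshold = 0.3
    )
    $buf = New-Object System.Text.StringBuilder 256   # atom names are at most 255 characters
    # String atoms occupy 0xC000..0xFFFF; lower values are integer atoms and never hold strings.
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        [void]$buf.Clear()
        $len = [int][AtomApi]::GlobalGetAtomName([uint16]$atom, $buf, $buf.Capacity)
        if ($len -eq 0) { continue }                  # unused slot or lookup failure
        $name = $buf.ToString(0, $len)
        $control = @($name.ToCharArray() | Where-Object { [char]::IsControl($_) }).Count
        $ratio = $control / $len
        [pscustomobject]@{
            Atom         = ('0x{0:X4}' -f $atom)
            Length       = $len
            ControlRatio = [math]::Round($ratio, 2)
            Suspicious   = ($ratio -ge $Threshold)
            # Non-printable characters are replaced by '.' so the preview is safe to display
            Preview      = ($name -replace '[^\x20-\x7E]', '.').Substring(0, [math]::Min($len, 40))
        }
    }
}

# Usage: show only the flagged entries for the current session
Get-SuspiciousGlobalAtoms | Where-Object Suspicious | Format-Table -AutoSize
```

Two caveats apply. The global atom table is per session, so the script only sees the session it runs in, and it is a point-in-time view: an attacker that deletes its atoms after use leaves nothing behind for a later scan. Treat a hit as a lead to correlate with process and memory telemetry rather than as proof of infection, and expect occasional false positives from applications that store binary blobs in atoms for their own reasons.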

For more technical details: securityintelligence

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
