Dridex Evolves and Incorporates Atombombing

In 2014, the Dridex Trojan appeared on the scene when an onslaught of spam emails carrying malicious macro-enabled attachments was sent to unsuspecting users throughout the UK. An evolution of the ZeuS lineage, Dridex's primary focus at the time was stealing banking credentials. If the attachment was opened and its macro ran, Dridex would monitor the user's online banking sessions through keylogging, web injects into banking sites, and even screenshots, with the stolen data often sent to and sold on dark web marketplaces.

By 2015, Dridex had gone international and was also targeting credentials for corporate networks in order to gain access to internal systems and steal confidential information. And last year, Dridex began targeting Bitcoin wallets and was also linked to Cerber ransomware attacks.

This year it has evolved even further, with a new code-injection capability that abuses Windows atom tables. An atom table is a system-maintained table that maps a string to a 16-bit integer identifier (an atom); any process in a session can add a string to the global atom table, and any process can retrieve that string again by its atom. This new capability, known as AtomBombing, turns that sharing into an injection primitive: the malware plants its code in the global atom table as ordinary strings, then induces a healthy application or process to retrieve those strings into its own memory and execute them.

And here's the clincher: security researchers currently see no fix in sight, because AtomBombing relies on legitimate Windows functionality rather than on a bug. It does not build on defective code; it uses the atom tables exactly as they are designed to be used, which makes it difficult, if not impossible, to patch without breaking that functionality. The realistic defence is therefore detecting the behaviour, not waiting for a vulnerability fix.
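As an added illustration (not code from the original post, nor from the Dridex or AtomBombing research it summarizes), the PowerShell below exercises the global atom table through the documented kernel32 APIs: one process stores a string, and a separate child process retrieves it knowing only the atom number. The class name Atoms, the marker string and the child-process layout are assumptions made for this example. It deliberately stops at the shared "write, then read elsewhere" property the technique depends on; it does not show how an injector would force a victim process to perform the read or run the result.

```powershell
# Added example (not from the original post): exercise the Windows global atom
# table via P/Invoke to show the sharing behaviour AtomBombing relies on.
# The class name "Atoms" and the marker string are assumptions for illustration.

$sig = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class Atoms {
    // Adds a string to the global atom table and returns its 16-bit atom.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalAddAtomW(string lpString);

    // Copies the string behind an atom into the caller's buffer; returns chars copied.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GlobalGetAtomNameW(ushort nAtom, StringBuilder lpBuffer, int nSize);

    // Decrements the atom's reference count; the string is removed when it hits zero.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern ushort GlobalDeleteAtom(ushort nAtom);
}
'@
Add-Type -TypeDefinition $sig

# 1. "Write" phase: this process stores a string (here a harmless marker) in the
#    global table. Atom strings are capped at 255 characters and end at the first
#    NUL, which is why a real injector has to split its data into chunks.
$payload = "AtomBombing demo string from pid $PID"
$atom = [Atoms]::GlobalAddAtomW($payload)
if ($atom -eq 0) {
    throw "GlobalAddAtomW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"parent pid $PID stored atom $atom"

# 2. "Read" phase in a *different* process: a child PowerShell that is given only
#    the atom number pulls the string into its own memory with GlobalGetAtomNameW.
#    No WriteProcessMemory or other cross-process memory API is involved.
$childScript = @"
Add-Type -TypeDefinition @'
$sig
'@
`$buf = New-Object System.Text.StringBuilder 256
`$len = [Atoms]::GlobalGetAtomNameW($atom, `$buf, `$buf.Capacity)
"child pid `$PID read atom $atom -> '`$(`$buf.ToString())' (`$len chars)"
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))
& powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded

# 3. Clean up: release our reference so the string leaves the table.
[void][Atoms]::GlobalDeleteAtom($atom)
```

Run it on Windows in a fresh PowerShell session (Add-Type cannot redefine the Atoms type once it is loaded). The cross-process read succeeds because the global atom table is shared by every process in the session; that is ordinary, documented behaviour, which is exactly why there is nothing for Microsoft to patch. From a detection standpoint, note that the child's call would look entirely normal in an API trace; only the surrounding context (who queued the read, what the string contains, what happens to the buffer afterwards) gives an injection away.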

Dridex implements parts of AtomBombing in order to go undetected more easily, circumvent antivirus and malware prevention software, and execute its payloads. By avoiding the API calls those products typically watch for as signs of process injection, this version of Dridex draws less attention to itself and works more effectively.

Antivirus vendors are currently working on detection mechanisms for the newest version of Dridex. As always, users should practice good security hygiene: verify the source from which an email was sent, avoid clicking links or opening attachments from unknown sources, do not enable macros in documents you did not expect to receive, and keep systems and software regularly updated and patched.

Learn More:
https://www.webopedia.com/TERM/D/dridex-malware.html
https://www.securityweek.com/atombombing-windows-vulnerability-cannot-be-patched
https://securityintelligence.com/dridexs-cold-war-enter-atombombing
