Dridex v4 is already used in campaigns against UK banks

Mar 1, 2017 21:41 GMT

Dridex v4 is making a comeback with new capabilities that make it even harder to detect. 

The Dridex Trojan, one of the most destructive banking Trojans to hit the Internet, has just been given an update with a new injection method that makes it even harder to detect, one that takes advantage of AtomBombing, IBM X-Force reports.

AtomBombing, unlike some other common injection techniques seen in the wild, is designed specifically to make evading security software easy.

"In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities," reads the new research.

This new Dridex version doesn't rely on AtomBombing entirely, using only part of the technique for its purposes. It seems that the malware authors used AtomBombing to write the payload into the target process, then switched to a different method both to obtain execution permission for that memory and to execute the payload itself.

More changes to Dridex

The addition of AtomBombing wasn't the only change to Dridex. The developers also worked on a major upgrade to the way encryption is configured. The upgrade includes a modified naming algorithm, a new persistence mechanism and a few additional enhancements.

This new update isn't necessarily surprising for researchers. "The release of a major version upgrade is a big deal for any software, and the same goes for malware. The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud," X-Force writes.

The new Dridex v4 is currently being used against British banks, and estimates indicate that the attacks may soon move toward the United States.

AtomBombing was first spotted by enSilo back in October, when the security firm warned that attackers were abusing Windows' atom tables, which made the code injection technique affect all versions of Windows. It works by injecting malicious code into legitimate processes, which makes the malware harder for security products to detect.