Atom Bombing (AB) is a code injection technique first discovered by security researchers in 2016. AB works on all versions of Windows and is undetectable by most current security solutions. The actors behind the banking trojan Dridex implemented AB almost immediately after it was released in open source. This report examines the AB technique and its use by the authors of Dridex.
Atom Bombing works by manipulating atom tables. An atom table is a system-defined table that stores strings and their corresponding identifiers. Windows has two kinds of atom tables, and AB relies on the global one:
- Local atom table – accessible to a single process – managed by user mode.
- Global atom table – accessible across processes – managed by the kernel.
The technique uses the following API calls:
- GlobalAddAtom – Adds a string to the global atom table and returns a unique 16-bit integer identifying the string.
- GlobalGetAtomName – Retrieves a copy of the string associated with the specified global atom.
By calling GlobalAddAtom, an attacker can store a null-terminated buffer in the global atom table, which is accessible from other processes on the host. Calling GlobalGetAtomName retrieves the buffer contents. Using this mechanism, an attacker could store a string containing shellcode in the atom table, which could then be retrieved from another process using the corresponding 16-bit atom identifier.
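As an added defender-side example (not code from the report or from the Dridex authors), the following script walks the string-atom range 0xC000–0xFFFF with GlobalGetAtomNameW and flags atoms whose contents are not readable text, which is what a chunk of injected code would look like. The sample atom names and the 10% threshold are constructed assumptions for illustration.

```python
"""Triage the global atom table for non-text contents (hunting aid)."""
import ctypes
import sys

STRING_ATOM_FIRST = 0xC000  # string atoms live in 0xC000..0xFFFF
STRING_ATOM_LAST = 0xFFFF
CONTROL_RATIO_THRESHOLD = 0.10  # assumption: >10% control chars is odd for a name


def classify_atom(name: str) -> str:
    """Atom names registered by ordinary applications (window classes,
    clipboard formats, DDE items) are readable text; control characters,
    C1 controls and lone surrogates point at binary data stored as a 'string'."""
    if not name:
        return "empty"
    control = sum(
        1 for ch in name
        if ord(ch) < 0x20 or 0x7F <= ord(ch) < 0xA0 or 0xD800 <= ord(ch) <= 0xDFFF
    )
    return "suspicious" if control / len(name) > CONTROL_RATIO_THRESHOLD else "benign"


def triage(atoms: dict) -> dict:
    """Return only the atoms that need an analyst's eye: {atom_id: verdict}."""
    return {a: v for a, n in atoms.items() if (v := classify_atom(n)) == "suspicious"}


def read_global_atoms() -> dict:
    """Windows only: brute-force the string-atom range, since there is no
    enumeration API. Returns {atom_id: name} for every atom that exists."""
    if sys.platform != "win32":
        raise OSError("global atom tables exist only on Windows")
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GlobalGetAtomNameW.argtypes = (wintypes.ATOM, wintypes.LPWSTR, ctypes.c_int)
    k32.GlobalGetAtomNameW.restype = wintypes.UINT
    buf = ctypes.create_unicode_buffer(256)  # atom names are at most 255 chars
    found = {}
    for atom in range(STRING_ATOM_FIRST, STRING_ATOM_LAST + 1):
        n = k32.GlobalGetAtomNameW(atom, buf, len(buf))
        if n:
            found[atom] = buf[:n]  # slice, not .value, so embedded NULs survive
    return found


# Constructed sample: two ordinary names and one opaque control-byte blob.
SAMPLE_ATOMS = {
    0xC001: "Chrome_WidgetWin_1",
    0xC002: "HTML Format",
    0xC003: "\x01\x02\x03\x04\x05\x06\x07\x08",  # constructed stand-in, not real code
}

if __name__ == "__main__":
    atoms = read_global_atoms() if sys.platform == "win32" else SAMPLE_ATOMS
    for atom_id, verdict in triage(atoms).items():
        print(f"atom 0x{atom_id:04X}: {verdict}")
```

On a live host the script only sees the session's own global atom table, so run it in the session under investigation.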
Dridex is perhaps one of the most sophisticated banking trojans in the wild to date. The authors keep Dridex relevant through continuous development, with new versions appearing every year. The authors behind Dridex are also responsible for some of the largest botnets to date, such as Gameover Zeus and Necurs, and for a new ransomware variant known as BitPaymer / FriedEx.
Dridex is the first malware family to incorporate Atom Bombing. The Twitter account DridexBot, used by the actors, acknowledges that they started using this technique after the original PoC was released. The tweets below show the Dridex authors mocking security researchers for taking so long to realize they were using AB.
The DridexBot Twitter account was created in 2015 and has only 157 tweets to date. The tweets made by this account seem to indicate that the authors closely monitor the security researchers who work on their product. They even comment when analysts come to the wrong conclusions.
The only account followed by this Twitter account is MalwareTech (@MalwareTechBlog), which belongs to the UK security researcher Marcus Hutchins, who found the WannaCry kill switch.
Marcus Hutchins is currently facing charges from the FBI for creating the UPAS Kit malware. He has been in trouble in the past for allegedly creating the banking trojan Kronos.