This report is being provided to our Small Business Alliance membership for situation awareness. Dridex is perhaps one of the most sophisticated banking trojans in the wild to date. The authors keep Dridex relevant through continuous development with new versions appearing every year. Recently, the authors of Dridex added a new code injection technique called Atom Bombing.
Atom Bombing (AB) works on all versions of Windows and is undetectable by most current security solutions. The current unknown actors behind the banking trojan Dridex, implemented AB almost immediately after it was released in open source. This report examines the AB technique and its use by the authors of Dridex.
Analysis
Atom Bombing is a code injection technique that works by manipulating atom tables. An atom table is a system-defined table that stores strings and corresponding identifiers[1]. There are two kinds of atom tables found in Windows OS and AB works by utilizing the global atom table.
- Local atom table – accessible to a single process – managed by user mode.
- Global atom table – accessible across processes – managed by the kernel.
The technique uses the following API calls:
- GlobalAddAtom – Adds a string to the global atom table and returns a unique 16-bit integer identifying the string.
- GlobalGetAtomName – Retrieves a copy of the string associated with the specified global atom.
Calling GlobalAddAtom, an attacker can store a null terminated buffer in the global atom table which is accessible from other processes on the host system. By calling GlobalGetAtom the buffer contents are retrieved. Using this system an attacker could store a string containing shell code in the atom table, which could then be called with the corresponding 16-bit integer.
Dridex
Dridex is perhaps one of the most sophisticated banking trojans in the wild to date. The authors keep Dridex relevant through continuous development with new versions appearing every year. The authors behind Dridex are responsible for the creation of some of the largest botnets to date like Gameover Zeus and Necurs, and the creation of a new Ransomware variant known as Bitpaymer/FriedEx.
Figure 1 Gameover Zeus and Necurs Botnet
Dridex is the first malware family to incorporate Atom Bombing. The Twitter account DridexBot used by the actors acknowledges they started using this technique after the original POC was released. The tweets below show the Dridex authors mocking security researchers for taking so long to realize they were using AB.
Figure 2. DridexBot Atom Bombing Tweets
The DridexBot Twitter account was created in 2015 and has only 157 tweets to date. The tweets made by this account seems to indicate bad authors monitor security researchers who work on their product closely. They even comment when analysts come to the wrong conclusions.
Figure 3. DridexBot Tweets to Analysts
The only account followed by this Twitter account is MalwareTech (@MalwareTechBlog) which belongs to the UK security researcher Marcus Hutchins; who found the WannaCry kill switch.
Figure 4. @MalwareTechBlog Twitter
Marcus Hutchins is currently facing charges from the FBI for creating the UPAS Kit malware. He has been in trouble in the past for allegedly creating the banking trojan Kronos.
Figure 5. Marcus Hutchins @MalwareTechBlog
Additional Reporting:
** A full technical report on Dridex and associated Atom Bombing code injection is being researched by Wapack Labs and will be available soon.
Conclusion
For our Small Business Alliance, we can at this time only present a cautionary note to our members. Dridex is a very high-level banking trojan, to which many cyber security experts and technology companies are currently researching mitigation strategies. The issue is a cat and mouse scenario where the bad actors keep changing Dridex with new versions appearing every year. The Atom Bombing code injection just adds to this dilemma. Basic cyber security practices must always be stressed within your businesses and if needed, seek Wapack Labs cyber security support.
Atom Bombing (AB) works on all versions of Windows and is undetectable by most current security solutions. The current unknown actors behind the banking trojan Dridex, implemented AB almost immediately after it was released in open source. This report examines the AB technique and its use by the authors of Dridex.
[1] https://docs.microsoft.com/en-us/windows/desktop/dataxchg/about-atom-tables
Comments