Author: Cody Mercer – Senior Threat Intelligence Research Analyst
A newly discovered modified version of Dridex, now termed ‘Dridex v4’, has been recognized in the wild in recent days. Dridex, originally discovered in 2014, was at one time one of the most successful banking Trojans and has now re-emerged in this upgraded form.
Previously, the Dridex source code was built on a modified version of the Bugat Trojan, which was very successful in 2010; it has since morphed into its current form, derived from modified variants of Cridex and Feodo. Dridex v4 carries significant code modifications, most notably an improved use of the AtomBombing technique to inject malicious code in a way that evades detection and termination by anti-virus software.
Threat Campaigns & Attack Vectors
The Dridex v4 Trojan is deployed via a spamming or spear-phishing campaign in which an unsuspecting victim downloads and opens a .doc document with the malware embedded in its Microsoft Office macro code. During the Trojan's heyday in 2014, nearly 15,000 emails were reportedly being sent via spamming and email phishing techniques.
The principal impact on compromised assets is the theft of banking credentials and other customer PII (Personally Identifiable Information) stored on the infected system. Moreover, with the deployment of Dridex v4, the theft of financial documentation and other banking data is now also possible.
A standard financial malware attack follows a cyclical process made up of the following steps:
- Code is injected into allocated storage or memory in the target process
- Once the code has been injected into the allocated memory, the malware payload is installed
- After the payload has been properly installed and confirmed, the payload is executed
API calls are usually the preferred method for executing the payload, making use of the following Windows API functions:
- VirtualAllocEx – allocates a buffer in the target process with RWX (read/write/execute) protection
- WriteProcessMemory – copies the payload into that buffer
- CreateRemoteThread – executes the payload
However, because this API sequence is a commonly recognized TTP (Tactic, Technique, Procedure), security appliances and software applications have developed the signatures and mechanisms needed to identify and recognize this common malware attack vector. Therefore, the enhanced Dridex v4 instead uses the technique known as AtomBombing, along with additional evasion and sandbox-detection features.
As previously stated, Dridex v4 employs attack mechanisms drawn from the very successful technique known as AtomBombing. According to author Magal Baz (2017), “Rather, AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write (RW) memory space in the target process. It then uses NtSetContextThread to invoke a simple return-oriented programming (ROP) chain that allocates read/write/execute (RWX) memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”
However, IBM X-Force Exchange researchers determined that Dridex v4 uses only a portion of the AtomBombing technique, precisely so that the technique itself is not recognized. Rather than following the full sequence of API calls that AtomBombing relies on, Dridex v4 makes slight modifications that help it avoid identification of the attack vector.
Per Baz (2017), “At this point, the flow differs from the one described in the AtomBombing technique. To get the payload into an executable memory space, Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into RWX. It’s a simple fix and a small compromise for the sake of the overall technique, designed to avoid making suspicious API calls, which are usually monitored by security software.”
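The two flows described above can be told apart in an API trace. As an added example (not NSFOCUS's or IBM's code), the following Python script runs a detection over a small constructed sandbox API trace: it flags the classic VirtualAllocEx/WriteProcessMemory/CreateRemoteThread sequence from the earlier list, and separately the AtomBombing-style flow in which a payload arrives in another process via NtQueueApcThread and is then made executable, distinguishing Dridex v4's NtProtectVirtualMemory shortcut (RW region flipped to RWX by the injector) from the original path that hijacks a thread with NtSetContextThread to run a ROP chain. The trace line format ("<pid> <api> key=value ...") and the process IDs are assumptions made for the example.

```python
"""Flag process-injection API sequences in a sandbox API trace.

Added example, not code from NSFOCUS or IBM X-Force. The trace format is
an assumption: one call per line, "<pid> <api> key=value ...", roughly as
a sandbox or API-monitor tool might emit it.
"""
from collections import defaultdict

# Constructed sample trace: PID 1204 performs both the classic triad and the
# Dridex-style AtomBombing variant against PID 3320; PID 5500 only writes
# non-executable memory in its own address space (benign noise).
SAMPLE_TRACE = """\
1204 VirtualAllocEx target=3320 protect=PAGE_EXECUTE_READWRITE size=4096
1204 WriteProcessMemory target=3320 size=4096
1204 CreateRemoteThread target=3320
1204 GlobalAddAtomW len=512
1204 NtQueueApcThread target=3320 thread=3344 apc=GlobalGetAtomNameW
1204 NtQueueApcThread target=3320 thread=3344 apc=memcpy
1204 NtProtectVirtualMemory target=3320 old=PAGE_READWRITE new=PAGE_EXECUTE_READWRITE
1204 NtSetContextThread target=3320 thread=3344
5500 VirtualAllocEx target=5500 protect=PAGE_READWRITE size=4096
5500 WriteProcessMemory target=5500 size=4096
"""


def parse_trace(text):
    """Yield (pid, api, args) per line; args is a dict of key=value fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        pid, api = int(parts[0]), parts[1]
        args = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield pid, api, args


def _executable(protect):
    """True if a PAGE_* protection string grants execute permission."""
    return "EXECUTE" in (protect or "")


def detect(text):
    """Return a list of (injector_pid, target_pid, technique) findings.

    Only cross-process activity is considered: a process allocating or
    re-protecting memory in its own address space is too common to alert on.
    """
    calls = defaultdict(list)  # ordered call list per (injector, target) pair
    for pid, api, args in parse_trace(text):
        target = int(args.get("target", pid))
        if target != pid:
            calls[(pid, target)].append((api, args))

    findings = []
    for (pid, target), seq in calls.items():
        apis = [api for api, _ in seq]

        # Classic triad: RWX allocation, then a write, then a remote thread,
        # in that order against the same target process.
        alloc = next((i for i, (a, g) in enumerate(seq)
                      if a == "VirtualAllocEx" and _executable(g.get("protect"))), None)
        if alloc is not None:
            write = next((i for i in range(alloc + 1, len(seq))
                          if apis[i] == "WriteProcessMemory"), None)
            if write is not None and "CreateRemoteThread" in apis[write + 1:]:
                findings.append((pid, target, "classic_injection"))

        # AtomBombing family: payload delivered via APC (NtQueueApcThread),
        # then made executable either by flipping the region to RWX from the
        # injector (Dridex v4 variant) or by hijacking the thread context to
        # run a ROP chain (original AtomBombing).
        if "NtQueueApcThread" in apis:
            flipped = any(a == "NtProtectVirtualMemory" and _executable(g.get("new"))
                          for a, g in seq)
            if flipped:
                findings.append((pid, target, "atombombing_dridex_variant"))
            elif "NtSetContextThread" in apis:
                findings.append((pid, target, "atombombing_rop"))
    return findings


if __name__ == "__main__":
    for pid, target, technique in detect(SAMPLE_TRACE):
        print(f"pid {pid} -> pid {target}: {technique}")
```

The ordering check in the classic rule matters: a write that precedes the RWX allocation is not the injection pattern, and the rule stays quiet on it. The AtomBombing rule deliberately keys on the memory being made executable in another process rather than on the atom-table calls themselves, since GlobalAddAtom is used by plenty of legitimate software; the caveat is that self-injection into the same process is out of scope for this trace-level check.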
The Dridex v4 financial malware has evolved incessantly since its birth in 2014. The strain continues to morph, preventing standard cyber-security appliances and software from recognizing it or protecting the environments it targets. It is highly recommended that you consider using one or more of the security solutions provided by NSFOCUS to safeguard your environment.
NSFOCUS’s Recommended Solutions & Best Practices
- If a discovered threat exploits one or more network services, immediately disable and block access to those services until a patch has been applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Use a firewall to block all incoming connections from external sources to services that should not be publicly available. By default, deny all incoming connections and allow only the services you explicitly want publicly accessible.
- Enforce a strict password policy. Complex passwords make it difficult to crack password files on compromised computers.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Configure your email server to block or remove emails that contain file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif, .doc and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open email attachments unless they are expected, including those from an outside source. Moreover, do not execute software downloaded from the Internet unless it has been scanned for viruses.
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
Baz, M. (2017). Dridex’s Cold War: Enter Atombombing. Retrieved from: https://securityintelligence.com/dridexs-cold-war-enter-atombombing/