The IBM X-Force Threat Intelligence team keeps track of the most recent Internet threats. Unexpectedly, the Dridex banking Trojan has re-emerged and renewed its activity once again. IBM reports that a fourth version of this malware has been developed and that it is more determined than ever to cause disruption. Since Dridex first appeared in 2014, each new update has drifted slightly from the way it was originally built.
Still, the operation the Dridex banking Trojan carries out is not that different from version 3.0, released in April 2015. Hidden VNC is not always part of the plan, but Dridex does use it to create concealed connections to hosts. Basically, the new Dridex sample redirects infected users to fake online banking sites via a proxy server. Version 4 does differ in one significant aspect: before, Dridex inserted its malicious code into the victim's device. Now it appears to have switched to loading that code into the memory of the host. It no longer treats Windows API calls as a priority and is trying out a new, explosive twist. Where the CreateRemoteThread technique used the API quite obviously and gave victims more chances to be alerted, the new method is far more secretive.
Besides the novelties mentioned above, Dridex was also updated in a couple of other areas. It improved its encryption and put a lot of effort into keeping its presence a secret. AtomBombing is used for exactly that purpose: to make Dridex even harder to notice in action.
AtomBombing might sound unfamiliar, but it was first introduced in 2016. It is much easier to conceal the activity of a banking Trojan when the malware takes advantage of the technique that enSilo discovered. None of the application programming interface (API) calls that usually give banking Trojans away are necessary. Instead of the older technique, the attackers are now trying their luck with AtomBombing. It relies on Windows atom tables and NtQueueApcThread to place the Trojan's main payload in read-write memory. However, that is where the use of AtomBombing stopped, as the attackers then proceeded with their own unique interpretation of the tactic: they used a different approach to get the payload executed.
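To show the defender's side of the two techniques described above, here is an added example that is not part of the original article and is not IBM's, enSilo's or Dridex's code. It parses constructed API-monitor trace lines (the trace format, process ids and the idea of an EDR or sandbox API log are all hypothetical) and flags the two injection patterns the article contrasts: a cross-process CreateRemoteThread, and an atom-table write followed by a cross-process NtQueueApcThread.

```python
"""Correlate API-monitor trace lines to flag two process-injection patterns.

Everything here is constructed for illustration: the line format, the pids
and the notion that an API monitor logs `target=` as the pid that owns the
thread or process handle passed to the call. A real monitor would log handles
and the detector would have to resolve them to the owning process first.
"""
import re

# Constructed sample trace. target=0 means the call acted on the caller's own process.
SAMPLE_TRACE = """\
1 pid=4120 api=GlobalAddAtomW target=0
2 pid=4120 api=GlobalAddAtomW target=0
3 pid=4120 api=NtQueueApcThread target=2876
4 pid=4120 api=NtQueueApcThread target=2876
5 pid=5001 api=VirtualAllocEx target=3300
6 pid=5001 api=WriteProcessMemory target=3300
7 pid=5001 api=CreateRemoteThread target=3300
8 pid=6100 api=GlobalAddAtomW target=0
9 pid=6100 api=NtQueueApcThread target=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) api=(?P<api>\w+) target=(?P<target>\d+)$"
)


def parse_trace(text):
    """Parse trace lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            {
                "ts": int(m["ts"]),
                "pid": int(m["pid"]),
                "api": m["api"],
                "target": int(m["target"]),
            }
        )
    return events


def find_injection_patterns(events):
    """Return (source_pid, target_pid, technique) tuples, one per distinct finding.

    Rules (heuristic, on the constructed trace format):
      * atombombing-like: a process that wrote to the global atom table and then
        queued an APC into a thread of a *different* process.
      * createremotethread-injection: CreateRemoteThread aimed at another process.
    APCs a process queues to its own threads are legitimate and are not flagged.
    """
    atom_writers = set()   # pids seen adding global atoms
    findings, seen = [], set()
    for ev in events:
        pid, api, target = ev["pid"], ev["api"], ev["target"]
        cross_process = target not in (0, pid)
        if api.startswith("GlobalAddAtom"):
            atom_writers.add(pid)
            continue
        technique = None
        if api == "NtQueueApcThread" and cross_process and pid in atom_writers:
            technique = "atombombing-like"
        elif api == "CreateRemoteThread" and cross_process:
            technique = "createremotethread-injection"
        if technique:
            key = (pid, target, technique)
            if key not in seen:       # report each (source, target, technique) once
                seen.add(key)
                findings.append(key)
    return findings


if __name__ == "__main__":
    for src, dst, technique in find_injection_patterns(parse_trace(SAMPLE_TRACE)):
        print(f"pid {src} -> pid {dst}: {technique}")
```

The third process in the sample (pid 6100) adds an atom and queues an APC only to its own threads, which is ordinary behaviour and is deliberately left unflagged; the correlation that matters is an atom-table write followed by an APC aimed at another process, which is the sequence the article attributes to AtomBombing.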
Banking Trojans are extremely dangerous because their mission is to steal sensitive information from their victims. Credentials for online banking accounts are the main target. If hackers get their hands on such information, they will happily clean out your bank account. Thankfully, there are techniques that banking services can employ to strengthen their security.
Source: eweek.com.