Dridex v4 - AtomBombing and other surprises

Wednesday 4 October 14:30 - 15:00, Red room

Magal Baz (IBM)

This February, we discovered that Dridex, one of the best known financial trojans, recently underwent a major version upgrade, and now boasts the AtomBombing injection technique.

AtomBombing, disclosed by enSilo, is an innovative technique that allows for stealthy code injection on Windows machines, and Dridex's authors have adapted key elements from it. However, Dridex's implementation is unique and deviates from the one presented by enSilo. This new feature is part of the release of a new major version of Dridex (v4), which includes several other upgrades, such as convoluted cryptographic protections. In this talk I will present Dridex's version of AtomBombing in depth and analyse its weaker and stronger elements, in comparison both with enSilo's version and with more traditional injection methods. I will explore the classic challenge of stealthy code injection from an analytical perspective and see what novelties this method brings to the table; I will show that it does have genuine novelty in some of its elements, while others are simply a reorganization of the classic injection flow.

I will also address the evolution of the cryptographic methods used by Dridex. The new Dridex version has several cryptographic upgrades, which follow the unique approach the authors have demonstrated since the malware's early days. Over the past two years, Dridex's cryptography has evolved constantly while relying almost solely on the RC4 cipher and basic XOR encryption. Using these two basic ingredients, the authors create more and more convoluted encryption schemes, and the recent version actually encrypts every single configuration string with its own RC4 key. They seem to prefer obfuscation and proprietary schemes over cryptographic sophistication. The logic behind this preference might be that such proprietary schemes are easy to create, while for researchers they generate a great deal of deciphering work. I will walk through the evolution of Dridex's encryption over the past two years and focus on the recent updates.
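As an added example (not code from the talk, and not Dridex's own format) of the per-string keying the abstract describes, here is an analyst-side decoder for a configuration blob in which every string is RC4-encrypted under its own key and then covered by a single-byte XOR layer; the entry layout, keys and strings are constructed assumptions for illustration.

```python
# Added example, not from the talk or from Dridex: decode a config blob where each
# string has its own RC4 key under a single-byte XOR layer. The entry layout below
# is an assumption constructed for this example, not the malware's real format.
import struct
from typing import List, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then keystream generation (PRGA). Symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                            # PRGA: XOR keystream into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(data: bytes, k: int) -> bytes:
    """Single-byte XOR layer; applying it twice restores the input."""
    return bytes(b ^ k for b in data)

# Hypothetical entry layout: u8 key_len | rc4 key | u8 xor_key | u16 LE cipher_len | ciphertext
def build_config(entries: List[Tuple[str, bytes, int]]) -> bytes:
    blob = bytearray()
    for text, key, xk in entries:
        ct = xor_bytes(rc4(key, text.encode()), xk)   # RC4 first, XOR layer on top
        blob += struct.pack("<B", len(key)) + key + struct.pack("<BH", xk, len(ct)) + ct
    return bytes(blob)

def decode_config(blob: bytes) -> List[str]:
    """Walk the blob, peel the XOR layer, then RC4-decrypt each string with its own key."""
    strings, pos = [], 0
    while pos < len(blob):
        klen = blob[pos]; pos += 1
        key = blob[pos:pos + klen]; pos += klen
        xk, clen = struct.unpack_from("<BH", blob, pos); pos += 3
        ct = blob[pos:pos + clen]; pos += clen
        if klen == 0 or len(key) != klen or len(ct) != clen:
            raise ValueError("truncated or malformed config entry ending at offset %d" % pos)
        strings.append(rc4(key, xor_bytes(ct, xk)).decode("utf-8", "replace"))
    return strings

# Constructed sample: three strings, each under a different RC4 key and XOR byte
SAMPLE_ENTRIES = [("botnet=220", b"k1", 0x5A), ("c2=example.invalid:443", b"second-key", 0x00),
                  ("module=loader", b"\x01\x02\x03\x04", 0xFF)]
SAMPLE_BLOB = build_config(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for s in decode_config(SAMPLE_BLOB):
        print(s)
```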

Magal Baz

Magal Baz was born in a Kibbutz in Israel in 1989. In 2015 he joined IBM Trusteer as a malware researcher, focusing on financial malware families. Magal has a keen interest in network security, reverse engineering and malware analysis. His other interests include hiking, rock climbing, history and philosophy.
