Wednesday 4 October 14:30 - 15:00, Red room
Magal Baz (IBM)
This February, we discovered that Dridex, one of the best known financial trojans, recently underwent a major version upgrade, and now boasts the AtomBombing injection technique.
AtomBombing, disclosed by enSilo, is an innovative technique that allows for stealthy code injection on Windows machines, and Dridex's authors have adapted key elements from it. However, Dridex's implementation is unique and deviates from the one presented by enSilo. This new feature is part of the release of a new major version of Dridex (v4), which includes several other upgrades, such as convoluted cryptographic protections. In this talk I will present Dridex's version of AtomBombing in depth, and analyse its weaker and stronger elements in comparison both with enSilo's version and with more traditional injection methods. I will explore the classic challenge of stealthy code injection from an analytical perspective, and see what novelties this method brings to the table; I will show that it does have genuine novelty in some of its elements, while others are simply a reorganization of the classic injection flow.
I will also address the evolution of the cryptographic methods used by Dridex. The new Dridex version has several cryptographic upgrades, which follow the unique approach the authors have demonstrated since the malware's early days. Over the past two years, Dridex's cryptography has evolved constantly, while relying almost solely on the RC4 cipher and basic XOR encryption. Using these two basic ingredients, the authors create more and more convoluted encryption schemes, and the recent version actually encrypts every single configuration string with its own RC4 key. They seem to prefer obfuscation and proprietary schemes over cryptographic sophistication. The logic behind this preference might be that such proprietary schemes are easy to create, while costing researchers a great deal of deciphering work. I will walk through the evolution of Dridex's encryption over the past two years, and focus on recent updates.
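To illustrate the analysis burden of the per-string-key scheme described above, here is an added example (not the speaker's code, and not Dridex's actual layout, which the abstract does not specify): a pure-Python RC4 plus XOR helper that builds and parses a constructed string table in which each entry carries its own RC4 key. The container format (u8 key length, key, u16 ciphertext length, ciphertext, whole table XOR-masked) is an assumption made for the demonstration.

```python
"""RC4 + XOR config-string table, constructed for analysis practice.

The table layout is an assumed stand-in, not Dridex's real format.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, mask: bytes) -> bytes:
    """Repeating-key XOR; used as the outer layer over the whole table."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def pack_table(strings, keys, xor_mask: bytes) -> bytes:
    """Constructed layout: u8 keylen | key | u16 len | RC4(key, s), then XOR."""
    body = b""
    for text, key in zip(strings, keys):
        ct = rc4(key, text.encode())
        body += struct.pack("<B", len(key)) + key + struct.pack("<H", len(ct)) + ct
    return xor_bytes(body, xor_mask)


def unpack_table(blob: bytes, xor_mask: bytes) -> list:
    """Reverse of pack_table: every entry needs its own embedded key."""
    body = xor_bytes(blob, xor_mask)
    out, off = [], 0
    while off < len(body):
        klen = body[off]; off += 1
        key = body[off:off + klen]; off += klen
        (n,) = struct.unpack_from("<H", body, off); off += 2
        out.append(rc4(key, body[off:off + n]).decode()); off += n
    return out
```

Because each entry embeds a distinct key, recovering one string gives no leverage over the next; the analyst must parse the container fully rather than brute-force a single table-wide key.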