The updated Dridex version and its capabilities
The well-known Dridex Trojan has received an upgrade that equips the malware with a new, complex injection technique and its most effective evasion capabilities to date, based on a technique known as AtomBombing.
The latest version of the financial Trojan, version four, was discovered several weeks ago. The inclusion of AtomBombing in the malware is the first known example of banking malware using this sophisticated technique.
IBM says the discovery is important because other criminal groups are likely to adapt their own Trojan code to become just as dangerous in the future, and banks must keep up with these evolving threats to ensure their customers are as safe as possible when using online systems.
Dridex is one of the most well-known and dangerous Trojans to hit European financial institutions. The Trojan often penetrates victim PCs through malicious macros embedded in Microsoft Office documents or through web injection attacks; once a system is compromised, it steals online banking credentials and financial information.
Dridex was first spotted in 2014 after spreading through a spam campaign in the United Kingdom. The creators of Dridex have chosen to use only part of the AtomBombing technique. The malware copies a payload into a read-write memory region in the target process, but uses a different method to write and execute the payload.
Instead of risking suspicious calls to Windows APIs, Dridex calls a virtual memory function to modify the memory already written into the process.
The researchers say that Dridex's developers have also improved the Trojan's configuration encryption and persistence mechanisms.
Dridex v4 is already out and actively attacking UK banks through redirection schemes and the malware's VNC RAT capabilities. These appear to have replaced the Trojan's web injection methods, which were once the most common way it targeted potential victims.