• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Dridex v4, the dreaded malware has been improved with AtomBombing technique

Dridex v4, the dreaded malware has been improved with AtomBombing technique

Pierluigi Paganini March 01, 2017

Malware author are using Dridex v4 in the wild, an improved version of the Trojan that includes a new injection method known as AtomBombing.

According to researchers with IBM X-Force, vxers have improved the Dridex banking Trojan adding a new injection method for evading detection, the technique is known as AtomBombing.

The researchers have spotted a new sample of the threat, so called Dridex v4, earlier this month. The malware was used in campaigns against banks in UK and experts believe it will be used to target financial institution worldwide very soon.

“IBM X-Force discovered that Dridex, one of the most nefarious banking Trojans active in the financial cybercrime arena, recently underwent a major version upgrade that is already active in online banking attacks in Europe.” reads the analysis published by IBM.

“In this release, we noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities. The changes to Dridex’s code injection method are among the most significant enhancements in v4. They allow Dridex to propagate in the infected endpoint with minimal calls to marked API functions.” 

The Dridex v4 maintained the capabilities observed in a previous release, it is a malware focused on banking activities, it monitors the victim’s online banking operations and steals login and account information.

The code injection method was significantly improved because previous versions have become too easy to detect due to the use of well known API calls, that’s why the authors leverage AtomBombing in a new version of Dridex.

The AtomBombing is not a novelty in the threat landscape, in October, security experts from security firm ENSILO have devised the method to inject malicious code in Windows operating system that could not be detected by modern anti-malware tools.

The Atom Tables are data structures used by the operating system to store strings with an identifier to access them, they could have a global or local scope.

“AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.”

“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.” reads a description published by Microsoft on the Atom Tables.

“The system provides a number of atom tables. Each atom table serves a different purpose. For example, Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications.”

The attackers can then write malicious code into an atom table and force a legitimate application to retrieve it from the table. Once the code is retrieved by the legitimate application, it is possible to manipulate it triggering the execution of the malicious code.

Back to Dridex v4, the authors leverage on the AtomBombing technique to hide the malicious payload in the Atom Tables.

“In our analysis of the new Dridex v4 release, we discovered that the malware’s authors have devised their own injection method, using the first step of the AtomBombing technique. They use the atom tables and NtQueueAPCThread to copy a payload and an import table into a RW memory space in the target process. But they only went halfway — they used the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself.” reads the analysis shared by IBM.

This implementation of the AtomBombing technique is unique for banking malware coding, and it isn’t the only one for Dridex v4.

Other improvements include the enhancement to the encryption for its configuration, a modified naming algorithm, and an updated mechanism to gain persistence on the infected machine.

The evolution of the Dridex Trojan continues, last time we read about this threat was in January when researchers at Flashpoint discovered a new variant leveraging a new tactic to bypass the UAC (User Account Control).

Stay tuned …

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Dridex v4,  banking trojan)


facebook linkedin twitter

Atom Tables AtomBombing banking trojan Dridex v4 Hacking Windows

you might also like

Pierluigi Paganini July 28, 2025
U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 28, 2025
Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

    Security / July 28, 2025

    Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

    Security / July 28, 2025

    Scattered Spider targets VMware ESXi in using social engineering

    Cyber Crime / July 28, 2025

    China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

    Hacking / July 28, 2025

    Allianz Life data breach exposed the data of most of its 1.4M customers

    Data Breach / July 27, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT