In November of 2016, I wrote a blog titled “Atom Bombing: Three ways to protect yourself.” I discussed a new attack vector uncovered by security researchers at enSilo that allowed attackers to inject code directly into atom tables. Atom tables are present in all Windows operating systems and function in multiple ways across the operating system. Here is a link that can help you learn more about atom tables.
Dridex, a common banking malware, has evolved to include atom bombing into its attack vector. It doesn’t take long for criminals to adopt new attack methods and this is a clear example. The latest Dridex variant, called Dridex v4, utilizes atom tables to store its malicious code and calls that code using the same Windows API.
Those behind the Dridex variant cleverly wrote their new code to only utilize the first half of enSilo’s proof of concept exploit and then wrote their own code for the second half. This method still uses atom tables to load the malicious code into the victim’s computer memory, but it now does not use the same API and function calls, thus allowing it to bypass atom bombing detection mechanisms that were designed around enSilo’s findings.
Dridex v4 has also changed their encryption scheme, now using different encryption routines than prior versions did. Another update to Dridex was to their persistence mechanism. The authors of Dridex now use a DLL hijacking technique to create persistence. The malware copies an executable from system32 into a different directory and then replaces that DLL with its own malicious DLL. The malicious DLL mimics the legitimate DLL and loads the executable.
Dridex v4 has been spotted in the UK, targeting banks. If your business is a bank, credit union or other financial institution, this should spark your curiosity. Dridex specifically targets these kinds of institutions and as you can see, its authors are busy updating their malicious software to overcome your defenses. In cybersecurity there is no time to rest. Your enemies are constantly at work, updating their malicious software, probing your network and figuring out how to bypass your security measures and get at your data.
So, what do you do? How do you protect yourself from emerging threats such as the new and improved Dridex v4?
- Prepare. Preparation is the key element in cybersecurity. You must take your network security seriously and prepare for the eventual attack. This includes routine security measures such as anti-virus and firewall installation, but also goes far beyond those well-known security steps. You must have an active and ready incident response plan. You should be integrating threat intelligence with your security team and be testing your response procedures as well. The NTT Security Critical Incident Response Team can assist with preparing your incident response plan, as well as test your security team with tabletop exercises.
- Dedicated Security Team. If your company does not have a dedicated security team, then engage with a third party such as NTT Security. Many companies do find it hard to focus on security, so bringing in a third party can provide you with security experts to increase your security standing.
- Security Tools. Ensure your security tools are up to date with the latest signatures and indicators of compromise. Since malware is constantly changing and being updated, so should your security tools. Your enemies are constantly updating their software. Can you afford not to do the same?