Banking Trojan Dridex Evolves and Starts to Spread
Posted by: Timothy Weaver on 02/28/2017 08:46 PM
[
Comments
]
Dridex banking trojan comes out with version 4 and IT pro's are worried.
Dridex relies on Hidden - Virtual Desktops to control infected computers via establish hidden connections. Experts say that what changed in Dridex v4 is how the banking trojan loads its malicious code into the host's memory.
Older versions of Dridex would use injection methods into various Windows API calls to load snippets of their malicious code which researchers could track and stop.
Dridex v4 now uses a technique discovered by enSilo researchers in late October 2016.
This new and somewhat ground-breaking code injection technique is called AtomBombing. In a very simple explanation, the technique relies on storing malicious snippets of code inside atom tables.
Attackers could store hidden code in these atom tables and call them up without invoking API calls.
enSilo researchers knew that Microsoft couldn't fix this issue because it would require rewriting a large amount of the operating system. However, they are hoping that with this fresh information, anti-virus companies can address the issues.
According to IBM, recent Dridex v4 samples targeted only customers of UK banks, but v4 is expected to spread to other countries.
Source: Bleeping Computer
Dridex relies on Hidden - Virtual Desktops to control infected computers via establish hidden connections. Experts say that what changed in Dridex v4 is how the banking trojan loads its malicious code into the host's memory.Older versions of Dridex would use injection methods into various Windows API calls to load snippets of their malicious code which researchers could track and stop.
Dridex v4 now uses a technique discovered by enSilo researchers in late October 2016.
This new and somewhat ground-breaking code injection technique is called AtomBombing. In a very simple explanation, the technique relies on storing malicious snippets of code inside atom tables.
Attackers could store hidden code in these atom tables and call them up without invoking API calls.
enSilo researchers knew that Microsoft couldn't fix this issue because it would require rewriting a large amount of the operating system. However, they are hoping that with this fresh information, anti-virus companies can address the issues.
According to IBM, recent Dridex v4 samples targeted only customers of UK banks, but v4 is expected to spread to other countries.
Source: Bleeping Computer
Comments
