Dridex Trojan Gets AtomBombing Update


News broke yesterday that Dridex, one of the most destructive banking Trojans in the financial cybercrime landscape, recently underwent a version update that equips the malware with a new code injection technique known as AtomBombing.

Researchers from IBM X-Force discovered that Dridex now carries a new, sophisticated injection technique and evasion capabilities that are already active in the wild, being used in online banking attacks in Europe.

IBM said its cybercrime labs detected the latest version of Dridex (v4) a few weeks ago, claiming the malware is the first banking Trojan it has come across to use AtomBombing. This is significant, IBM added, as organized cybercrime gangs using banking Trojans will be likely to adopt the same method in the future.

What’s more, Dridex’s developers also worked on a major upgrade to the malware’s configuration encryption. This upgrade includes implementing a modified naming algorithm, a robust but easy-to-spot persistence mechanism and a few additional enhancements.

Speaking to Infosecurity, Luis Corrons, technical director of PandaLabs at Panda Security, said the Dridex update is clear proof that cyber-criminals continually "keep up to date with new technologies, and try to take advantage of them to make their attacks better."

“The release of a major version upgrade is a big deal for any software, and the same goes for malware,” IBM added. “The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud.

“We noted that special attention was given to dodging antivirus (AV) products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities.”

The changes to Dridex's code injection method are among the most significant enhancements in v4. They allow Dridex to inject itself into other processes on the infected endpoint with minimal calls to the API functions that security products typically monitor for code injection, said IBM.
