In 2014, the Dridex Trojan appeared on the scene when an onslaught of spam emails containing infected macro-enabled attachments were sent to unsuspecting users throughout the UK. An evolved version of ZeuS, Dridex’ primary focus at the time was to steal banking credentials. If the attachment in the malicious email were executed, Dridex would monitor users accessing banking information through keylogging, site injections, and even screenshots—with successfully stolen data often sent to and sold on dark web marketplaces.
By 2015, Dridex had gone international and was also targeting credentials for corporate networks in order gain access to internal systems and steal confidential information. And last year, Dridex began to both target Bitcoin wallets and was linked to Cerber ransomware attacks.
This year it has evolved even further, with a new code-injection capability that exploits Windows atom tables. Atom tables are used to link data strings and their complementary identifiers. This new capability, known as AtomBombing, deceives healthy applications or processes into retrieving the malicious code from the atom table, and then executing it.
And here’s the clincher, currently security researchers see no fix in sight, as AtomBombing functions more organically within Windows than typical malware. It doesn’t build upon on defective code, it instead assimilates itself into the atom tables’ core functionality, which makes this difficult, if not impossible to patch.
Dridex implements some features from AtomBombing in order to more easily go undetected, circumvent antivirus and malware prevention software, and execute payloads. Avoiding typical techniques that might flag these solutions, such API calls, allows for this version of Dridex to draw less attention to itself and work more effectively.
Antivirus companies are currently working towards detection mechanisms for the newest version of Dridex. However, it is always recommended that users practice good computer hygiene, verify the source from which an email was sent, avoid clicking links or downloading attachments that come from unknown sources, and regularly maintain system and software patches and updates.