Dridex v4 - AtomBombing and other surprises

Presented at VB2017, Oct. 4, 2017, 2:30 p.m. (30 minutes)

This February, we discovered that Dridex, one of the best known financial trojans, recently underwent a major version upgrade, and now boasts the AtomBombing injection technique. AtomBombing, exposed by *enSilo*, is an innovative technique that allows for stealthy code injection in *Windows* machines, and Dridex's authors have adapted key elements from it. However, Dridex's implementation is unique and deviates from that presented by *enSilo*. This new feature is part of the release of a new major version of Dridex (v4), which includes several other upgrades, such as convoluted cryptographic protections. In this talk I will present Dridex's version of AtomBombing in depth, and analyse the weaker and stronger elements in it, in comparison both with *enSilo*'s version and with more traditional injection methods. I will explore the classic challenge of stealthy code injection from an analytical perspective, and see what novelties this method brings to the table; I will show that it does have genuine novelty in some of its elements, while others are simply reorganization of the classic injection flow. I will also address the evolution of cryptographic methods used by Dridex. The new Dridex version has several cryptographic upgrades, which follow the unique approach the authors have demonstrated from the malware's early days. Over the past two years, Dridex's cryptography has evolved constantly, while relying almost solely on the RC4 cipher and basic XOR encryption. Using these two basic ingredients, the authors create more and more convoluted encryption schemes, and the recent version actually encrypts every single configuration string with its own RC4 key. They seem to prefer obfuscation and proprietary schemes, rather than relying on cryptographic sophistication. The logic behind this preference might be that such proprietary schemes are easy to create, while for researchers they generate a great deal of work in deciphering. I will walk through the evolution of Dridex's encryption over the past two years, and focus on recent updates.

Presenters:

• Magal Baz - IBM
  Magal Baz Magal Baz was born in a Kibbutz in Israel in 1989. In 2015 he joined IBM Trusteer as a malware researcher, focusing on financial malware families. Magal has a keen interest in network security, reverse engineering and malware analysis. His other interests include hiking, rock climbing, history and philosophy. @mb1687

Links:

• https://www.virusbulletin.com/conference/vb2017/abstracts/dridex-v4-atombombing-and-other-surprises

Similar Presentations:

• NorthSec 2017 / Cracking Custom Encryption - An Intuitive Approach to Uncovering Malware's Protected Data
• GrrCON 2019 / The Spider Economy: Emotet, Dridex, and TrickBot, Oh My
• BSides Austin 2017 / DridexV4: What's under the hood?