Dridex v4 - AtomBombing and other surprises

Wednesday 4 October 14:30 - 15:00, Red room

Magal Baz (IBM)

This February, we discovered that Dridex, one of the best known financial trojans, recently underwent a major version upgrade, and now boasts the AtomBombing injection technique.

AtomBombing, exposed by enSilo, is an innovative technique that allows for stealthy code injection on Windows machines, and Dridex's authors have adapted key elements from it. However, Dridex's implementation is unique and deviates from the one presented by enSilo. This new feature is part of the release of a new major version of Dridex (v4), which includes several other upgrades, such as convoluted cryptographic protections. In this talk I will present Dridex's version of AtomBombing in depth, and analyse its weaker and stronger elements in comparison both with enSilo's version and with more traditional injection methods. I will explore the classic challenge of stealthy code injection from an analytical perspective and see what novelties this method brings to the table; I will show that it does have genuine novelty in some of its elements, while others are simply a reorganization of the classic injection flow.

I will also address the evolution of the cryptographic methods used by Dridex. The new Dridex version has several cryptographic upgrades, which follow the unique approach the authors have demonstrated since the malware's early days. Over the past two years, Dridex's cryptography has evolved constantly, while relying almost solely on the RC4 cipher and basic XOR encryption. Using these two basic ingredients, the authors create more and more convoluted encryption schemes, and the recent version actually encrypts every single configuration string with its own RC4 key. They seem to prefer obfuscation and proprietary schemes over cryptographic sophistication. The logic behind this preference might be that such proprietary schemes are easy to create, while generating a great deal of deciphering work for researchers. I will walk through the evolution of Dridex's encryption over the past two years, and focus on recent updates.


Magal Baz

Magal Baz was born in a Kibbutz in Israel in 1989. In 2015 he joined IBM Trusteer as a malware researcher, focusing on financial malware families. Magal has a keen interest in network security, reverse engineering and malware analysis. His other interests include hiking, rock climbing, history and philosophy.

@mb1687
