AtomBombing Goes Nuclear
In late 2016, enSilo researchers shared AtomBombing with the security world. More of a “proof of concept” than an actual exploit, AtomBombing took advantage of Microsoft Windows’ built-in atom tables, which allow specific API calls to inject code into the read-write memory space of a targeted process.
(NOTE: enSilo endpoint protection software protects against Dridex v4 malware out-of-the-box.)
Cut to now. IBM researchers have just discovered that Dridex, one of the best-known strains of banking malware, has been updated to use AtomBombing. In its fourth major revision since its launch in 2014, Dridex leverages most of the enSilo team’s original proof of concept. However, the malware creators have modified enSilo’s approach by developing their own injection method, one that uses AtomBombing to write their payload to the desired memory location while using separate methods to modify memory permissions and execute the code.
Dridex v4 is active now and is known to be aggressively targeting the customers of banks in the UK. While this is the first malware known to actively utilize AtomBombing, it is likely only a matter of time before the technique finds its way into other platforms.
This latest release of Dridex not only leverages the strengths of AtomBombing, but also shows that the developers have spent a great deal of time and effort to ensure that the malware avoids detection by AV products.
AtomBombing is not a “bug” that causes the software to behave badly. This is a legitimate part of the operating system performing as designed. enSilo’s prediction is that attackers will continue to leverage such legitimate operating system functionality to avoid detection. After all, the technique that the researchers showed does not exploit a vulnerability that can be patched by Microsoft.
Evolving threats such as Dridex are why enSilo uses post-infection protection techniques to stop malware. With advanced attacks, compromise is always possible. Post-infection protections stop attacks from stealing or maliciously modifying vital data.
enSilo can detect and block malware that uses AtomBombing as its code injection technique.
While AtomBombing uses a built-in component of the Windows operating system, the net result of the injection is still the same: the attackers are still after data. The moment an attack manages to compromise an endpoint, it must still either attempt to modify files or try to communicate with a command and control server.
enSilo stops this behavior cold and prevents data ransoming, tampering or theft.