Dridex uses a technique called AtomBombing

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Security researchers have discovered a new variant of the Dridex banking Trojan. It has been observed using a code injection technique known as AtomBombing.


Affected platforms

The following platforms are known to be affected:

Threat details

Dridex has received a number of recent updates and is the first banking Trojan known to use the technique called AtomBombing.

AtomBombing is a code injection technique in which the Windows global atom table, a session-wide store that any process can write to with GlobalAddAtom, is used to place attacker-controlled bytes in the memory of a trusted process. The attacker queues an asynchronous procedure call (APC) that makes the target process itself call GlobalGetAtomName, so the data is copied into the target without the injecting process calling WriteProcessMemory, CreateRemoteThread or the other injection APIs that security products commonly hook. The injected code then runs in the context of the trusted application.
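The following script is an added example and is not code from the NHS Digital alert, from Dridex, or from the researchers who documented AtomBombing. It demonstrates only the primitive the technique builds on: a string that one process adds to the global atom table can be read back by a different process in the same desktop session using nothing but the 16-bit atom number. It queues no APC and injects nothing into any process. The payload text is constructed for the demo, and the script assumes it is run on Windows in Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example: the global atom table as a cross-process data channel.
# Writer (this process) stores a string with GlobalAddAtomW; a separate reader
# process retrieves it with GlobalGetAtomNameW. In AtomBombing the *target*
# process is made to perform that second call via an APC, so the bytes land in
# its own memory without the attacker ever calling WriteProcessMemory.

Add-Type -Namespace Win32 -Name Atom -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtomW(string lpString);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@

# Constructed payload: atom names are limited to 255 characters and cannot
# contain NUL, which is why the original research wrote code in several chunks.
$payload = 'constructed-demo-payload-' + (Get-Date -Format 'HHmmss')

$atom = [Win32.Atom]::GlobalAddAtomW($payload)
if ($atom -eq 0) {
    throw "GlobalAddAtomW failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
Write-Host ("Writer PID {0} stored payload under atom 0x{1:X4}" -f $PID, $atom)

# Reader script: only the atom number is baked in; the full string comes back
# from the shared table because both processes share one window station.
$reader = @"
Add-Type -Namespace Win32 -Name Atom -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@
`$buf = New-Object System.Text.StringBuilder 256
`$len = [Win32.Atom]::GlobalGetAtomNameW([uint16]$atom, `$buf, `$buf.Capacity)
Write-Output ("Reader PID {0} read {1} chars: {2}" -f `$PID, `$len, `$buf.ToString())
"@

# Launch the reader as a genuinely separate process using the same PowerShell
# binary; -EncodedCommand avoids any quoting problems with the multi-line script.
$exe   = (Get-Process -Id $PID).Path
$bytes = [Text.Encoding]::Unicode.GetBytes($reader)
$out   = & $exe -NoProfile -NonInteractive -EncodedCommand ([Convert]::ToBase64String($bytes))
Write-Host $out

# Drop our reference so the entry does not linger in the table after the demo.
[void][Win32.Atom]::GlobalDeleteAtom($atom)
```

The point for defenders is in what the script does not do: no handle to the reader is opened, no memory is written into it, and no remote thread is created, so detection logic that keys on those calls sees nothing. Coverage for this class of injection has to come from elsewhere, for example from monitoring APC queuing into other processes or from behavioural indicators in the process that ends up running the injected code.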

Dridex version 4 also uses a new algorithm to encrypt its configuration file and has reduced its reliance on the API calls that security products commonly monitor, which makes detection harder.

The malware has been seen to be targeting banks in the UK, but it is anticipated that it will spread to other countries in the near future.


Remediation steps

  • Never open email attachments from untrusted sources.
  • Ensure that macros are disabled by default for files from untrusted sources.
  • Make sure that anti-malware signatures and detection content are kept up to date.
  • Monitor network and proxy logs for suspicious activity.
  • Make sure that cyber awareness training is kept up-to-date.
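Dridex is delivered through e-mailed Office documents carrying VBA macros, so the second step above is worth verifying on endpoints rather than assuming. The script below is an added example, not part of the NHS Digital alert, that audits the per-user Office policy values controlling macro execution and can enforce the stronger settings. It assumes an Office 2016/2019/Microsoft 365 install (policy path version 16.0) and the documented meaning of the values: VBAWarnings 1 = enable all macros, 2 = disable with notification (the default), 3 = disable except digitally signed, 4 = disable all without notification; blockcontentexecutionfrominternet 1 = block macros in files that carry the mark of the web.

```powershell
# Added example: audit and (optionally) enforce Office macro policy for the
# current user. The application list and the "weak" thresholds are assumptions
# for this demo; in production the same values are normally set via Group Policy.

$Apps    = 'Word', 'Excel', 'PowerPoint'
$Version = '16.0'   # assumption: Office 2016/2019/365 policy path

function Test-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)][string]$App,
        [string]$Version = '16.0'
    )
    $key  = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    $findings = @()
    if ($null -eq $vba) {
        $findings += 'VBAWarnings not set by policy (user can enable macros in Trust Center)'
    } elseif ($vba -lt 3) {
        $findings += "VBAWarnings=$vba lets a user enable macros with one click"
    }
    if ($motw -ne 1) {
        $findings += 'Macros in Internet-sourced files (mark of the web) are not blocked'
    }

    [pscustomobject]@{
        App           = $App
        VBAWarnings   = $vba
        BlockInternet = $motw
        Weak          = ($findings.Count -gt 0)
        Findings      = ($findings -join '; ')
    }
}

function Set-OfficeMacroPolicy {
    # Writes the stronger settings: signed macros only, and block Internet-sourced macros.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$App,
        [string]$Version = '16.0'
    )
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    if ($PSCmdlet.ShouldProcess($key, 'Set VBAWarnings=3, blockcontentexecutionfrominternet=1')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Audit first; the Weak column shows which applications need attention.
$report = $Apps | ForEach-Object { Test-OfficeMacroPolicy -App $_ -Version $Version }
$report | Format-Table -AutoSize

# Enforce only where the audit found a weak setting. Run with -WhatIf to preview.
$report | Where-Object Weak | ForEach-Object { Set-OfficeMacroPolicy -App $_.App -Version $Version -WhatIf }
```

Values written under HKCU\Software\Policies take precedence over the user's own Trust Center choices, which is the reason the audit treats an unset policy value as a finding even when the application default (disable with notification) is in effect: the default still leaves the "Enable Content" button one click away from running the macro.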

Last edited: 11 January 2022 11:22 am