Dridex Banking Trojan Gains "AtomBombing" Code

This week, the Alert Logic ActiveIntelligence team looks at the cyberattack on the UK's largest hospital trust and at a new release of the Dridex banking trojan that incorporates the 'AtomBombing' code injection technique.

Malware

Dridex Banking Trojan Gains ‘AtomBombing’ Code

The developers behind Dridex have released a major new version of the banking trojan, one that injects malicious code into other processes using a recently published technique called AtomBombing. The new version has been detected targeting European banks and is expected to be turned against U.S. financial institutions in the coming months. Dridex 4 carries the usual round of improvements expected from professionally maintained malware, but it is also the first major malware family seen adopting AtomBombing. The technique, disclosed by enSilo in October 2016, abuses the Windows global atom table: the attacker stores its payload in the atom table with GlobalAddAtom, then queues an asynchronous procedure call (APC) so that a thread in the target process calls GlobalGetAtomName and copies the payload into the target's own address space. Because the data arrives through ordinary atom-table calls rather than WriteProcessMemory or CreateRemoteThread, the API hooks that endpoint security products rely on to spot process injection never fire. Windows does not treat this as a vulnerability, so there is no patch to wait for.

Security researchers see Dridex as part of the growing trend towards fileless malware. AtomBombing fits that trend: the most sensitive part of the malware runs in memory inside a trusted process, delivered there without the injection APIs that antivirus products watch, which makes it harder for both security tooling and researchers to observe.

References: Dridex Trojan Gets A Major ‘AtomBombing’ Update | New Dridex Borrows From AtomBombing Code Injection Technique, UK Banks Already Targeted | New Malware Will Soon Start "AtomBombing" U.S.

Mitigation Strategies:

  • Anti-virus would detect the Dridex dropper and its file components on the local host. Note that AtomBombing is built to evade the API hooks antivirus products use to spot process injection, so detection relies on catching the files and the loader rather than the injection itself.
  • FIM solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management could detect any suspicious user account activity
  • Mail filtration would scan incoming attachments and hyperlinks for malicious code or links; Dridex has historically arrived as a malicious Office attachment delivered by spam campaigns.
  • Netflow data reveals large data transfers and potential data leakage. It may also reveal outbound connections to countries you do not do business in, which can be an indicator of malicious activity.

Breach

UK's Largest Hospital Trust Suffers Cyberattack

In January, the largest NHS trust in Britain suffered a "major" cyberattack, with thousands of sensitive files compromised and pathology systems taken offline. The malware attack, which forced parts of the UK's largest hospital group offline, has now been blamed on a new form of malware that bypassed antivirus software and infected the network.

There is no indication of how exactly the malware, which the trust had earlier described as a Trojan, managed to infiltrate hospital systems. Barts Health NHS Trust is currently carrying out a "serious incident investigation" into the event.

References: Barts Trust Suffers Cyberattack | UK's Largest Hospital Trust Battles Friday 13th Malware Outbreak | Four Major UK Hospitals Targeted In Malware Attack

Mitigation Strategies:

  • FIM solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management could detect any suspicious user account activity
  • Mail filtration would scan incoming attachments and hyperlinks for malicious code or links
  • Netflow data reveals large data transfers and potential data leakage. It may also reveal outbound connections to countries you do not do business in, which can be an indicator of malicious activity.
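The Netflow and log-management bullets in both mitigation lists describe checks without showing them. The following Python script is added here as an example and is not part of the newsletter or of Alert Logic's tooling. It runs those checks over a handful of constructed flow records: it matches destinations against the suspicious IP addresses listed at the end of this issue, flags outbound destinations outside an assumed set of expected countries, and totals per-host egress to surface large transfers. The flow record format, the GeoIP table (RFC 5737 documentation ranges with illustrative country codes), the EXPECTED_COUNTRIES set and the 50 MB threshold are all assumptions made for the example.

```python
"""Hunt over NetFlow-style records: watchlist hits, unexpected countries,
large outbound transfers. Example code; formats and thresholds are assumed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Copied from "This Week's Suspicious IP Addresses" in this issue.
WATCHLIST = {
    "61.177.172.37", "61.177.172.19",
    "166.111.77.32", "188.118.2.26",
    "81.183.56.217", "46.109.168.179",
}

# Assumption: the organisation's internal address space.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Assumption: countries this hypothetical organisation does business in.
EXPECTED_COUNTRIES = {"GB", "US"}

# Constructed stand-in for a GeoIP database. Keys are RFC 5737 documentation
# ranges so no real network is implicated; country codes are illustrative.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",
}

# Assumed per-host outbound volume, per flow window, worth an analyst's time.
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024

# Constructed sample flow export (CSV): src_ip,dst_ip,dst_port,bytes.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,bytes
10.1.2.3,192.0.2.10,443,18234
10.1.2.3,61.177.172.37,443,5120
10.1.2.4,203.0.113.7,8080,4096
10.1.2.5,198.51.100.20,443,60000000
10.1.2.5,198.51.100.21,443,1200
10.1.2.6,10.1.2.7,445,900000000
"""


def country_of(ip):
    """Look up the country code for an address; '??' when not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown geolocation is itself worth a look


def parse_flows(text):
    """Parse the constructed CSV flow format into a list of dicts."""
    return [
        {"src": row["src_ip"], "dst": row["dst_ip"],
         "port": int(row["dst_port"]), "bytes": int(row["bytes"])}
        for row in csv.DictReader(io.StringIO(text))
    ]


def analyse(flows):
    """Return (check, internal_host, detail) findings for outbound flows."""
    findings = []
    egress = defaultdict(int)
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # internal-to-internal traffic is out of scope here
        egress[f["src"]] += f["bytes"]
        if f["dst"] in WATCHLIST:
            findings.append(("watchlist", f["src"], f["dst"]))
        cc = country_of(f["dst"])
        if cc not in EXPECTED_COUNTRIES:
            findings.append(("unexpected-country", f["src"], f"{f['dst']} ({cc})"))
    # Aggregate across the window: one big flow or many small ones both count.
    for host, total in egress.items():
        if total > LARGE_TRANSFER_BYTES:
            findings.append(("large-transfer", host, f"{total} bytes"))
    return findings


if __name__ == "__main__":
    for check, host, detail in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{check:19} {host:12} {detail}")
```

A watchlist destination that is absent from the GeoIP table is reported twice, once as a watchlist hit and once as an unexpected country; in a real pipeline that is the point at which the two signals would be correlated into a single alert, and the IOC list would be refreshed from the feed rather than embedded in the script.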

This Week's Suspicious IP Addresses

61.177.172.37 61.177.172.19
166.111.77.32 188.118.2.26
81.183.56.217 46.109.168.179

*IP addresses provided by Recorded Future.