10 months ago

Dridex has evolved, and now Dridex V4 uses Atom Bombing to perform process injection.

This method allows Dridex to perform sneaky injections to evade AV solutions.

In this post, we are going to explain how Dridex gain persistence in the system and how Dridex performs AtomBombing in detail.

Persistence

This Dridex version uses different techniques to persist into the system.

First the malware enumerates all executable files into the "C:\Windows\System32\" folder.

Dridex has a preloaded hash. For each filename, the malicious code calculates its hash. When the calculated hash matches with the Dridex preloaded hash, the malware will save the filename to use it later.

In the image below, in r12d we can found the preloaded hash and in RAX the filename hash, that Dridex is looking for. The malware compares both values. In this case matchs because the file that the malware was searching was "optionalfeatures.exe".

After choosing the executable, the malware reads the executable IAT and then selects a dll from the IAT. The malicious code will do that to use a dll hijacking technique. (In RDX we can find the import directory address).

When the dll is chosen from the executable IAT, Dridex reads and copies the EAT from the chosen dll. (In this case the selected dll is appwiz.dll).

You can find below the function that Dridex uses to obtain the EAT.

The EAT is copied into a buffer.

Once this is done, the malware copies itself and adds a new section into itself (This section has a random name). The dridex copies the obtained "EAT" in that section.

With this technique (DLL hijacking) when OptionalFeatures.exe is executed it will load appwiz.dll but appwiz.dll is a modified copy of dridex.

After get an executable and its modified dll, both files will be saved into the disk, then some registry keys will be added to execute the binary when the system boots.

The registry key is added with a random name in "..\SOFTWARE\Microsoft\Windows\CurrentVersion\Run{randomstring}"

A lnk file into startup folder.

Finally the malware copies another two files (an executable and a modified dll) into "C:\Windows\System32[0-9]{4}" folder and creates a programed task that will execute that executable each hour.

Notice that in each execution Dridex will choose a different executable file and a different dll for its persistence.

AtomBombing Injection

AtomBombing injection method is based in APC injection, but in this case, this method uses the Atoms (Windows Executive Objects) to hide and copy the shellcode into the process objetive.

The use of Atoms make the injection more stealthy because the AV products usually do not make any check when Atom creation or reading occurs.

In addition, is difficult to analyze in real time, because the malware analysts are not able to check the Atoms in an easy way, moreover Dridex delete the atoms during the injection process, making more difficult to obtain the shellcode via atoms.

In our opinion, we think that is more useful to obtain the shellcode directly from the injected process, and by that reason we are going to explain all the process showing the injection from the malicious Dridex DLL to the explorer.exe.

What Dridex does?

We are going to explain briefly, what are the steps that Dridex take in order to perform process injection via AtomBombing.

Looking for explorer.exe

The first step in this case, is to find explorer.exe, to do this, Dridex uses "CreateToolhelp32Snapshot"function to create an snapshot of all system processes, and then it will navigate among the processes using Process32FirstW and Process32NextW until explorer.exe is found.

Looking for alertable threads

In this step, an alertable thread is needed to perform APC calls. Because using APC calls Dridex will be able to execute specific functions into explorer.exe.

To acomplish this, Dridex will obtain the handle to the process using OpenProcess function.

The handle will be used to launch NtQueueApcThread function in all the explorer's threads, setting NtSetEvent as ApcRoutine.

NtQueueApcThread(

  IN HANDLE               ThreadHandle,
  IN PIO_APC_ROUTINE      ApcRoutine,
  IN PVOID                ApcRoutineContext OPTIONAL,
  IN PIO_STATUS_BLOCK     ApcStatusBlock OPTIONAL,
  IN ULONG                ApcReserved OPTIONAL );

The first thread that performs NtSetEvent will be the "chosen one" to perform the APC calls.

In this case, the thread that performed NtSetEvent first was the thread with 0xFC handle.

The handle 0xFC = Thread ID 920 (decimal) to hexadecimal 398

Writing the shellcode into explorer.exe

Now with the first thread that replied the APC call, the malicious DLL will performs the first "NtQueueApcThread" setting ntdll.memset to 0 where the code will be injected.

Memory of explorer.exe where memset was performed:

Now Dridex will create a new Atom with the first bytes that will be copied into explorer.exe.

The next function that will be used in conjuction with NtQueueApcThread will be GlobalGetAtomNameW.

As we can see, GlobalGetAtomNameW will be used with C06B, that is the name of the Atom that was created (used as container) in order to inject the data from Dridex.dll to explorer.exe

GlobalGetAtomNameW performed by explorer.exe because of the NtQueueApcThread call.

Data injected into explorer.exe in 775CAAA0 offset.

Shellcode functions

Dridex will continue injecting data into explorer.exe using the same technique:

Shellcode

When the first code has been injected, it will use memset to set to 0 -> 0x7758c5f0 (ntdll memory space):

Then using again AtomBombing it will inject the shellcode:

Modifying GlobalAtomGetAtomNameA to launch the shellcode

Now with all the necessary code injected into explorer.exe, Dridex will call the shellcode using this sneaky trick:

It will modify the original GlobalGetAtomNameA function, so that when GlobalGetAtomNameA will be called via NtQueueApcThread, the shellcode will be executed. Once the malicious DLL will launch the shellcode using this trick, it will restore GlobalGetAtomA.

After all this process, Dridex will check if there is any process opened with the names iexplorer.exe, chrome.exe, firefox.exe... In order to perform a new injection into the browser using the same tecnique again.

Why NTDLL?

ntdll.dll is one of the DLLs that are at the same address system-wide, that means that its functions addresses will be fixed among all the processes with the ntdll library loaded.

That makes the injection easier for Dridex, because it only has to know where the ntdll addresses have been loaded, looking into its process and with that information, it will perform injections in other processes because the functions addresses of NTDLL are fixed.

Other important libraries that have fixed addreses are kernel32 and user32.

Debugging advices, the explorer trick:

If you attach the x64dbg to explorer.exe to analyze the shellcode injected by the Dridex DLL, you will notice that if you set a break point, all the windows will be frozen. And if you are using at the same time IDA to create an IDB could be very annoying.

The way to solve this, is creating other instance of the original explorer.exe. This could sound of common sense, but you have to know how the trick works :P.

  1. Copy explorer.exe from C:\Windows\explorer.exe to the Desktop.
  2. Now if you execute explorer.exe you will notice that there is only one explorer.exe in execution (This not works)
  3. Change the name of the explorer.exe from the desktop, example "aaaa.exe" and execute it, as you can see, now you have two explorer.exe instances in execution (the name "aaaa.exe" will be changed to "explorer.exe")
  4. Now we have two instances of explorer.exe but we want that the Dridex DLL only performs the injection routine into the new explorer.exe, to achive this we have to the next:
  5. We have to open the malicious Dridex DLL with x64dbg (set a bp in "NtQueueAPCThread"), then we have to attach our x64dbg to the new explorer.exe created and set a break point into "GlobalAtomGetAtomNameW".
  6. Then, using the task manager, we have to close the first explorer.exe and run the x64dbg with Dridex DLL until "NtQueueAPCThread".
  7. At this point, Dridex will be inject the shellcode in our explorer.exe.
  8. Now we want to recover our pretty desktop, to perform that, you have to open the task manager, launch a cmd and run explorer.exe. You will notice that you can navigate among all the windows, set bp into explorer.exe without froze all the desktop and complete your IDB in IDA Pro without any problem.
  9. Run Dridex Dll x64dbg and start you analysis!

AtomBombing will be used in the future by other malware developers?

In our opinion, this injection method is very useful and difficult to hunt if you do not understand how AtomBombing works, because Atoms are Windows Executive Objects and there are few tools able to capture their changes in a comfortable way.

Moreover the method that Dridex uses do not perform any ROP like the original POC, in this case it modifies the original function "GlobalAtomGetAtomNameA" to launch the shellcode, making the implementation process easier but less stealthy.

Yara Rule

rule Dridex : banker
{
    meta:
      author = "51ddh4r7h4 & D00RT"
      date = "2017/08/01"
      description = "Dridex V4"
      reference/source = "http://reversingminds-blog.logdown.com"
      sample = "c19a33ec0125d579c4ab695363df49f7"
      in_the_wild = true

    strings:
        $a = {48 83 EC 18 B8 41 45 38 09 C7 44 24 10 E1 28 71 01 8B 54 24 10 29 D0 89 44 24 0C 81 7C 24 0C 57 E4 75 2A 89 4C 24
              08 89 54 24 04 75 00 8B 44 24 08 89 04 24 8B 0C 24 65 67 48 8B 11 44 8B 44 24 04 41 81 C0 B4 AE 33 78 44 89 44 24
              14 48 89 D0 48 83 C4 18 C3 66 66 2E 0F 1F 84 00 00 00 00 00 48 83 EC 38 48 C7 44 24 30 70 D1 E6 75 48 8B 44 24 30
              48 35 21 50 E2 06 48 3D 48 39 05 15 72 0F B9 30 00 00 00 48 83 C4 38 48 E9 71 FF FF FF B9 76 A0 92 6C E8 67 FF FF
              FF 31 C9 89 CA 48 89 44 24 28 48 89 D0 48 83 C4 38 C3 66 0F 1F 44 00 00 48 83 EC 38 C7 44 24 34 85 1B 96 21 8B 44
              24 34 89 44 24 2C E8 97 FF FF FF 8B 4C 24 2C 81 E1 E0 CA 13 57 89 4C 24 30 8B 4C 24 2C 81 F9 7A 6B 6F 57 48 89 44
              24 20 75 00 8B 44 24 2C 35 55 36 B4 45 89 44 24 30 48 8B 4C 24 20 48 8B 41 60 48 83 C4 38 C3 66 66 66 66 2E 0F 1F
              84 00 00 00 00 00 48 83 EC 40 44 88 C8 41 B9 DC 96 50 30 45 89 CA 48 C7 44 24 28 5A 5B 6C 45 44 8B 4C 24 3C 41 81
              C1 AC 6F 55 46 44 89 4C 24 3C 4C 8B 5C 24 28 48 89 4C 24 10 4C 89 D9 49 D3 E2 4C 89 54 24 20 49 81 FB D2 F4 A4 6B
              48 89 54 24 08 88 44 24 07 44 89 04 24 77 33 B8 3B 48 13 64 C7 44 24 18 6E 8B 6E 1D 8B 0C 24 89 CA 41 89 D0 4C 89
              44 24 30 4C 8B 44 24 30 4C 8B 4C 24 08 47 8A 14 01 44 88 54 24 1F 3B 44 24 18 75 00 48 8B 44 24 30 8A 4C 24 1F 8A
              54 24 07 28 D1 4C 8B 44 24 10 41 88 0C 00 48 83 C4 40 C3 66 66 2E 0F 1F 84}

    condition:
        $a 
}

Summary

Authors: @51ddh4r7h4, @D00RT

← Can be a "legitimate" program an APT? Fileless Code Injection in Word without macros (CVE-2017-11882) →