Channel: iTWire - Entertainment

From trojan to ransomware, Dridex becomes FriedEx


A variant of the infamous Dridex banking trojan has appeared in the guise of ransomware in recent months, the Slovakian security firm ESET says, with the new malware focusing on higher-profile targets rather than end-users.

In a blog post, ESET security researcher Michael Poslušný said that the new trojan, christened FriedEx (aka BitPaymer because of the text in the ransom), shared many similarities in its code with Dridex.

FriedEx was initially discovered in July 2017 by a security researcher known as Michael Gillespie. It gained prominence the following month when it infected a number of NHS hospitals in Scotland.

Poslušný said FriedEx was typically delivered by a brute force attack using the Windows Remote Desktop Protocol.

"In December 2017, we took a closer look at one of the FriedEx samples and almost instantly noticed the resemblance of the code to Dridex," he said.

"Intrigued by the initial findings, we dug deep into the FriedEx samples, and found out that FriedEx uses the same techniques as Dridex to hide as much information about its behaviour as possible."

Poslušný said FriedEx resolved all system API calls on the fly by searching for them by hash, stored all strings in encrypted form, and looked up registry keys and values by hash.

"The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis," he noted.
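The hash-based API lookup described above is usually undone during analysis by hashing known export names and matching them against the constants found in the binary. The following is an added example, not code from ESET or from the article: the hash function (CRC32 XORed with a per-sample key), the key, the export list and the observed constants are all assumptions constructed for illustration, since the article does not give the real algorithm.

```python
import zlib

# Constructed candidate list: export names an analyst would collect from
# system DLLs on a clean reference machine.
CANDIDATE_EXPORTS = [
    "CreateFileW", "WriteFile", "RegOpenKeyExW", "RegQueryValueExW",
    "CryptAcquireContextW", "CryptEncrypt", "FindFirstFileW", "FindNextFileW",
]

def name_hash(name, xor_key=0):
    """Assumed stand-in hash: CRC32 of the ASCII name XORed with a sample key."""
    return (zlib.crc32(name.encode("ascii")) ^ xor_key) & 0xFFFFFFFF

def build_lookup(names, xor_key=0):
    """Precompute hash -> [names]; a list, because 32-bit hashes can collide."""
    table = {}
    for name in names:
        table.setdefault(name_hash(name, xor_key), []).append(name)
    return table

def resolve(observed, table):
    """Map each constant seen in disassembly to candidate names ([] if unknown)."""
    return {h: table.get(h, []) for h in observed}

def coverage(resolved):
    """Fraction of observed constants with at least one candidate name."""
    if not resolved:
        return 0.0
    return sum(1 for names in resolved.values() if names) / len(resolved)

# Constructed sample input: two constants derived from known names with a
# hypothetical key, plus one constant that matches nothing in the list.
SAMPLE_KEY = 0x5A5A5A5A
OBSERVED = [
    name_hash("CryptEncrypt", SAMPLE_KEY),
    name_hash("FindFirstFileW", SAMPLE_KEY),
    0xDEADBEEF,
]

if __name__ == "__main__":
    resolved = resolve(OBSERVED, build_lookup(CANDIDATE_EXPORTS, SAMPLE_KEY))
    for h, names in resolved.items():
        print(f"0x{h:08X} -> {', '.join(names) or 'unresolved'}")
    print(f"coverage: {coverage(resolved):.0%}")
```

A low coverage figure is itself a signal: either the candidate list is incomplete or the assumed hash or key is wrong. The same table approach applies to registry key and value names looked up by hash.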

Given the way the authors of Dridex had evolved their creation, Poslušný said it was logical to assume that they would not be going away any time soon.

"We can see that the group continues to be active and not only consistently updates their banking trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware 'trends', creating their own ransomware," he said.

