Story image

From Dridex to Friedex: Malware creators dabble in ransomware

31 Jan 2018

If the first thing that comes to mind on the topic of banking Trojans is Dridex, prepare to add the word ‘FriedEx’ or ‘BitPaymer’ to the list of related words.

ESET researchers have discovered that the creators of the Dridex banking Trojan are also responsible for FriedEx (also known as BitPaymer), a ransomware that was discovered in mid-2017.

The ransomware goes after high profile targets through a remote desktop protocol (RDP) brute force attack. It encrypts all files with an individual key and then hardcoded through a 1024-bit RSA public key.

ESET senior research fellow Nick FitzGerald explains that although there is limited detection data, attackers are looking for poorly-protected RDP hosts that are exposed to the internet.

“As such poorly-secured systems tend to be run by less-security-aware folk, there is a higher chance of gaining access to a privileged account (administrator, domain administrator),” he says.

Researchers examined one of the FriedEx samples and found similarities between its code and the Dridex code.

FriedEx also uses the same techniques to hide its behaviour, has similar PDB paths, timestamps and compiler information to what Dridex uses.

Dridex was first discovered in 2014. The banking Trojan has continued to evolve, with the latest version (Dridex 4.80) released on December 14 last year.

The Trojan apparently receives weekly updates and fixes.

Because FriedEx is a ransomware, researchers admit it does have some functions not present in Dridex, including the file encryption look and creation of ransom message files.

FitzGerald adds that the large ransom demands, which can be between 20-50 Bitcoins ($US12,000 - $500,000), there is further suggestion that the attackers are targeting those that they think are able to pay the larger ransom demands.

Attackers are also able to gain access to a computer in a network and move laterally to compromise more computers and gain higher privileges. If they grab domain-wide credentials, they can inflict Dridex across many computers on a network, he continues.

"In such an attack, once the attacker obtains sufficiently elevated privileges, they can disable security products and take other steps to hamper their detection. It is very common in such cases that the attackers disable endpoint and server protection products just before running the ransomware.”

 ESET says that the Dridex creators are not a ‘one trick pony’ that remain focused on their Trojan – as evidence reveals they are adapting to trends and creating different malware that is able to compete against the most advanced in its category.

Singapore firm to launch borderless open data sharing platform
Singapore-based Ocean Protocol, a decentralised data exchange that promotes data sharing, has revealed details of what could be the kickstart to a global and borderless data economy.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Aussies too lax about IoT security - McAfee
Aussie consumers are at a loss when it comes to securing the increasing number of connected devices in their homes and are often opting to take no action at all.
Barracuda expands MSP security offerings with RMM acquisition
Managed Workplace delivers an RMM platform with security tools and services, such as site security assessments, Office 365 account management, and integrated third-party antivirus.
Flashpoint: APAC companies must factor geopolitics in cyber strategies
The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC.
Expert offers password tips to aid a stress-free sleep
For many cybersecurity professionals, the worries of the day often crawl into night-time routines - LogMeIn says better password practices can help.
SolarWinds extends database anomaly detection
As organisations continue their transition from purely on-premises operations into both private and public cloud infrastructures, adapting their IT monitoring and management capabilities can pose a significant challenge.
NATO picks BlackBerry's encrypted voice technology to secure calls
The NCI Agency acquires, deploys and defends communication systems for NATO's political decision-makers and command centres