Developers of the Dridex banking Trojan are now also working on a piece of ransomware called FriedEx, researchers said.
The ransomware, also known as BitPaymer, has quite a few similarities to the well-known banking Trojan, said researchers at ESET.
Through a deep analysis, the researchers found:
• The two malware families use the same function for generating the UserID
• Other functions implementing specific malware functionality are the same and appear in the same order in the binaries
• The two threats use the same malware packer
• The PDB (Program Database) paths included in the analyzed malware binaries are the same
• Several Dridex and FriedEx samples have the same date of compilation and consistent randomly generated constants
• Malware binaries of both threats are compiled in Visual Studio 2015
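Two of the artifacts compared above, the compile timestamp and the PDB path, can be read straight from a PE image. The triage helper below is an added example (not ESET's tooling or anything from the original report): it extracts the COFF TimeDateStamp and the PDB path from the RSDS CodeView record and groups samples that share both. The sample blobs, timestamps and PDB paths are constructed placeholders, not values from real Dridex or FriedEx binaries.

```python
import struct
from collections import defaultdict

def build_sample(timestamp, pdb_path):
    """Construct a minimal PE-shaped blob (not a runnable executable) that carries
    a COFF TimeDateStamp and an RSDS CodeView record. Constructed for this example."""
    pe_offset = 0x80
    dos_header = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", pe_offset)).ljust(pe_offset, b"\x00")
    # PE\0\0, Machine, NumberOfSections, TimeDateStamp, then the rest of the COFF header
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 3, timestamp) + b"\x00" * 12
    # CodeView record: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\x00"
    return dos_header + coff + b"\x00" * 32 + rsds + b"\x00" * 16

def extract_build_artifacts(data):
    """Return (compile_timestamp, pdb_path) from a PE image, or raise on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    timestamp = struct.unpack_from("<I", data, pe_offset + 8)[0]  # COFF TimeDateStamp
    pdb_path = None
    idx = data.find(b"RSDS")  # linear scan; a full parser would walk the debug directory
    if idx != -1:
        start = idx + 24  # skip signature (4) + GUID (16) + age (4)
        pdb_path = data[start:data.find(b"\x00", start)].decode("latin-1")
    return timestamp, pdb_path

def cluster_by_build(samples):
    """Group sample names whose compile timestamp and PDB path both match."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        groups[extract_build_artifacts(blob)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}

# Constructed samples: placeholder timestamps and PDB paths, not values from real binaries.
SHARED_PDB = r"C:\placeholder\build\sample.pdb"
SAMPLES = {
    "dridex_a": build_sample(1499990400, SHARED_PDB),
    "friedex_a": build_sample(1499990400, SHARED_PDB),
    "unrelated": build_sample(1488000000, r"C:\other\tool.pdb"),
}

if __name__ == "__main__":
    for key, names in cluster_by_build(SAMPLES).items():
        print("timestamp=%d pdb=%s -> %s" % (key[0], key[1], ", ".join(names)))
```

Matching timestamps and PDB paths are one signal among the several the researchers listed; on their own they can be forged or coincidental, so treat a cluster as a lead for deeper code comparison rather than as attribution.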
“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers,” researchers said in a post.
The developers not only keep updating the banking Trojan but also follow the latest malware trends and take part in them.
Researchers first found FriedEx in July last year. The ransomware focuses on higher-profile targets and is usually delivered via an RDP brute-force attack.
The ransomware encrypts each file with a randomly generated RC4 key, which is then encrypted using the hardcoded 1024-bit RSA public key and saved in the corresponding .readme_txt file.
On the other hand, Dridex first appeared in 2014.
“For a long time, it was believed that the Dridex gang was a one-trick pony that kept their focus on their banking Trojan,” ESET researchers said. “We have now found that this is not the case and that they can easily adapt to the newest trends and create a different kind of malware that can compete with the most advanced in its category.”