Monday, 29 January 2018 11:12

From trojan to ransomware, Dridex becomes FriedEx


A variant of the infamous Dridex banking trojan has appeared in the guise of ransomware in recent months, the Slovakian security firm ESET says, with the new malware focusing on higher-profile targets rather than end-users.

In a blog post, ESET security researcher Michal Poslušný said that the new trojan, christened FriedEx (also known as BitPaymer, after the text in its ransom note), shared many similarities in its code with Dridex.

FriedEx was initially discovered in July 2017 by a security researcher known as Michael Gillespie. It gained prominence the following month when it infected a number of NHS hospitals in Scotland.

Poslušný said FriedEx was typically delivered by a brute-force attack using the Windows Remote Desktop Protocol.

"In December 2017, we took a closer look at one of the FriedEx samples and almost instantly noticed the resemblance of the code to Dridex," he said.

"Intrigued by the initial findings, we dug deep into the FriedEx samples, and found out that FriedEx uses the same techniques as Dridex to hide as much information about its behaviour as possible."

Poslušný said FriedEx resolved all system API calls on the fly by searching for them by hash, stored all strings in encrypted form, and looked up registry keys and values by hash.

"The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis," he noted.
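An added example, not code from ESET's analysis or this article, showing the analyst's side of the API-hashing technique described above: a binary that resolves imports by hash carries only numeric constants, so precomputing hashes of known export names lets an analyst map those constants back to function names. The ROR-13-and-add routine is an assumed illustrative hash, not FriedEx's actual one, and the export list is a constructed sample.

```python
# Added example, not code from ESET's analysis: an analyst-side lookup table
# for hashed API names. A binary that resolves imports by hash carries only
# numeric constants, so precomputing hashes of known export names lets an
# analyst map those constants back to function names. The ROR-13-and-add
# routine below is an ASSUMED illustrative hash, not FriedEx's actual one;
# substitute the routine recovered from the sample.
from typing import Callable, Dict, Iterable, Optional


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Illustrative hash: h = ror32(h, 13) + byte, over each byte of the name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_hash_table(names: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Precompute hash -> export name for every name we know about."""
    return {hash_fn(n): n for n in names}


def resolve(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map constants pulled out of a sample to names; None when unknown."""
    return {c: table.get(c) for c in constants}


# Constructed sample: a few export names an analyst would really load from the
# DLLs' export tables (kernel32, advapi32, ...); the real list is far longer.
KNOWN_EXPORTS = [
    "CreateFileW", "WriteFile", "RegOpenKeyExW", "RegQueryValueExW",
    "CryptEncrypt", "FindFirstFileW", "LoadLibraryA", "GetProcAddress",
]
EXPORT_TABLE = build_hash_table(KNOWN_EXPORTS)

if __name__ == "__main__":
    # Constructed constants: two that resolve and one deliberately unknown.
    seen = [ror13_hash("CryptEncrypt"), ror13_hash("RegOpenKeyExW"), 0xDEADBEEF]
    for const, name in resolve(seen, EXPORT_TABLE).items():
        print(f"0x{const:08x} -> {name or '<unresolved>'}")
```

In practice the table is built from the full export lists of the DLLs the sample loads, and the hash routine is lifted from the sample's own resolver.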

Given the way the authors of Dridex had evolved their creation, Poslušný said it was logical to assume that they would not be going away any time soon.

"We can see that the group continues to be active and not only consistently updates their banking trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware 'trends', creating their own ransomware," he said.

Nick FitzGerald, senior research fellow at ESET, said: "We have very limited detection data for this threat, as it seems that it is mainly installed through RDP compromise (Remote Desktop Protocol – the native Windows remote control/remote assistance program).

"What happens in such attacks is that the attackers brute-force account credentials of poorly-protected RDP hosts exposed to the Internet. Such poorly-secured systems tend to be run by less-security-aware folk, so there is a higher chance of gaining access to a privileged account (administrator, domain administrator)."
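An added example, not part of ESET's analysis or this article: a small detector for the RDP credential brute-forcing FitzGerald describes, run over a few constructed Windows Security log lines. It flags a source that produces many failed logons (Event ID 4625, logon type 10 = RemoteInteractive) inside a short window and escalates when that same source then logs on successfully (Event ID 4624); the key=value field layout is an assumed export format, and the window and threshold are assumed tuning values.

```python
# Added example, not part of the ESET analysis or this article: a detector for
# RDP credential brute-forcing over CONSTRUCTED Windows Security log lines.
# Flags a source with many failed logons (4625, logon type 10 = RDP) in a short
# window, and escalates when that source then succeeds (4624). The key=value
# layout is an assumed export format; WINDOW and THRESHOLD are assumed tuning.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # failed RDP logons from one source inside WINDOW before alerting

def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts=... id=... type=... user=... src=...' into a dict."""
    return dict(part.split("=", 1) for part in line.split())

def detect(lines: List[str]) -> List[str]:
    """Return alerts 'brute_force <src>' and 'success_after_brute_force <src> <user>'."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> 4625 times
    flagged = set()
    alerts: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "10":  # only RDP (RemoteInteractive) logons matter here
            continue
        ts, src = datetime.fromisoformat(ev["ts"]), ev["src"]
        if ev["id"] == "4625":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(f"brute_force {src}")
        elif ev["id"] == "4624" and src in flagged:
            alerts.append(f"success_after_brute_force {src} {ev['user']}")
    return alerts

# Constructed sample log: a password spray from one host, one unrelated failure
# from another host, then a success from the spraying host.
SAMPLE_LOG = [
    "ts=2018-01-20T02:00:01 id=4625 type=10 user=admin src=203.0.113.7",
    "ts=2018-01-20T02:00:03 id=4625 type=10 user=administrator src=203.0.113.7",
    "ts=2018-01-20T02:00:05 id=4625 type=10 user=backup src=203.0.113.7",
    "ts=2018-01-20T02:00:07 id=4625 type=10 user=sysadmin src=203.0.113.7",
    "ts=2018-01-20T02:00:09 id=4625 type=10 user=administrator src=203.0.113.7",
    "ts=2018-01-20T02:00:10 id=4625 type=10 user=alice src=198.51.100.2",
    "ts=2018-01-20T02:00:12 id=4624 type=10 user=administrator src=203.0.113.7",
]
```

Calling `detect(SAMPLE_LOG)` yields one brute-force alert for 203.0.113.7 followed by a success-after-brute-force alert for the administrator account, the pattern that precedes the lateral movement described next.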

He said there was also a suggestion that FriedEx was targeted at companies the attackers thought were more likely to be able to pay a bigger ransom than that demanded of the victims of more typical ransomware (ransom demands in the 20-50 bitcoin range have been seen; at current exchange rates of approximately US$12,000 per bitcoin, that is about a quarter of a million dollars to more than half a million US$).

"Also, once the FriedEx attackers gain access to a computer inside a target network the attackers will try to move laterally, to compromise further computers within the network in attempts to gain higher privileges if the initial point of compromise does not provide access to such an account," FitzGerald said. "Eventually, after possibly compromising many computers, or obtaining domain-wide credentials, they execute the ransomware on multiple computers across the network."

He said that in such an attack, once the attacker obtained sufficiently elevated privileges, they could disable security products and take other steps to hamper detection.

"It is very common in such cases that the attackers disable endpoint and server protection products just before running the ransomware."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
