Hacking into a network
ESET researchers found that both Dridex and FriedEx use the same program database path iStock

The hackers who created one of the most prolific banking trojans currently active – Dridex – are also responsible for creating the BitPaymer ransomware, also known as FriedEx. Security researchers have been able to uncover evidence that the two malware families not only share similar features but were also created at the same time.

According to security researchers at ESET, Dridex and FriedEx share several similarities in code and evasion techniques. Further analysis of the ransomware led researchers to conclude that the two malware families were developed by the same cybercriminals.

"We found several cases of Dridex and FriedEx with the same date of compilation. This could, of course, be coincidence, but after a closer look, we quickly ruled out the 'just a coincidence' theory," ESET malware researcher Michal Poslusny said in a blog post.

"Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection."

Researchers also found that both Dridex and FriedEx use the same malware packer. However, the packer is now fairly popular and is also used by other malware families, including Qbot, Ursnif and Emotet.

ESET researchers also found that both Dridex and FriedEx use the same program database (PDB) path.

FriedEx ransomware made headlines last year, after infecting NHS hospitals in Scottland. The ransomware, which was discovered in 2017, focuses on high-profile targets and is usually delivered via an RDP brute force attack.

Meanwhile, Dridex was discovered in 2014 and has cost banks across the globe hundreds of millions of dollars. The banking malware has been upgraded by its creators several times, most recently, to also perform a code injection technique called AtomBombing. However, the malware's creators were not happy with just honing Dridex and also created a sophisticated ransomware, likely to expand their operations.

"With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers. This discovery gives us a better picture of the group's activities," Poslusny said. "We can only guess what the future will bring, but we can be sure that the Dridex gang isn't going anywhere anytime soon and that they will keep innovating their old project and possibly extend their portfolio with a new piece here and there.

"For a long time, it was believed that the Dridex gang was a one-trick pony that kept their focus on their banking Trojan. We have now found that this is not the case and that they can easily adapt to the newest trends and create a different kind of malware that can compete with the most advanced in its category."