Several well-known banking Trojans that have been around for several years have shared loaders, Trend Micro security researchers have discovered.
Analysis shows payload decryption procedures and loaders’ internal data structure is similar for Emotet, Ursnif, Dridex and BitPaymer, the researchers claim.
Emotet, which was discovered in 2014, has delivered various payloads to its victims, including Gootkit, ZeusPanda, IcedID, TrickBot, and Dridex.
Previous research has already shown similarities in the obfuscation techniques used by both Emotet and Ursnif/Gozi-ISFB, a banking Trojan considered one of the top global threats and which had its source code leaked several years ago.
Dridex has been another highly active Trojan targeting both banks and financial institutions, notorious for the various methods and techniques used to steal personal information and credentials.
Unlike the three, BitPaymer is an encrypting Trojan, or ransomware, mainly used in attacks against medical institutions and relying on remote desktop protocol and email-related techniques for distribution.
BitPaymer is operated by the same group distributing Dridex and which was also behind the infamous Locky ransomware.
Trend Micro’s analysis revealed that, despite small differences in the arithmetic operations’ instructions of disassembled PE packers, “the four payload decryption procedures were identical in data structures’ overview on the way they decrypted the actual PE payloads.”
Additionally, the researchers discovered that the internal data structure of the four malware families was identical.
“As cybercrime organizational structures in some countries tend to compartmentalize work, we suspect that the four malware families’ gangs might be in contact with the same weapon providers for PE loaders,” Trend Micro says.
The security researchers also note that the four cybercrime groups may have established some attributional – working or otherwise – relationships and that they might have exchanged resources among them, or continue to do so.
The researchers note that the cybercriminals behind Emotet are those who might have been sharing code to collaborate with trusted, highly-skilled cybercriminal groups. They also believe that the four groups are engaged into an ongoing relationship.
“Alliances like these could lead to more destructive malware deployments in the future. More than ever, it is important for organizations to heighten cybersecurity preventive measures, such as establishing policies and procedures for handling security threats,” Trend Micro says.
Related: Dridex/Locky Operators Unleash New Malware in Recent Attack
