Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Popular Banking Trojans Share Loaders

Several well-known banking Trojans that have been around for several years have shared loaders, Trend Micro security researchers have discovered. 

Several well-known banking Trojans that have been around for several years have shared loaders, Trend Micro security researchers have discovered. 

Analysis shows payload decryption procedures and loaders’ internal data structure is similar for Emotet, Ursnif, Dridex and BitPaymer, the researchers claim. 

Emotet, which was discovered in 2014, has delivered various payloads to its victims, including Gootkit, ZeusPanda, IcedID, TrickBot, and Dridex. 

Previous research has already shown similarities in the obfuscation techniques used by both Emotet and Ursnif/Gozi-ISFB, a banking Trojan considered one of the top global threats and which had its source code leaked several years ago. 

Dridex has been another highly active Trojan targeting both banks and financial institutions, notorious for the various methods and techniques used to steal personal information and credentials. 

Unlike the three, BitPaymer is an encrypting Trojan, or ransomware, mainly used in attacks against medical institutions and relying on remote desktop protocol and email-related techniques for distribution. 

BitPaymer is operated by the same group distributing Dridex and which was also behind the infamous Locky ransomware.

Trend Micro’s analysis revealed that, despite small differences in the arithmetic operations’ instructions of disassembled PE packers, “the four payload decryption procedures were identical in data structures’ overview on the way they decrypted the actual PE payloads.”

Additionally, the researchers discovered that the internal data structure of the four malware families was identical. 

“As cybercrime organizational structures in some countries tend to compartmentalize work, we suspect that the four malware families’ gangs might be in contact with the same weapon providers for PE loaders,” Trend Micro says. 

The security researchers also note that the four cybercrime groups may have established some attributional – working or otherwise – relationships and that they might have exchanged resources among them, or continue to do so.

The researchers note that the cybercriminals behind Emotet are those who might have been sharing code to collaborate with trusted, highly-skilled cybercriminal groups. They also believe that the four groups are engaged into an ongoing relationship.

“Alliances like these could lead to more destructive malware deployments in the future. More than ever, it is important for organizations to heighten cybersecurity preventive measures, such as establishing policies and procedures for handling security threats,” Trend Micro says. 

Related: Dridex/Locky Operators Unleash New Malware in Recent Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...