Popular Banking Trojans Share Loaders

[silversurfer]

Several well-known banking Trojans that have been around for several years have shared loaders, Trend Micro security researchers have discovered.

Analysis shows payload decryption procedures and loaders’ internal data structure is similar for Emotet, Ursnif, Dridex and BitPaymer, the researchers claim.

Trend Micro’s analysis revealed that, despite small differences in the arithmetic operations’ instructions of disassembled PE packers, “the four payload decryption procedures were identical in data structures’ overview on the way they decrypted the actual PE payloads.”

Additionally, the researchers discovered that the internal data structure of the four malware families was identical.

“As cybercrime organizational structures in some countries tend to compartmentalize work, we suspect that the four malware families’ gangs might be in contact with the same weapon providers for PE loaders,” Trend Micro says.

Source: https://www.securityweek.com/popular-ban...re-loaders