{
	"id": "609b5ad2-9790-40ad-9bfb-b82639f2b65e",
	"created_at": "2026-04-06T00:12:12.808486Z",
	"updated_at": "2026-04-10T03:23:51.511476Z",
	"deleted_at": null,
	"sha1_hash": "3c950811f5a3bb720abd0592f776d52a75890aa9",
	"title": "URSNIF, EMOTET, DRIDEX and BitPaymer Linked by Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78271,
	"plain_text": "URSNIF, EMOTET, DRIDEX and BitPaymer Linked by Loader\r\nBy: Trend Micro Research Dec 18, 2018 Read time: 3 min (827 words)\r\nPublished: 2018-12-18 · Archived: 2026-04-05 13:27:36 UTC\r\nAs ransomware and banking trojans captured the interest – and profits – of the world with their destructive\r\nroutines, cybersecurity practitioners have repeatedly published online\r\nand offline how cybercriminals have compartmentalized their schemes through exchange of information\r\nand banded professional organizations. As a more concrete proof of the way these symbiotic relationships and\r\nwork flows intersect, we discovered a connection between EMOTET, URSNIF, DRIDEX and BitPaymer from\r\nopen source information and the loaders of the samples we had, functioning as if tasks were divided among\r\ndifferent developers and operators.\r\nFigure 1. Connections of EMOTET, DRIDEX, URSNIF and BitPaymer.\r\nBackground and details\r\nIn order to have a better understanding of the significance of these connections, here’s a summarized background\r\nof each malware family:\r\nURSNIF / GOZI-ISFB\r\nStill considered as one of the global top threats, this banking trojan’s source code was among those repeatedly\r\nleaked because of its evolution and notoriety for adaptive behaviors. This\r\nspyware monitors traffic, features a keylogger, and steals credentials stored in browsers and applications. The\r\nmalware creators of GOZI admitted to its creation and distribution, and were sentenced in 2015 and 2016.\r\nDRIDEX\r\nThis is another banking trojan that targets banking and financial institutions. The cybercriminals behind it use various\r\nmethods and techniques to steal personal information and credentials through malicious attachments and HTML\r\ninjections. 
DRIDEX evolved from CRIDEX, GameOver Zeus and ZBOT, and proved to be resilient even after it\r\nwas momentarily taken down in 2015 through a partnership with the FBI.\r\nEMOTET\r\nDiscovered by Trend Micro in 2014, this malware acts as a loader for payloads such as Gootkit, ZeusPanda,\r\nIcedID, TrickBot, and DRIDEX for critical attacks. Other publications have also mentioned observing obfuscation\r\ntechniques between EMOTET and URSNIF/GOZI-ISFB.\r\nBitPaymer\r\nThis ransomware was used to target medical institutions via remote desktop protocol and other\r\nemail-related techniques, momentarily shutting down routine services for a high ransom. Security researchers\r\nlater published evidence that not only was DRIDEX dropping BitPaymer, but that\r\nit also came from the same cybercriminal group.\r\nDuring our analysis, we found evidence that the malware families identified had shared loaders: the overview of\r\nthe payload decryption procedure, and the loaders’ internal data structure. While the first figure of the\r\ndisassembled PE packers had small differences in their arithmetic operations’ instructions, we found that the four\r\npayload decryption procedures were identical in data structures’ overview on the way they decrypted the actual PE\r\npayloads.\r\nFigure 2. Overview of identical structures of payloads’ loader decryption procedures.\r\nFurther analysis also revealed that the internal data structure of the four malware families was the same. We\r\ncompared the disassembled codes from the samples we had and noticed the encrypted payload address and size\r\nplaced into the decryption procedure located at offsets 0x34 and 0x38.\r\nFigure 3. 
Identical data structures show similar payload addresses and sizes.\r\nFigure 4. Data structure used by the shared loader.\r\nAs cybercrime organizational structures in some countries tend to compartmentalize work, we suspect that the\r\nfour malware families’ gangs might be in contact with the same weapon providers for PE loaders. In addition, it’s\r\nalso possible that these four cybercrime groups may establish some attributional – working or otherwise –\r\nrelationships and have exchanged or continue to exchange resources.\r\nIn our history of monitoring botnets and the underground organizations who make and/or use them, the\r\ncybercriminals behind EMOTET may be sharing to collaborate with trusted, highly-skilled cybercriminal groups,\r\nand this may be a sign of these four groups’ ongoing and intriguing relationship.\r\nAlliances like these could lead to more destructive malware deployments in the future. More than ever, it is\r\nimportant for organizations to heighten cybersecurity preventive measures, such as establishing policies and\r\nprocedures for handling security threats. Regular education awareness sessions and reminders for employees can\r\nhelp protect the enterprise from attacks and intrusions from malicious emails and URLs. Installing and updating a\r\nmulti-layered protection solution for preventing online banking threats can go a long way in securing\r\nbusinesses.\r\nTrend Micro Solutions\r\nTrend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business\r\nSecurity solutions can protect users and businesses from threats by detecting malicious files and messages as well\r\nas blocking all related malicious URLs. 
Trend Micro™ Deep Discovery™ has an email inspection layer\r\nthat can protect enterprises by detecting malicious attachments and URLs.\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems\r\nfrom all types of threats, including ransomware and cryptocurrency-mining malware. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With\r\ncapabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security can secure\r\nsystems against modern threats that bypass traditional controls; exploit known, unknown, or undisclosed\r\nvulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining.\r\nSmart, optimized, and connected, XGen security powers Trend Micro’s suite.\r\nIndicators of Compromise\r\nMalware SHA256\r\nURSNIF 9d38a0220b2dfb353fc34d03079f2ba2c7de1d4a234f6a2b06365bfc1870cd89\r\nDRIDEX cbd130b4b714c9bb0a62e45b2e07f3ab20a6db3abd1899aa3ec21f402d25779e\r\nEMOTET 0a47f5b274e803754ce84ebd66599eb35795fb851f55062ff042e73e2b9d5763\r\nBitPaymer d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/"
	],
	"report_names": [
		"ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c950811f5a3bb720abd0592f776d52a75890aa9.pdf",
		"text": "https://archive.orkl.eu/3c950811f5a3bb720abd0592f776d52a75890aa9.txt",
		"img": "https://archive.orkl.eu/3c950811f5a3bb720abd0592f776d52a75890aa9.jpg"
	}
}