# URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader

Posted on: December 18, 2018 at 4:51 am
Posted in: [Botnets](https://blog.trendmicro.com/trendlabs-security-intelligence/category/botnets/), [Malware](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)
Author: [Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/)

As ransomware and [banking trojans](https://blog.trendmicro.com/trendlabs-security-intelligence/windows-security-feature-abused-blocks-security-software/) captured the interest – and profits – of the world with their destructive routines, cybersecurity practitioners have repeatedly [published](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolution-of-cybercrime), [online](https://www.recordedfuture.com/russian-chinese-hacking-communities/) and [offline](https://industryofanonymity.com/), how cybercriminals have compartmentalized their schemes through the exchange of information and have banded together in [professional organizations](https://blog.trendmicro.com/cybercriminal-undergrounds-social-and-economic-philosophies/).
As a more concrete proof of the way these symbiotic relationships and workflows intersect, we discovered a connection between [EMOTET](https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/), [URSNIF](https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/), DRIDEX and [BitPaymer](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_bitpaymer.a), drawn from open source information and from the loaders of the samples we had, which function as if tasks were divided among different developers and operators.

_Figure 1. Connections of EMOTET, DRIDEX, URSNIF and BitPaymer._

**_Background and details_**

To better understand the significance of these connections, here is a summarized background of each malware family:

**URSNIF / [GOZI-ISFB](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/gozi)**

Still considered one of the top global threats, this banking trojan's source code was among those [repeatedly leaked](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/online-banking-trojan-brief-history-of-notable-online-banking-trojans), owing to its evolution and notoriety for adaptive behaviors. This spyware monitors traffic, features a keylogger, and steals credentials stored in browsers and applications. The creators of GOZI admitted to its creation and distribution and were [sentenced in 2015 and 2016](https://www.justice.gov/usao-sdny/pr/nikita-kuzmin-creator-gozi-virus-sentenced-manhattan-federal-court).

**DRIDEX**

Another banking trojan that [targets banking and financial institutions](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3147/dealing-with-the-mess-of-dridex); the cybercriminals behind it use various methods and techniques to steal personal information and credentials through malicious attachments and HTML injections.
DRIDEX evolved from [CRIDEX](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/cridex), [GameOver Zeus and ZBOT](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/16/the-zeus-zbot-and-kneber-connection), and proved resilient even after it was momentarily taken down in 2015 through [a partnership with the FBI](https://blog.trendmicro.com/trendlabs-security-intelligence/us-law-enforcement-takedown-dridex-botnet/).

**EMOTET**

Discovered by [Trend Micro in 2014](https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/), this malware acts as a loader for payloads such as [Gootkit, ZeusPanda, IcedID, TrickBot, and DRIDEX](https://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/) in critical attacks. Other publications have also [noted similar obfuscation techniques shared by EMOTET and URSNIF/GOZI-ISFB](https://www.hurricanelabs.com/blog/the-emotet-trojan-a-tale-of-two-malware-samples).

**BitPaymer**

This ransomware was used to [target medical institutions via remote desktop protocol and other email-related techniques](https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/), momentarily shutting down routine services for a high ransom. Security researchers later published evidence that not only was [DRIDEX dropping BitPaymer](https://mauronz.github.io/deobf-bitpaymer/), but that [both came from the same cybercriminal group](https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/).

During our analysis, we found evidence that these malware families shared loaders, based on two features: the overall payload decryption procedure and the loaders' internal data structure.
While the disassembled PE packers show small differences in the instructions used for their arithmetic operations, we found that the four payload decryption procedures were structurally identical in the way they decrypted the actual PE payloads.

_Figure 2. Overview of identical structures of payloads' loader decryption procedures._

Further analysis also revealed that the internal data structure of the four malware families was the same. Comparing the disassembled code of the samples we had, we noticed that the address and size of the encrypted payload handed to the decryption procedure sit at offsets 0x34 and 0x38.

_Figure 3. Identical data structures show similar payload addresses and sizes._

_Figure 4. Data structure used by the shared loader._

As cybercrime organizational structures in some countries tend to compartmentalize work, we suspect that the gangs behind the four malware families might be in contact with the same weapon providers for PE loaders. It is also possible that these four cybercrime groups have established some attributional – working or otherwise – relationships and have exchanged, or continue to exchange, resources. [In our history of monitoring botnets and the underground organizations who make and/or use them](https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/), the cybercriminals behind EMOTET may be sharing resources to collaborate with trusted, highly skilled cybercriminal groups, and the common loader may be a sign of these four groups' ongoing and intriguing relationship. Alliances like these could lead to more destructive malware deployments in the future.

More than ever, it is important for organizations to heighten cybersecurity preventive measures, such as establishing policies and procedures for handling security threats.
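As an added example (not code from the original post), the following Python reads the two fields the analysis identifies, the encrypted payload's address at offset 0x34 and its size at 0x38, from a dumped loader structure, bounds-checks them and carves the referenced region so it can be hashed and compared across samples during triage. The field width, the little-endian byte order, the assumption that the address is an offset from the start of the dump, and the constructed sample dump are all assumptions, not details from the post.

```python
import hashlib
import struct

# Offsets named in the analysis: encrypted payload address at 0x34, size at 0x38.
PAYLOAD_ADDR_OFF = 0x34
PAYLOAD_SIZE_OFF = 0x38


def carve_encrypted_payload(dump: bytes, struct_off: int = 0) -> bytes:
    """Return the encrypted payload region that the loader structure at
    struct_off points to.

    Assumptions (not stated in the post): both fields are little-endian
    32-bit integers, and the address is an offset from the start of the dump.
    """
    if struct_off < 0 or struct_off + PAYLOAD_SIZE_OFF + 4 > len(dump):
        raise ValueError("loader structure is truncated")
    # 0x38 == 0x34 + 4, so one unpack reads the address/size pair together.
    addr, size = struct.unpack_from("<II", dump, struct_off + PAYLOAD_ADDR_OFF)
    # Reject sizes that would read past the dump (corrupt or hostile fields).
    if size == 0 or addr + size > len(dump):
        raise ValueError(f"payload region out of bounds: addr=0x{addr:x} size=0x{size:x}")
    return dump[addr:addr + size]


def carved_payload_sha256(dump: bytes, struct_off: int = 0) -> str:
    """SHA256 of the carved payload, for comparing loaders across samples."""
    return hashlib.sha256(carve_encrypted_payload(dump, struct_off)).hexdigest()


def build_constructed_dump(payload: bytes, struct_off: int = 0) -> bytes:
    """Constructed test input (not a real loader): a zeroed header holding
    the two fields, followed by the given payload bytes."""
    header_len = max(struct_off + PAYLOAD_SIZE_OFF + 4, 0x40)
    header = bytearray(header_len)
    struct.pack_into("<II", header, struct_off + PAYLOAD_ADDR_OFF, header_len, len(payload))
    return bytes(header) + payload


if __name__ == "__main__":
    fake_payload = bytes((i * 7 + 3) & 0xFF for i in range(64))  # constructed
    dump = build_constructed_dump(fake_payload)
    print(len(carve_encrypted_payload(dump)), carved_payload_sha256(dump))
```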
Regular education and awareness sessions and reminders for employees can help protect the enterprise from attacks and intrusions via malicious emails and URLs. Installing and updating a multi-layered protection solution against online banking threats can go a long way in securing businesses.

**_Trend Micro Solutions_**

Trend Micro endpoint solutions such as the [Smart Protection Suites](http://www.trendmicro.com/us/business/complete-user-protection/index.html) and [Worry-Free Business Security](http://www.trendmicro.com/us/small-business/product-security/?_ga=2.84377822.674697187.1538446194-533054814.1523611328) solutions can protect users and businesses from these threats by detecting malicious files and messages as well as blocking all related malicious URLs. [Trend Micro™ Deep Discovery™](http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro [XGen™ security](https://www.trendmicro.com/en_us/business/products/all-solutions.html) provides a cross-generational blend of threat defense techniques to protect systems from all types of threats, including ransomware and cryptocurrency-mining malware. It features high-fidelity [machine learning](https://www.trendmicro.com/vinfo/us/security/definition/machine-learning) on gateways and [endpoints](http://www.trendmicro.com/us/enterprise/product-security/vulnerability-protection/), and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen security can secure systems against modern threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen security powers Trend Micro's suite.
**_Indicators of Compromise_**

| Malware | SHA256 |
| --- | --- |
| URSNIF | 9d38a0220b2dfb353fc34d03079f2ba2c7de1d4a234f6a2b06365bfc1870cd89 |
| DRIDEX | cbd130b4b714c9bb0a62e45b2e07f3ab20a6db3abd1899aa3ec21f402d25779e |
| EMOTET | 0a47f5b274e803754ce84ebd66599eb35795fb851f55062ff042e73e2b9d5763 |
| BitPaymer | d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2 |

**1 Comment**

**ali amair** - [a day ago](https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/#comment-4247679388)

Can we also have SHA1 for these files, as currently we don't have an option in TMCM to add SHA256 under "User define objects"?