The Zscaler ThreatLabZ research team recently spotted a common crypter being used in the recent Emotet, Qbot, and Dridex campaigns. This same crypter was observed in some of the Ursnif and BitPaymer campaigns as well.

Emotet is modular malware that primarily functions as a downloader or dropper for other banking Trojans. One of the reasons that Emotet and Dridex were able to survive for so long can be attributed to their ability to evade detection through the use of a volatile and polymorphic crypter, which wraps its original binary inside to complicate its detection and analysis. Emotet has been active for the past four years and it was one of the most prevalent malware families of 2018. In previous blogs, we analyzed Emotet and one of its delivery campaigns.

Dridex is a banking Trojan that evolved from the Zeus Trojan family. Dridex remains active in the wild even after the FBI’s takedown attempt in 2015.

Qbot can allow remote access to a victim’s system, steal information, and upload this stolen information to the attacker’s remote server. Recently, Emotet’s payload URLs were found to be serving Qbot and were using the same crypter we’re examining in this report.

This crypter provides multiple layers of protection on its core malware binary. In this research, we will describe the properties of crypted binaries that hold true across various mutations.