From some time now, I’ve been observing a change in the way that the PWS-Banker variants are being created. McAfee Avert Labs used to see PWS-Bankers which targeted multiple Banks, mostly South-American banks. The new common schema used by criminals consists of 4 different parts.

1) A PWS-Banker-downloader which downloads an information file from one site (Site A). This file has urls from which it will download the bankers.

2) The PWS-Banker-downloader will then follow the urls and try to download same target files from different sites (B and C) for redundancy purposes.

3) The file downloaded can be either the PWS-Banker itself or a new PWS-Banker-downloader which will then download a PWS-Banker-dropper from yet another site (D).

4) The last file can also be a PWS-Banker.dr which is a dropper with about 12 different banks, each one with specific PWS-Banker.

The sketch bellow (taken from my cellular camera) can help readers to better understand: