A new version of the Ursnif malware, stripped of its specific banking trojan functionality to revamp itself into a generic backdoor.
This change indicates that the operator of the new version might change their focus and use the malware to distribute Ransomware.
The new variant, "LDR4", was spotted on June 23 2022. The researchers at the incident response company Mandiant added that they believe "the same threat actors who operated the RM3 variant are behind the LDR4 variant".
The LDR4 variant is delivered through fake job offers sent to the target's email address. The email contains a link to a website that impersonates a legitimate company; the same malware family has used this standard lure before.
Once the malicious site is visited, the victim is required to solve a CAPTCHA challenge before downloading an Excel file. The file contains macro code that fetches the malware payload from a remote resource onto the victim's system.
The Ursnif variant (a.k.a. Gozi) comes in the form of a DLL called "loader.dll". It is wrapped in portable-executable crypters and signed with valid certificates, making it harder for security tools to catch.
Security researchers observed that all banking features were removed from the new Ursnif variant, and its code has also been cleaned and simplified.
On execution, Ursnif generates a user ID and a system ID by retrieving information about system services from the Windows registry. It then uses the RSA key stored in its configuration to connect to the command and control server, from which it retrieves the list of commands to run on the host.
The commands supported by LDR4 variants are:
- Load a DLL module into the current process
- Retrieve the state of the cmd.exe reverse shell
- Start the cmd.exe reverse shell
- Stop the cmd.exe reverse shell
- Restart the cmd.exe reverse shell
- Run an arbitrary command
- Terminate
Not all of these features are new; some were already implemented in previous Ursnif versions. The built-in command shell, which uses a remote IP address to establish a reverse shell, isn't new either, but it is now embedded in the malware binary instead of being delivered as an additional module as in previous variants.
The plugin system was eliminated, since the command to load a DLL module into the current process can extend the malware's capabilities as needed.
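From a detection standpoint, two observable behaviours follow from the description above: an Office process (the macro-laden Excel lure) spawning a child that fetches something from the network, and cmd.exe being started by a parent that itself holds an outbound connection, which is the shape of an embedded reverse shell where the parent relays the shell's I/O over its own socket. The following script is an added example written for this page, not code from the article or from Mandiant; the event schema (`process_create` / `network_connect` records with `pid`, `parent_pid`, `image`, `dst_ip`, `dst_port`), the stage image path, PIDs and the 203.0.113.5 address are all constructed for the illustration.

```python
"""Added example (not from the article or Mandiant): an offline detection
pass over constructed endpoint-telemetry records that flags two patterns
described in the LDR4 write-up:

  1. an Office process spawning a child that reaches out to the network
     (the macro-driven payload fetch), and
  2. cmd.exe started by a parent that already holds an outbound connection
     (the embedded reverse shell, whose socket belongs to the parent).

All field names, image paths, PIDs and addresses are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe"}

# Constructed sample telemetry (hypothetical schema, not a real EDR format).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 11, "parent_pid": 1,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 100, "parent_pid": 11,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    # Hypothetical stage launched by the document macro.
    {"type": "process_create", "pid": 200, "parent_pid": 100,
     "image": r"C:\Users\victim\AppData\Local\Temp\stage.exe"},
    # TEST-NET-3 documentation address, constructed for the example.
    {"type": "network_connect", "pid": 200, "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "process_create", "pid": 300, "parent_pid": 200,
     "image": r"C:\Windows\System32\cmd.exe"},
    # Benign: a user opening a shell from Explorer, no network activity.
    {"type": "process_create", "pid": 400, "parent_pid": 11,
     "image": r"C:\Windows\System32\cmd.exe"},
]


@dataclass
class Process:
    pid: int
    image: str                      # lower-cased basename, e.g. "cmd.exe"
    parent_pid: int
    outbound: List[str] = field(default_factory=list)   # "ip:port" strings


def build_process_table(events) -> Dict[int, Process]:
    """Fold process-creation and network events into a pid -> Process map."""
    procs: Dict[int, Process] = {}
    for ev in events:
        if ev["type"] == "process_create":
            basename = ev["image"].lower().rsplit("\\", 1)[-1]
            procs[ev["pid"]] = Process(ev["pid"], basename, ev["parent_pid"])
        elif ev["type"] == "network_connect":
            proc = procs.get(ev["pid"])
            if proc is not None:
                proc.outbound.append(f"{ev['dst_ip']}:{ev['dst_port']}")
    return procs


def detect(events) -> List[Tuple[str, int, int]]:
    """Return (rule, parent_pid, child_pid) tuples for every matching pair."""
    procs = build_process_table(events)
    alerts: List[Tuple[str, int, int]] = []
    for proc in procs.values():
        parent = procs.get(proc.parent_pid)
        if parent is None:          # parent not observed in this window
            continue
        # Rule 1: Office parent, child talks to the network.
        if parent.image in OFFICE_IMAGES and proc.outbound:
            alerts.append(("office_child_network", parent.pid, proc.pid))
        # Rule 2: shell whose parent owns an outbound socket.
        if proc.image in SHELL_IMAGES and parent.outbound:
            alerts.append(("shell_under_networked_parent", parent.pid, proc.pid))
    return alerts


if __name__ == "__main__":
    for rule, parent_pid, child_pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: parent pid {parent_pid} -> child pid {child_pid}")
```

Both rules are heuristics: Office applications legitimately spawn updaters and add-in hosts, and remote-management tools routinely open shells while holding network connections, so in production the rules are tuned with allow-lists for known parent images and destinations rather than applied raw.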
Another update seen by security researchers is the virtual network computing (VNC) module, which gives LDR4 the ability to perform "hands-on" attacks on the system it breaches.
The new Ursnif operators have refined the code for more specific tasks, and its role as an initial-compromise tool shifts their focus toward distributing other malware. Threat actors in underground hacker communities have been observed looking for partners to distribute ransomware alongside the RM3 version of Ursnif.
Ursnif first started the campaign as a backdoor and then evolved into a particular banking trojan. It is similar to the known Emotet, Qakbot, and Trickbot malware.