The Ursnif malware has been completely revamped in a new variant that researchers believe has been built to enable ransomware or data theft extortion operations.
Ursnif, also known as Gozi, is one of the most widely spread banking trojans, with the capabilities to record keystrokes, exfiltrate data and keep tabs on network and browser activity. After the malware’s source code was leaked years ago, a number of malware variants emerged, including DreamBot, IAP, RM2 and the most sophisticated variant to date, RM3. But in June, researchers with Mandiant found a new variant of the malware that they said “marks an important milestone for the tool.” The new variant, LDR4, sheds Ursnif’s banking trojan functionalities and instead serves as a generic backdoor, with heavy simplifications to its code, which is solely focused on getting a remote shell into compromised machines.
“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape,” said Sandor Nemes, Sulian Lebegue and Jessa Valdez, researchers with Mandiant, in a Wednesday analysis. “Mandiant believes that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely.”
The new variant was first seen in malicious emails that had lures related to recruitment or accounting software. The email contained a link to a compromised website, which redirected to a domain that purported to be that of a legitimate company, and presented the target with a CAPTCHA that finally prompted the download of an Excel document. This document downloaded and executed the LDR4 payload.
LDR4 sheds several features used by previous Ursnif variants, such as the FJ.exe steganography tool used to hide files in a single payload. The newest variant also no longer uses the custom PX executable format that was utilized by the RM3 variant, instead relying on the PE format. Researchers said part of this decision by developers may have been because the PX format is now typically detected by various AV and EDR products.
Also, “we believe this choice was made to avoid overcomplicating the troubleshooting of software issues,” said researchers. “From a developer’s point of view… refocusing into more important pipelines of requested features are crucial for your reputation.”
LDR4 also includes several other tweaks, such as the incorporation of obfuscation (which historically was not utilized by Ursnif) for its Windows API calls, as well as a complete reworking of its configuration storage that includes a new data structure for storing joined files. However, the most obvious change is that the traditional banking features and modules of Ursnif have been totally dropped, said researchers. LDR4's set of commands now includes the ability to load DLL modules into the current process, start and stop cmd.exe reverse shells, run arbitrary commands and terminate processes.
The complete reworking of Ursnif’s latest variant follows in the footsteps of other malware families like Emotet and Trickbot that have shed their banking fraud functionalities and focused on new strategies. The widespread changes in the malware’s TTPs also come on the heels of a decline in Ursnif’s RM3 variant starting in 2020.
“These shifts may reflect the threat actors’ increased focus towards participating in or enabling ransomware operations in the future,” said Mandiant researchers.