Jump to content
  • Ursnif malware switches from bank account theft to initial access

    alf9872000

    • 400 views
    • 3 minutes
     Share


    • 400 views
    • 3 minutes

     

    A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality.

     

    This change could indicate that the operators of the new version are focusing on distributing ransomware.

     

    Codenamed “LDR4,” the new variant was spotted on June 23, 2022, by researchers at incident response company Mandiant, who believe that it's being distributed by the same actors that maintained the RM3 version of the malware over the past years.

     

    ursnif-variants(1).png
    Various Ursnif variants appearing over the years (Mandiant)

    New Ursnif campaign

    The Ursnif LDR4 variant is delivered via fake job offer emails containing a link to a website that impersonates a legitimate company.

     

    The tactic of posing as a job recruiters is not new for the Ursnif gang, who has has used this strategy before.

     

    Visitors of the malicious site are requested to solve a CAPTCHA challenge to download an Excel document with macro code that fetches the malware payload from a remote resource.

     

    excel(1).png

    The malicious Excel document used in the current campaign (Mandiant)

     

    The LDR4 variant comes in DLL form (“loader.dll”) and is packed by portable executable crypters and signed with valid certificates. This helps it evade detection from security tools on the system.

     

    Mandiant’s analysts dissecting LDR4 noticed that all banking features have been removed from the new Ursnif variant and its code has been cleaned and simplified.

     

    Backdoor era

     

    Upon execution, the new Ursnif collects system service data from the Windows registry and generate a user and a system ID.

     

    Next, it connects to the command and control server using an RSA key available in the configuration file. Then it attempts to retrieve a list of commands to execute on the host.

     

    Heartbeat sent by Ursnif to the C2 server

    POST request sent by Ursnif to the C2 server (Mandiant)

     

    The commands supported by the LDR4 variant are the following:

    • Load a DLL module into the current process
    • Retrieve the state of the cmd.exe reverse shell
    • Start the cmd.exe reverse shell
    • Stop the cmd.exe reverse shell
    • Restart the cmd.exe reverse shell
    • Run an arbitrary command
    • Terminate

     

    The built-in command shell system that uses a remote IP address to establish a reverse shell isn’t new, but now it is embedded into the malware binary instead of using an additional module, as did the previous variants.

     

    The plugin system has also been eliminated, as the command to load a DLL module into the current process can extend the malware’s capabilities as needed.

     

    One example seen by Mandiant is the VNC (virtual network computing) module (“vnc64_1.dll”), which gives LDR4 the ability to perform “hands-on” attacks on compromised systems.

     

    With the latest version, Ursnif LDR4 operators appear to have improved the code for a more specific task, that of an initial compromise tool that opens the door for other malware.

     

    Mandiant notes that ransomware operations is likely the direction the developers are heading to, as researchers identified on an underground hacker community a threat actor looking for partners to distribute ransomware and the RM3 version of Ursnif.

     

    Source

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...