article featured image


A new version of the Ursnif malware (a.k.a. Gozi) has surfaced. Initially emerging as a generic backdoor, this new version has been stripped of its typical banking trojan functionality. This change might indicate that the operators of this new version might change their focus and use the malware to distribute ransomware.

New Ursnif Campaign Spotted

Dubbed “LDR4”, this new variant is delivered via fake job offers on the clients’ email addresses. The email contains a link to a website that impersonates a legitimate company. When reaching the websites, the victims are required to solve a CAPTCHA challenge in order to download an Excel file. The file contains a macro code that fetches the malware payload from a remote resource into the victims’ system.

As reported by BleepingComputer, the new Ursnif variant comes in the form of a DLL called “loader.dll”. The DLL contains portable executable crypters and is signed with valid certificates, making it easier for it to escape from being detected by the systems’ security tools. Security researchers analyzing the malware observed that what is different from the last version is the fact that all of its banking features have been removed. Ursnif’s code has also been cleaned and simplified.

How the New Ursnif Works

When the new Ursnif is executed, it generates a user ID and a system ID by retrieving information about system services from the Windows registry. It then utilizes an RSA key found in the configuration file to establish a connection with the command and control server. Then it locates a list of commands to run on the host.

LDR4 now boasts the following commands:

  • Load a DLL module into the current process
  • Retrieve the state of the cmd.exe reverse shell
  • Start, restart, and stop the cmd.exe reverse shell
  • Run arbitrary code
  • Terminate

Not all the features are new, some have been implemented in previous Ursnif versions as well. With the implementation of the DLL module, the plugin system has been eliminated as it was not necessary anymore. Another update seen by security researchers is the implementation of the VNC (virtual network computing) module, which gives LDR4 the ability to perform hands-on attacks on the system it breaches.

Ursnif operators also appeared to have made improvements to the code of the malware, now allowing it to do more specific tasks. Such changes have determined security researchers to believe that the operators of the malware might shift their focus toward ransomware.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.