New Variant of Ursnif Malware Shifts Focus from Bank Account Theft to Initial Access
The New Version Boasts New Features and Cleaner Code.
Last updated on October 21, 2022
A new version of the Ursnif malware (a.k.a. Gozi) has surfaced. This new version presents as a generic backdoor: its typical banking trojan functionality has been stripped out. The change may indicate that the operators of this version are shifting their focus and intend to use the malware to distribute ransomware.
New Ursnif Campaign Spotted
Dubbed “LDR4”, this new variant is delivered through fake job offers sent to targets’ email addresses. The email contains a link to a website that impersonates a legitimate company. On reaching the website, victims are required to solve a CAPTCHA challenge in order to download an Excel file. The file contains macro code that fetches the malware payload from a remote resource onto the victim’s system.
As reported by BleepingComputer, the new Ursnif variant comes in the form of a DLL called “loader.dll”. The DLL is packed with portable executable crypters and is signed with valid certificates, which makes it harder for the system’s security tools to detect. Security researchers analyzing the malware observed that the chief difference from the previous version is that all of its banking features have been removed. Ursnif’s code has also been cleaned up and simplified.
How the New Ursnif Works
When the new Ursnif is executed, it generates a user ID and a system ID by retrieving information about system services from the Windows registry. It then uses an RSA key found in its configuration file to establish a connection with the command and control server, and retrieves a list of commands to run on the host.
LDR4 now boasts the following commands:
Load a DLL module into the current process
Retrieve the state of the cmd.exe reverse shell
Start, restart, and stop the cmd.exe reverse shell
Run arbitrary code
Not all of these features are new; some were already implemented in previous Ursnif versions. With the addition of DLL module loading, the plugin system has been dropped as no longer necessary. Another update noted by security researchers is the VNC (virtual network computing) module, which gives LDR4 the ability to perform hands-on attacks on the systems it breaches.
Ursnif operators also appear to have improved the malware’s code, allowing it to perform more specific tasks. Such changes have led security researchers to believe that the operators of the malware might shift their focus toward ransomware.
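As an added defensive illustration (not part of the original article or of any vendor tooling), the script below replays constructed endpoint telemetry and flags two behaviours the article describes: an Office-spawned process chain loading a DLL named loader.dll (the macro delivery step), and cmd.exe itself opening an outbound connection (the cmd.exe reverse shell). The event field names, process IDs, paths and addresses are all assumptions constructed for the example.

```python
# Constructed telemetry in a simplified Sysmon-like shape; the field names are an
# assumption for this example, not a real product schema.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 300, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"event": "process_create", "pid": 400, "ppid": 300, "image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE"},
    {"event": "process_create", "pid": 410, "ppid": 400, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\stage.exe"},
    {"event": "image_load", "pid": 410, "image_loaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.dll"},
    {"event": "process_create", "pid": 420, "ppid": 410, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"event": "network_connect", "pid": 420, "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign noise: an administrator's cmd.exe reaching an internal file server.
    {"event": "process_create", "pid": 500, "ppid": 300, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"event": "network_connect", "pid": 500, "dest_ip": "10.0.0.5", "dest_port": 445},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PRIVATE_PREFIXES = ("10.", "192.168.", "172.16.", "127.")  # coarse internal-range filter


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Replay events in order; return (rule_name, pid) hits in the order they fire."""
    parent, image, hits = {}, {}, []

    def office_lineage(pid):
        # True if pid itself or any recorded ancestor is an Office application.
        seen = set()
        while pid in image and pid not in seen:
            if image[pid] in OFFICE_APPS:
                return True
            seen.add(pid)
            pid = parent[pid]
        return False

    for ev in events:
        if ev["event"] == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = basename(ev["image"])
        elif ev["event"] == "image_load":
            # Macro-driven delivery: something under an Office process loads loader.dll.
            if office_lineage(ev["pid"]) and basename(ev["image_loaded"]) == "loader.dll":
                hits.append(("office_lineage_loads_loader_dll", ev["pid"]))
        elif ev["event"] == "network_connect":
            # Reverse-shell behaviour: cmd.exe itself connecting to a non-internal address.
            if image.get(ev["pid"]) == "cmd.exe" and not ev["dest_ip"].startswith(PRIVATE_PREFIXES):
                hits.append(("cmd_exe_outbound_connection", ev["pid"]))
    return hits
```

Run `detect(SAMPLE_EVENTS)` to see the two hits; the internal cmd.exe connection (pid 500) is deliberately left unflagged.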
Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his ability to communicate cybersecurity norms effectively and in an easy-to-understand manner.