Ursnif ‘Milestone’ Variant Removes Banking Trojan Features

The Ursnif malware has been completely revamped into a new variant which researchers say was designed to enable ransomware or data extortion operations.

Ursnif, also known as Gozi, is one of the most widespread banking trojans, with the ability to log keystrokes, exfiltrate data, and keep tabs on network and web activity. After the malware source code was leaked years ago, a number of malware variants have emerged, including DreamBot, IAP, RM2 and the most sophisticated variant to date, RM3. But in June, Mandiant researchers discovered a new variant of the malware that they say “marks an important milestone for the tool.” The new variant, LDR4, removes functionality from the Ursnif banking Trojan and instead serves as a generic backdoor, with heavy simplifications to its code, which focuses only on introducing a remote shell into compromised machines.

“This is a significant shift from the malware’s original purpose of enabling bank fraud, but is consistent with the broader threat landscape,” said Sandor Nemes, Sulian Lebegue, and Jessa Valdez, researchers at Mandiant, in a Wednesday analysis. “Mandiant believes that the same threat actors who exploited the RM3 variant of URSNIF are likely behind LDR4. Given the success and sophistication that RM3 had before, LDR4 could be a very dangerous ransomware-distributing variant that should be watched closely.”

The new variant was first seen in malicious emails containing decoys linked to recruitment or accounting software. The email contained a link to a compromised website, which redirected to a domain believed to be that of a legitimate company, and presented the target with a CAPTCHA that ultimately prompted an Excel document to be downloaded. This document downloaded and executed the LDR4 payload.

LDR4 removes several features used by previous variants of Ursnif, such as the FJ.exe steganography tool used to hide files in a single payload. The newer variant also no longer uses the custom PX executable format that was used by the RM3 variant, instead relying on the PE format. The researchers said that part of this decision by the developers may have been due to the fact that the PX format is now commonly detected by various AV and EDR products.

Additionally, “we believe this choice was made to avoid over-complicating the troubleshooting of software issues,” the researchers said. “From a developer’s perspective…refocusing on larger pipelines of requested features is crucial to your reputation.”

LDR4 also includes several other tweaks, such as incorporating obfuscation (which was historically not used by Ursnif) for its Windows API calls, as well as a complete overhaul of its configuration storage, which includes a new data structure for storing attached files. However, the most obvious change is that Ursnif’s traditional banking features and modules have been dropped altogether, the researchers said. LDR4’s command set now includes the ability to load DLL modules into running processes, start and stop cmd.exe reverse shells, execute arbitrary commands, and terminate processes.

The complete overhaul of the latest variant of Ursnif follows in the footsteps of other malware families like Emotet and Trickbot which ditched their bank fraud features and focused on new strategies. The widespread changes to the malware’s TTPs also follow a decline of the RM3 variant of Ursnif from 2020.

“These changes may reflect threat actors’ increased emphasis on participating in or enabling ransomware operations in the future,” the Mandiant researchers said.