
Ursnif malware switches from bank account theft to initial access



A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality.

This change could indicate that the operators of the new version are focusing on distributing ransomware.

Codenamed “LDR4,” the new variant was spotted on June 23, 2022, by researchers at incident response company Mandiant, who believe that it’s being distributed by the same actors that maintained the RM3 version of the malware over the past years.

Various Ursnif variants appearing over the years (Mandiant)

New Ursnif campaign

The Ursnif LDR4 variant is delivered via fake job offer emails containing a link to a website that impersonates a legitimate company.

The tactic of posing as job recruiters is not new for the Ursnif gang, which has used this strategy before.

Visitors to the malicious site are asked to solve a CAPTCHA challenge before downloading an Excel document whose macro code fetches the malware payload from a remote resource.

The malicious Excel document used in the current campaign (Mandiant)

The LDR4 variant comes in DLL form (“loader.dll”) and is packed by portable executable crypters and signed with valid certificates. This helps it evade detection from security tools on the system.

Mandiant’s analysts dissecting LDR4 noticed that all banking features have been removed from the new Ursnif variant and its code has been cleaned and simplified.

Backdoor era

Upon execution, the new Ursnif collects system service data from the Windows registry and generates a user ID and a system ID.

Next, it connects to the command and control server using an RSA key available in the configuration file. Then it attempts to retrieve a list of commands to execute on the host.

POST request sent by Ursnif to the C2 server (Mandiant)

The commands supported by the LDR4 variant are the following:

Load a DLL module into the current process
Retrieve the state of the cmd.exe reverse shell
Start the cmd.exe reverse shell
Stop the cmd.exe reverse shell
Restart the cmd.exe reverse shell
Run an arbitrary command

The built-in command shell system that uses a remote IP address to establish a reverse shell isn’t new, but it is now embedded in the malware binary instead of being delivered as an additional module, as the previous variants did.

The plugin system has also been eliminated, as the command to load a DLL module into the current process can extend the malware’s capabilities as needed.

One example seen by Mandiant is the VNC (virtual network computing) module (“vnc64_1.dll”), which gives LDR4 the ability to perform “hands-on” attacks on compromised systems.
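The two capabilities described above, a cmd.exe reverse shell started by the loader and extra DLL modules loaded into the running process, both leave host telemetry a defender can key on. The following is an added example, not code from Mandiant or from the article, showing a minimal detection pass over process-creation and image-load events. The event field names are modelled loosely on Sysmon Event ID 1 and Event ID 7, the sample events are constructed for this example, and the use of rundll32.exe as the process hosting the loader DLL is an assumption (the article does not say how “loader.dll” is invoked).

```python
"""Toy detection pass for two LDR4-style behaviours described in the article:
a cmd.exe reverse shell spawned by the loader's host process, and DLL modules
(e.g. the VNC module) loaded from user-writable paths.

Assumption: events are dicts with Sysmon-like field names. Sample events are
constructed here and are not real telemetry.
"""
from __future__ import annotations

import ntpath

# Parents from which an interactive cmd.exe is normally expected. Assumed
# allow-list; tune it to the environment.
EXPECTED_CMD_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe",
    "services.exe", "conhost.exe",
}

# Directories where a legitimately installed module is expected to live.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_create(ev: dict) -> str | None:
    """Flag cmd.exe started by a parent that is not on the allow-list.
    The built-in reverse shell is a cmd.exe child of whatever hosts the loader."""
    if _basename(ev["Image"]) != "cmd.exe":
        return None
    parent = _basename(ev["ParentImage"])
    if parent in EXPECTED_CMD_PARENTS:
        return None
    return f"cmd.exe spawned by unexpected parent {parent} (pid {ev['ParentProcessId']})"


def check_image_load(ev: dict) -> str | None:
    """Flag a DLL loaded from outside the trusted program directories."""
    loaded = ev["ImageLoaded"].lower()
    if loaded.startswith(TRUSTED_DLL_DIRS):
        return None
    return f"{_basename(ev['Image'])} loaded {_basename(loaded)} from untrusted path {loaded}"


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Return (timestamp, finding) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            finding = check_process_create(ev)
        elif ev["EventID"] == 7:
            finding = check_image_load(ev)
        else:
            finding = None
        if finding:
            findings.append((ev["UtcTime"], finding))
    return findings


# Constructed sample events (not real logs). rundll32.exe as the loader host
# is an assumption made for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-06-23 10:00:01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1234},
    {"EventID": 7, "UtcTime": "2022-06-23 10:00:02", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\loader.dll"},
    {"EventID": 1, "UtcTime": "2022-06-23 10:00:05", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\rundll32.exe", "ParentProcessId": 4321},
    {"EventID": 7, "UtcTime": "2022-06-23 10:00:06", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 7, "UtcTime": "2022-06-23 10:01:30", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\vnc64_1.dll"},
]


if __name__ == "__main__":
    for when, what in scan(SAMPLE_EVENTS):
        print(when, what)
```

Two caveats follow from the article itself. Because the loader is packed and signed with valid certificates, a signature-based allow-list alone will not separate it from legitimate software, which is why the example keys on behaviour (parent process and load path) rather than on the binary. Conversely, both heuristics produce false positives in environments where per-user installers drop DLLs under the profile directory or where automation legitimately launches cmd.exe, so the allow-lists above must be tuned before use.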

With the latest version, Ursnif LDR4 operators appear to have improved the code for a more specific task, that of an initial compromise tool that opens the door for other malware.

Mandiant notes that ransomware operations are likely the direction the developers are heading, as researchers identified on an underground hacker community a threat actor looking for partners to distribute ransomware and the RM3 version of Ursnif.
