A brand new model of the Ursnif malware (a.ok.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan performance.
This change might point out that the operators of the brand new model are specializing in distributing ransomware.
Codenamed “LDR4,” the brand new variant was noticed on June 23, 2022, by researchers at incident response firm Mandiant, who consider that it is being distributed by the identical actors that maintained the RM3 model of the malware over the previous years.
New Ursnif marketing campaign
The Ursnif LDR4 variant is delivered by way of pretend job supply emails containing a hyperlink to a web site that impersonates a reliable firm.
The tactic of posing as a job recruiters isn’t new for the Ursnif gang, who has has used this technique earlier than.
Visitors of the malicious web site are requested to unravel a CAPTCHA problem to obtain an Excel doc with macro code that fetches the malware payload from a distant useful resource.
The LDR4 variant is available in DLL type (“loader.dll”) and is packed by moveable executable crypters and signed with legitimate certificates. This helps it evade detection from safety instruments on the system.
Mandiant’s analysts dissecting LDR4 seen that every one banking options have been faraway from the brand new Ursnif variant and its code has been cleaned and simplified.
Backdoor period
Upon execution, the brand new Ursnif collects system service information from the Windows registry and generate a person and a system ID.
Next, it connects to the command and management server utilizing an RSA key out there within the configuration file. Then it makes an attempt to retrieve a listing of instructions to execute on the host.
The instructions supported by the LDR4 variant are the next:
- Load a DLL module into the present course of
- Retrieve the state of the cmd.exe reverse shell
- Start the cmd.exe reverse shell
- Stop the cmd.exe reverse shell
- Restart the cmd.exe reverse shell
- Run an arbitrary command
- Terminate
The built-in command shell system that makes use of a distant IP tackle to ascertain a reverse shell isn’t new, however now it’s embedded into the malware binary as an alternative of utilizing an extra module, as did the earlier variants.
The plugin system has additionally been eradicated, because the command to load a DLL module into the present course of can lengthen the malware’s capabilities as wanted.
One instance seen by Mandiant is the VNC (digital community computing) module (“vnc64_1.dll”), which provides LDR4 the flexibility to carry out “hands-on” assaults on compromised techniques.
With the newest model, Ursnif LDR4 operators seem to have improved the code for a extra particular job, that of an preliminary compromise instrument that opens the door for different malware.
Mandiant notes that ransomware operations is probably going the course the builders are heading to, as researchers recognized on an underground hacker neighborhood a risk actor searching for companions to distribute ransomware and the RM3 model of Ursnif.