Tuesday, June 6, 2023
HomeCyber SecurityUrsnif malware switches from checking account theft to preliminary entry

Ursnif malware switches from checking account theft to preliminary entry

Ursnif malware switches from bank account theft to initial access

A brand new model of the Ursnif malware (a.ok.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan performance.

This variation might point out that the operators of the brand new model are specializing in distributing ransomware.

Codenamed “LDR4,” the brand new variant was noticed on June 23, 2022, by researchers at incident response firm Mandiant, who consider that it is being distributed by the identical actors that maintained the RM3 model of the malware over the previous years.

Various Ursnif variants appearing over the years
Varied Ursnif variants showing over time (Mandiant)

New Ursnif marketing campaign

The Ursnif LDR4 variant is delivered through faux job provide emails containing a hyperlink to an internet site that impersonates a reliable firm.

The tactic of posing as a job recruiters just isn’t new for the Ursnif gang, who has has used this technique earlier than.

Guests of the malicious website are requested to unravel a CAPTCHA problem to obtain an Excel doc with macro code that fetches the malware payload from a distant useful resource.

Malicious Excel document used in the current campaign
The malicious Excel doc used within the present marketing campaign (Mandiant)

The LDR4 variant is available in DLL kind (“loader.dll”) and is packed by transportable executable crypters and signed with legitimate certificates. This helps it evade detection from safety instruments on the system.

Mandiant’s analysts dissecting LDR4 observed that every one banking options have been faraway from the brand new Ursnif variant and its code has been cleaned and simplified.

Backdoor period

Upon execution, the brand new Ursnif collects system service information from the Home windows registry and generate a consumer and a system ID.

Subsequent, it connects to the command and management server utilizing an RSA key out there within the configuration file. Then it makes an attempt to retrieve a listing of instructions to execute on the host.

Heartbeat sent by Ursnif to the C2 server
POST request despatched by Ursnif to the C2 server (Mandiant)

The instructions supported by the LDR4 variant are the next:

  • Load a DLL module into the present course of
  • Retrieve the state of the cmd.exe reverse shell
  • Begin the cmd.exe reverse shell
  • Cease the cmd.exe reverse shell
  • Restart the cmd.exe reverse shell
  • Run an arbitrary command
  • Terminate

The built-in command shell system that makes use of a distant IP tackle to ascertain a reverse shell isn’t new, however now it’s embedded into the malware binary as a substitute of utilizing an extra module, as did the earlier variants.

The plugin system has additionally been eradicated, because the command to load a DLL module into the present course of can lengthen the malware’s capabilities as wanted.

One instance seen by Mandiant is the VNC (digital community computing) module (“vnc64_1.dll”), which supplies LDR4 the flexibility to carry out “hands-on” assaults on compromised techniques.

With the most recent model, Ursnif LDR4 operators seem to have improved the code for a extra particular job, that of an preliminary compromise software that opens the door for different malware.

Mandiant notes that ransomware operations is probably going the course the builders are heading to, as researchers recognized on an underground hacker group a menace actor searching for companions to distribute ransomware and the RM3 model of Ursnif.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments