Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot.

“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape,” Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez disclosed in a Wednesday analysis.

The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what’s being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations.

Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with the earliest documented attacks going as far back as 2007. Check Point, in August 2020, mapped the “divergent evolution of Gozi” over the years, while pointing out its fragmented development history.

Almost a year later in late June 2021, a Romanian threat actor, Mihai Ionut Paunescu, was arrested by Colombian law enforcement officials for his role in propagating the malware to no fewer than a million computers from 2007 to 2012.

The latest attack chain detailed by Mandiant demonstrates the use of recruitment and invoice-related email lures as an initial intrusion vector to download a Microsoft Excel document, which then fetches and launches the malware.

The major refurbishment of Ursnif eschews all its banking-related features and modules in favor of retrieving a VNC module and gaining a remote shell into the compromised machine, which are carried out by connecting to a remote server to obtain said commands.

“These shifts may reflect the threat actors’ increased focus towards participating in or enabling ransomware operations in the future,” the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari, the renowned Italian luxury car manufacturer, suffered a cyber incident that compromised the company’s client data. According to a…
ChatGPT Bug Exposes Conversation History Titles

ChatGPT Bug Exposes Conversation History Titles

A ChatGPT user on Reddit first reported the bug after noticing Chinese language characters in the title of their conversation…
Breach Forums to Remain Offline Permanently

Breach Forums to Remain Offline Permanently

The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum…