Ursnif malware variant alters its focus to data theft and ransomware

The new version of the banking malware now focuses on initial access and data-stealing methods, as well as supporting ransomware deployment

Ursnif's new versions are altered from the original: the banking trojan code has been stripped out, and the malware is now used for initial access.

Ursnif is malware that has become a significant threat in the cyber infection world. The threat recently shed its roots as a banking trojan, and its developers released new versions.[1] The newest variant is revamped and is now a generic backdoor trojan that can deliver next-stage payloads like ransomware.[2] In that respect it is now more similar to the known Emotet, Qakbot, and TrickBot malware.[3]

Ursnif, also known as Gozi malware, first appeared as a backdoor and then evolved into a dedicated banking trojan. This recent alteration, which turns the trojan into a vector for other payloads, might mean that its developers want to shift their focus to ransomware deployment. It is common for file lockers and cryptocurrency extortion-based threats to use other malware for distribution.

The new variant was spotted by the Google-owned threat intelligence firm in June. Experts believe[4] that the threat actor group operating this version is the same as before. According to them, there are now various possibilities for the malware's campaigns:

This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape

New Ursnif malware with major goals

The Ursnif LDR4 variant can be spread using email campaigns: fake job offer messages containing links to websites impersonating legitimate company pages. This way, threat actors pose as job recruiters and spread the malware once unsuspecting users visit the links. This is a common method previously used by the same malware.

Once the malicious site is visited, a prompt that looks like a CAPTCHA verification challenge appears on the screen. Then an Excel document gets downloaded. This is where malicious macros[5] are hidden, and the malware payload is fetched from a remote server this way.

This newest variant comes with a DLL file acting as a loader, which helps it evade detection by AV and security tools. This is how the malware maintains persistence on the system while being less likely to be flagged as malicious or even potentially dangerous.

Banking trojan features and capabilities removed from the malware

Detailed analysis of this infection variant shows that the LDR4 version of the known Ursnif malware no longer has any banking-malware functions. The code has been simplified and cleaned of the capabilities that made the banking trojan a significant threat.

Now this trojan is coded to steal system service data from the Windows registry and generate user and system identification keys. Then a connection to the C&C server can be initiated using RSA keys available in the configuration file. Commands can then be received from the host and executed on the infected machine.

The infection's latest attack shows a complete refurbishment of the known Ursnif malware. It uses other familiar methods, like a built-in command shell that uses a remote IP address to establish a reverse shell. This is not new, but in the recent variant this function is embedded in the malware binary rather than delivered as an additional module.
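The behaviours described above (an Office macro fetching a payload from a remote server, a DLL loader started from Excel, and a command shell opened by a process that already has a network connection) can be turned into simple telemetry rules. The following is an added detection example written for this article; it is not code from the article, from the researchers it cites, or from any vendor. The event layout is a loose Sysmon-style model, the process allowlists (Office binaries, rundll32/regsvr32 as DLL hosts, cmd/powershell as shells, user-writable paths) are assumptions to tune per environment, and every pid, path and IP address in the sample events is constructed.

```python
"""Added detection example: run behavioural rules over constructed Sysmon-style
telemetry to flag the infection chain the article attributes to Ursnif LDR4.
Event layout, allowlists and all sample values are assumptions, not from the article."""

from dataclasses import dataclass
from typing import List, Set

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumption: LOLBins commonly used to host a DLL loader; tune to your environment.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: DLLs loaded from these user-writable roots are treated as suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class Event:
    kind: str               # "process_create" | "network_connect" | "image_load"
    pid: int
    image: str              # full path of the process the event belongs to
    parent_pid: int = 0
    parent_image: str = ""
    dest_ip: str = ""       # network_connect only
    loaded_image: str = ""  # image_load only


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Alert]:
    """Apply four rules in event order and return every alert that fired."""
    alerts: List[Alert] = []
    pids_with_network: Set[int] = set()  # processes seen making an outbound connection

    for ev in events:
        name = basename(ev.image)
        if ev.kind == "process_create":
            parent = basename(ev.parent_image)
            # Rule 1: Office spawning a DLL host or shell (macro handing off to a loader).
            if parent in OFFICE_PROCESSES and name in (DLL_HOSTS | SHELLS):
                alerts.append(Alert("office_spawns_loader", ev.pid, f"{parent} -> {name}"))
            # Rule 4: shell started by a process that already talked to the network
            # (the reverse-shell behaviour the article says is built into the binary).
            elif name in SHELLS and ev.parent_pid in pids_with_network:
                alerts.append(Alert("shell_from_network_process", ev.pid,
                                    f"{parent} (pid {ev.parent_pid}) -> {name}"))
        elif ev.kind == "network_connect":
            pids_with_network.add(ev.pid)
            # Rule 2: the Office process itself connecting out (macro fetching a payload).
            if name in OFFICE_PROCESSES:
                alerts.append(Alert("office_outbound_connection", ev.pid, f"{name} -> {ev.dest_ip}"))
        elif ev.kind == "image_load":
            # Rule 3: a DLL host loading a module from a user-writable location.
            loaded = ev.loaded_image.replace("/", "\\").lower()
            if name in DLL_HOSTS and loaded.startswith(USER_WRITABLE_PREFIXES):
                alerts.append(Alert("dll_loaded_from_user_path", ev.pid, f"{name} loaded {ev.loaded_image}"))
    return alerts


# Constructed telemetry: pids, paths and the 203.0.113.0/24 documentation address are made up.
SAMPLE_EVENTS = [
    Event("process_create", 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", 1, r"C:\Windows\explorer.exe"),
    Event("network_connect", 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE", dest_ip="203.0.113.10"),
    Event("process_create", 200, r"C:\Windows\System32\rundll32.exe", 100, r"C:\Program Files\Microsoft Office\EXCEL.EXE"),
    Event("image_load", 200, r"C:\Windows\System32\rundll32.exe", loaded_image=r"C:\Users\alice\AppData\Local\Temp\loader.dll"),
    Event("network_connect", 200, r"C:\Windows\System32\rundll32.exe", dest_ip="203.0.113.10"),
    Event("process_create", 300, r"C:\Windows\System32\cmd.exe", 200, r"C:\Windows\System32\rundll32.exe"),
    # Benign noise that must not fire.
    Event("process_create", 400, r"C:\Windows\System32\notepad.exe", 1, r"C:\Windows\explorer.exe"),
    Event("image_load", 500, r"C:\Windows\System32\svchost.exe", loaded_image=r"C:\Windows\System32\ntdll.dll"),
]


def rules_fired(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Ordered names of the rules that fired, for tests and quick inspection."""
    return [a.rule for a in detect(events)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid={alert.pid} {alert.detail}")
```

On the sample data all four rules fire in sequence, and the benign notepad and svchost events stay silent. Rule 4 keys on the parent's earlier network activity rather than on the shell's own connections, because in a reverse shell the socket usually belongs to the loader process and the shell only inherits its standard handles.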

The recent improvements also include more advanced code for specific tasks, such as an initial compromise tool that opens the door for other malware. The focus might be ransomware, because it lets cybercriminals make money from victims directly and quickly, without the additional transactions that banking account hijacking requires.

About the author

Jake Doevan is a computer technology expert and one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College with a degree in Communication and Journalism.
