Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor

And one designed to slip ransomware and data-stealing code onto infected machines


URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims' Windows PCs, is evolving to support extortionware.

As one of the oldest banking trojans – dating back to the mid-2000s – the software nasty has a number of variants and has been given a few monikers, including URSNIF, Gozi, and ISFB. It has crossed paths with other malware families, had its source code leaked twice since 2016 and, according to Mandiant, is now less a single malware family than a "set of related siblings."

It's also seen its alleged masterminds get hauled into US courts. The last of them was extradited this year from Colombia, where he fled after being released on bail following his arrest in Romania in 2012.

Whoever's still behind URSNIF is following the path worn by developers of other malware families, such as Emotet, TrickBot, and Qakbot, which shed their banking-info-stealing pasts to become backdoors on infected machines that can be used by miscreants to deliver ransomware and data-stealing payloads.

In a report this week, Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez wrote that a strain of URSNIF's RM3 version is no longer a banking trojan but a generic backdoor, similar to the short-lived Saigon variant.

This backdoor can be used to run ransomware, data exfiltration, and other horrible crap on compromised computers.

"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," the researchers wrote, adding that they believe "the same threat actors who operated the RM3 variant of URSNIF are likely behind [the] LDR4 [variant]. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant – capable of distributing ransomware – that should be watched closely."

Ransomware – and now data extortion, where attackers steal files from victims and threaten to leak them if money demanded isn't paid – is just everywhere now. Threat intelligence firm Intel 471 spotted more than 1,500 ransomware infections in the first three quarters of this year alone.

A ransomware attack can cost companies and their insurers millions of dollars, so it's not surprising that established cyber-crime crews would move in that direction. URSNIF, with its latest LDR4 variant, appears to be doing just that.

Mandiant first detected LDR4 in the wild on June 23 after analyzing a suspicious email that resembled the messages used by RM3 from a year earlier. In the email is a link to a malicious website that redirects the victim to a site made to look like a legitimate business, complete with a CAPTCHA challenge to download a Microsoft Excel document supposedly related to the email's contents. If the email is about a job offer, the document is said to have information regarding that.

Clicking on the document leads to the download and execution of the LDR4 payload, once the mark follows the given instructions to run macros within the file.
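The delivery chain described above ends with an Office macro launching the payload, which is a pattern defenders can catch in endpoint process-creation telemetry regardless of which loader is involved. The following is an added example, not code from Mandiant or The Register: it walks a set of process-creation records and flags script hosts and living-off-the-land binaries whose process ancestry leads back to an Office application within a few hops, so a macro that chains through cmd.exe before reaching the loader is still attributed to the document that started it. The `ProcEvent` schema, the image lists and every sample event (including the `stage2.dll,Run` command line) are constructed for illustration, not a vendor log format or real indicators.

```python
# Added example (not code from Mandiant or The Register): flag Office-spawned
# interpreters and loaders in process-creation telemetry. The event schema and
# all sample events below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, not a vendor format)."""
    pid: int
    ppid: int
    image: str     # full path of the newly created process
    cmdline: str


# Office hosts that should almost never launch an interpreter or loader directly.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Children that usually indicate macro abuse when an Office host is in their ancestry.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_ancestor(pid: int, by_pid: Dict[int, ProcEvent],
                         max_depth: int = 3) -> Optional[ProcEvent]:
    """Follow ppid links up to max_depth hops; return the first Office host found.

    The depth limit matters: macros commonly chain cmd.exe -> loader, so checking
    only the direct parent would attribute the final stage to cmd.exe, not Excel.
    """
    current = by_pid.get(pid)
    for _ in range(max_depth):
        if current is None:
            return None
        parent = by_pid.get(current.ppid)
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_HOSTS:
            return parent
        current = parent
    return None


def detect_macro_spawns(events: Iterable[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (office_host, child_image, child_cmdline) for every suspicious spawn."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for event in by_pid.values():
        if basename(event.image) not in SUSPICIOUS_CHILDREN:
            continue
        office = find_office_ancestor(event.pid, by_pid)
        if office is not None:
            hits.append((basename(office.image), basename(event.image), event.cmdline))
    return hits


# Constructed sample telemetry: an Excel document opened from Downloads runs a macro
# that spawns cmd.exe, which loads a DLL via rundll32 (placeholder DLL and export).
# The Word -> splwow64 and explorer -> powershell events are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" "C:\Users\alice\Downloads\job_offer.xls"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Run"),
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Run"),
    ProcEvent(500, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n'),
    ProcEvent(600, 500, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcEvent(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for host, child, cmdline in detect_macro_spawns(SAMPLE_EVENTS):
        print(f"ALERT {host} -> {child}: {cmdline}")
```

Run against the constructed events, the detector raises two alerts, both attributed to `excel.exe`: the direct `cmd.exe` child and the `rundll32.exe` grandchild. The Word print helper and the PowerShell session started from Explorer are left alone, which is the trade-off the ancestry walk is designed for: attribute the whole chain to the document without alerting on every Office or PowerShell launch.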

"One of the most noticeable things during the analysis was that the developers had simplified and cleaned up various parts of the code, compared to previous variants," the researchers wrote. "Most notably, its banking features were totally scrapped."

URSNIF, in its time as a banking malware, caused a lot of problems for financial services institutions and their customers. When Mihai Ionut Paunescu, a 37-year-old Romanian accused of creating URSNIF, was extradited to America, US law enforcement officials said the malware had infected more than a million Windows computers around the globe, including in the United States. They estimated that it caused tens of millions of dollars in losses to government agencies, organizations, and individuals.

PC users in such countries as Germany, Great Britain, Poland, Italy, and Turkey also were hit by the malware, which could log a victim's keystrokes and steal credentials to get into their online bank accounts.

However, in 2020, the RM3 variant began to struggle. Its distribution and backend infrastructure, particularly in Europe, collapsed, and it then failed to take advantage of the disruptions sustained by TrickBot and Emotet to increase its use.

"One of the greatest winners of this was the ICEDID malware family, which managed to leverage the shrinking competition on the banking malware landscape, putting RM3 into a difficult position," the Mandiant team wrote, adding it was unusual for URSNIF's ISFB variant – which spawned other variants, including RM3 – to stop getting updates after June 2020.

"Some researchers hypothesized that the only way for this banking malware to return was to do some major refurbishing of its code."

The final step in the fall of RM3 was Microsoft's removal of Internet Explorer from Windows in June. The variant relied on that browser for its network communication.

The Mandiant analysts called LDR4 a "mix of code refactoring, regressions and interesting simplification strategies." It no longer uses the custom PX executable format that first came with RM3, and a steganography tool called FJ.exe, which was used in ISFB to hide multiple files in a single payload, has either been removed or reworked.

Then there is the migration to the new strategy – away from banking fraud to being the backdoor for other malware.

"The demise of the RM3 variant earlier this year, and the authors' decisions to make heavy simplifications to their code, including the removal of all banking related features, point toward a drastic change in their previously observed TTPs [tactics, techniques, and procedures]," the team wrote.

"These shifts may reflect the threat actors' increased focus towards participating in or enabling ransomware operations in the future."

This was supported when Mandiant analysts saw a cybercriminal in underground communities this year looking for partners to distribute new ransomware and the RM3 variant, which is similar to LDR4. ®
