What’s Old (Ursnif), is New Again (Gozi)

One of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan described as "significantly dangerous" and likely to be used for ransomware attacks.  The new variant of Ursnif malware, also known as Gozi, has been detailed by researchers who suggest it has been purposefully built to power ransomware and data-theft attacks; it gets onto users’ computers via malicious Microsoft Office documents that require macros to be enabled.

Designed to steal bank details, the first incarnation of malware appeared in 2006 and caused millions of dollars in losses. The FBI described it as "one of the most financially destructive computer viruses in history."  Since then, the original source code has leaked, spawning several new variants that still plague victims today.

These versions of Ursnif have kept the original malware's goal of stealing bank details.  But according to cyber investigators, that has changed with a new variant named LDR4, which repurposes Ursnif into a backdoor in the style of Trickbot and Emotet.

See:  https://redskyalliance.org/xindustry/trickbot-malware-is-tricky-having-new-devious-versions

See:  https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet

Attackers using the malware could steal data or use the backdoor to install ransomware, something that could cause much wider and more severe damage than stealing bank details and provide attackers with a much larger payday.

LDR4 could be a significantly dangerous variant capable of distributing ransomware and should be watched closely.  The new variant was first seen in June this year and is distributed, like previous Ursnif campaigns and many other malware attacks, via phishing emails.  The LDR4 variant appears as a DLL module on the infected computer, invoked via the DllRegisterServer function.  In addition, other randomly named decoy functions are often exported to confuse sandboxes.  Some of the binaries were using valid code-signing certificates.
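A defender-side triage heuristic for the export pattern described above (a DLL that exports DllRegisterServer alongside randomly named decoy exports), written here as an added example rather than code from Red Sky Alliance or the researchers. It assumes the export names have already been pulled from the PE's export table by a separate parser, and the two sample export lists are constructed for illustration.

```python
# Standard COM self-registration exports that normally accompany DllRegisterServer.
COM_EXPORTS = {"DllRegisterServer", "DllUnregisterServer",
               "DllGetClassObject", "DllCanUnloadNow", "DllInstall"}

VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic: real export names are CamelCase English words, so a name with
    almost no vowels or a long consonant run is likely generated noise."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:          # too short to judge
        return False
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.2 or longest >= 5


def triage_exports(exports):
    """Score a DLL's export-name list; returns (score, reasons)."""
    names = set(exports)
    reasons = []
    if "DllRegisterServer" in names:
        reasons.append("exports DllRegisterServer")
        # A genuine COM server also exposes the object-creation exports.
        if not {"DllGetClassObject", "DllCanUnloadNow"} & names:
            reasons.append("no COM object exports alongside DllRegisterServer")
    decoys = sorted(n for n in names - COM_EXPORTS if looks_random(n))
    if decoys:
        reasons.append(f"{len(decoys)} random-looking export(s): {decoys}")
    return len(reasons), reasons


def is_suspicious(exports) -> bool:
    """Two or more hits is the review threshold used here (an assumption)."""
    return triage_exports(exports)[0] >= 2


# Constructed sample export lists (not real samples).
BENIGN_COM_DLL = ["DllRegisterServer", "DllUnregisterServer",
                  "DllGetClassObject", "DllCanUnloadNow"]
SUSPECT_DLL = ["DllRegisterServer", "Xkqzvrtbnp", "Ebvkqpdxrz", "Qwpzlmkhgt"]

if __name__ == "__main__":
    for label, exp in (("benign", BENIGN_COM_DLL), ("suspect", SUSPECT_DLL)):
        print(label, triage_exports(exp))
```

Treat the output as a triage hint to prioritise sandbox or analyst review, not as a verdict on its own.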

Some of these phishing emails claim to be from a recruiter with an offer of a new opportunity.  The messages claim that, because of the General Data Protection Regulation (GDPR), they cannot give out information by email, so the victim is urged to download a document to find out more.  Others are distributed in messages claiming to contain an invoice that must be looked at urgently.  If a user follows the instructions in the phishing email, it will result in the Ursnif payload being downloaded, which provides attackers with remote access to the machine.

This is a significant shift from the malware's original purpose of enabling banking fraud, but it is consistent with the broader threat landscape, researchers said.  While this latest version of Ursnif is potentially dangerous malware, falling victim to it is avoidable.  As it arrives via phishing emails, organizations should do their best to ensure that protections are in place to identify and block malicious spam.  They should also inform users of the risks of phishing emails and keep them updated on the types of subjects used to lure victims.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings
