SOCRadar® Cyber Intelligence Inc. | Ursnif Malware Moving to Ransomware Operations from Bank Account Theft
Home

Resources

Blog
Oct 21, 2022
8 Mins Read

Ursnif Malware Moving to Ransomware Operations from Bank Account Theft

Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute ransomware

Mandiant researchers discovered Ursnif’s new variant, LDR4, in late June, and they reckon the same actors from the RM3 variant are behind its distribution. It was also discovered that all banking features were removed from the LDR4 variant of Ursnif, and its code has been simplified. 

The threat actors behind Ursnif make fake job proposals in emails to carry out the operations, which is their usual scheme. In a previous campaign, the gang impersonated Michael Page’s consultants. They offered executive positions to lure victims and deployed their infostealer malware. 

Initial Access and Operations of Ursnif

The LDR4 variant is spread via phishing emails containing a link to a website impersonating a legitimate company.

Upon visiting the malicious site, users are requested to complete a Captcha quiz to download an Excel document. A macro code in the Excel document is used to retrieve the malware payload named loader[.]dll from a remote resource. The DLL is signed with legitimate certificates to prevent detection and is packed by portable executable crypters. 

After execution, the new malware gathers system service information from the Windows registry and generates a user and a system ID

An RSA key found in the configuration file is then used to establish a connection with the command and control (C2) server. After that, it tries to get a list of commands to run on the host. 

The malware supports the following commands:

Command ID

Command Name

Description

0xf880e2be

LOAD_DLL

Load a DLL module into the current process

0xfee861f1

SHELL_STATE

Retrieve the state of the cmd[.]exe reverse shell

0xc202e685

SHELL_START

Start the cmd[.]exe reverse shell

0xa5946e4a

SHELL_STOP

Stop the cmd[.]exe reverse shell

0xa04d6355

SHELL_RESTART

Restart the cmd[.]exe reverse shell

0x5d2295b5

RUN_COMMAND

Run an arbitrary command

0x5d639645

EXIT

Terminate

The built-in command shell mechanism, which establishes a reverse shell using a remote IP address, is not new. Still, unlike earlier versions, it is now embedded directly into the malware binary. 

The plugin system has also been removed, as the command to load a DLL module into the current process can be used to extend the malware’s capabilities when necessary. 

Mandiant identified one such instance as the VNC (virtual network computing) module (vnc64 1[.]dll), which enables LDR4 to conduct hands-on attacks on infected devices.

You can get related feeds about Ursnif on the SOCRadar Threat Hunting platform.
You can get related feeds about Ursnif on the SOCRadar Threat Hunting platform.

Developers are Moving Toward Ransomware Operations 

The code for an initial compromise tool, which allows additional malware to enter a system, appears to have been updated by Ursnif LDR4 operators in the new version. 

As researchers discovered a threat actor searching for collaborators to distribute ransomware and the RM3 version of Ursnif, Mandiant says that the developers are probably moving toward ransomware operations.

Ursnif IoCs

Any updates to IoCs can be found on Mandiant’s blog.

Malware sample hashes:

  • 360417f75090c962adb8021dbb478f67 [VT]
  • 3e0f28bcaf35af2802f45b58f49481be
  • 590d96a7be55240ad868ebec78ce38f2
  • 8c658b9b02814927124351484c42a272 [VT]
  • 9f68d1a4b33e3ace6215040dc9fc73e8 [VT]
  • b4610d340a9bff58616543b10e961cd3
  • baa784967fd0558715f4011a72eb872e [VT]
  • bd4a92d4577ddedeb462a71cdf2fa934
  • bea60bab50d47f239132890a343ae84c [VT]
  • d38f6f01bb926df07d34de0649f608f6 [VT]
  • d6ef4778f7dc9c31a0a2a989ef42d2fd [VT]
  • d94657449f8d8c165ef88fd93e463134 [VT]
  • eee617806c18710e8635615de6297834 [VT]
  • f4b0a6ab164f7c58cccce651606caede [VT]

Malware sample hashes (unpacked):

  • 00b981b4d3f47bcbd32dfa37f3b947e5 [VT]
  • 09bc2a1aefbafd3e7577bc3c352c82ad [VT]
  • 1b0ec09ca4cb7dcf5d59cea53e1b9c93
  • 3c5f002b46ef11700caca540dcc7c519
  • 498d5e8551802e02fe4fa6cd0425c608
  • 58169007c2e7a0d022bc383f9b9476fe [VT]
  • 7808d22a4343b2617ceef63fd0d43651
  • 7eea48e592c4bccbfa3929b1b35a7c0b
  • 89b4dd18bea842fddd021aa74d109ec3
  • a3539bc682f39406c050e5233058c930 [VT]
  • ac39f1a22538f0211204037cce30431d
  • c1989d25287cd9044b4d936e73962e35
  • c7facfffad15a9c84239b495770183bb
  • cde05576e7c48ca89d2f21c283a4a018 [VT]

Domains:

  • astope[.]xyz
  • binchfog[.]xyz
  • damnater[.]com
  • daydayvin[.]xyz
  • dodsman[.]com
  • dodstep[.]cyou
  • fineg[.]xyz
  • fingerpin[.]cyou
  • fishenddog[.]xyz
  • giantos[.]xyz
  • gigeram[.]com
  • gigiman[.]xyz
  • gigimas[.]xyz
  • higmon[.]cyou
  • isteros[.]com
  • kidup[.]xyz
  • lionnik[.]xyz
  • logotep[.]xyz
  • mainwog[.]xyz
  • mamount[.]cyou
  • minotos[.]xyz
  • pinki[.]cyou
  • pipap[.]xyz
  • prises[.]cyou
  • reaso[.]xyz
  • rorfog[.]com
  • tornton[.]xyz
  • vavilgo[.]xyz

IP addresses:

  • 5[.]182.36.248 (CH) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 5[.]182.37.136 (RU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 5[.]182.38.43 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 5[.]182.38.68 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 5[.]252.23.238 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]8.147.179 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]8.147.215 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]67.34.75 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]67.34.172 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]67.34.245 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]67.229.39 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]89.54.122 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]89.54.152 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]95.11.62 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]140.146.241 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]142.212.87 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 45[.]150.67.4 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 77[.]75.230.62 (CZ) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 77[.]91.72.15 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.100.71 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.100.209 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.106.8 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.106.16 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.107.13 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.107.132 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 94[.]131.107.252 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 141[.]98.169.6 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 185[.]250.148.35 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 188[.]119.112.104 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
  • 193[.]38.54.157 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)

User-Agent strings:

  • Mozilla/5.0 (Windows NT ; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
  • Mozilla/5.0 (Windows NT ; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36