Apr 18, 2024
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft
Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute ransomware.
Mandiant researchers discovered Ursnif’s new variant, LDR4, in late June, and they reckon the same actors from the RM3 variant are behind its distribution. It was also discovered that all banking features were removed from the LDR4 variant of Ursnif, and its code has been simplified.
The threat actors behind Ursnif make fake job proposals in emails to carry out the operations, which is their usual scheme. In a previous campaign, the gang impersonated Michael Page’s consultants. They offered executive positions to lure victims and deployed their infostealer malware.
Initial Access and Operations of Ursnif
The LDR4 variant is spread via phishing emails containing a link to a website impersonating a legitimate company.
Upon visiting the malicious site, users are requested to complete a Captcha quiz to download an Excel document. A macro code in the Excel document is used to retrieve the malware payload named loader[.]dll from a remote resource. The DLL is signed with legitimate certificates to prevent detection and is packed by portable executable crypters.
After execution, the new malware gathers system service information from the Windows registry and generates a user and a system ID.
An RSA key found in the configuration file is then used to establish a connection with the command and control (C2) server. After that, it tries to get a list of commands to run on the host.
The malware supports the following commands:
|
Command ID |
Command Name |
Description |
|
0xf880e2be |
LOAD_DLL |
Load a DLL module into the current process |
|
0xfee861f1 |
SHELL_STATE |
Retrieve the state of the cmd[.]exe reverse shell |
|
0xc202e685 |
SHELL_START |
Start the cmd[.]exe reverse shell |
|
0xa5946e4a |
SHELL_STOP |
Stop the cmd[.]exe reverse shell |
|
0xa04d6355 |
SHELL_RESTART |
Restart the cmd[.]exe reverse shell |
|
0x5d2295b5 |
RUN_COMMAND |
Run an arbitrary command |
|
0x5d639645 |
EXIT |
Terminate |
The built-in command shell mechanism, which establishes a reverse shell using a remote IP address, is not new. Still, unlike earlier versions, it is now embedded directly into the malware binary.
The plugin system has also been removed, as the command to load a DLL module into the current process can be used to extend the malware’s capabilities when necessary.
Mandiant identified one such instance as the VNC (virtual network computing) module (vnc64 1[.]dll), which enables LDR4 to conduct hands-on attacks on infected devices.
Developers are Moving Toward Ransomware Operations
The code for an initial compromise tool, which allows additional malware to enter a system, appears to have been updated by Ursnif LDR4 operators in the new version.
As researchers discovered a threat actor searching for collaborators to distribute ransomware and the RM3 version of Ursnif, Mandiant says that the developers are probably moving toward ransomware operations.
Ursnif IoCs
Any updates to IoCs can be found on Mandiant’s blog.
Malware sample hashes:
- 360417f75090c962adb8021dbb478f67 [VT]
- 3e0f28bcaf35af2802f45b58f49481be
- 590d96a7be55240ad868ebec78ce38f2
- 8c658b9b02814927124351484c42a272 [VT]
- 9f68d1a4b33e3ace6215040dc9fc73e8 [VT]
- b4610d340a9bff58616543b10e961cd3
- baa784967fd0558715f4011a72eb872e [VT]
- bd4a92d4577ddedeb462a71cdf2fa934
- bea60bab50d47f239132890a343ae84c [VT]
- d38f6f01bb926df07d34de0649f608f6 [VT]
- d6ef4778f7dc9c31a0a2a989ef42d2fd [VT]
- d94657449f8d8c165ef88fd93e463134 [VT]
- eee617806c18710e8635615de6297834 [VT]
- f4b0a6ab164f7c58cccce651606caede [VT]
Malware sample hashes (unpacked):
- 00b981b4d3f47bcbd32dfa37f3b947e5 [VT]
- 09bc2a1aefbafd3e7577bc3c352c82ad [VT]
- 1b0ec09ca4cb7dcf5d59cea53e1b9c93
- 3c5f002b46ef11700caca540dcc7c519
- 498d5e8551802e02fe4fa6cd0425c608
- 58169007c2e7a0d022bc383f9b9476fe [VT]
- 7808d22a4343b2617ceef63fd0d43651
- 7eea48e592c4bccbfa3929b1b35a7c0b
- 89b4dd18bea842fddd021aa74d109ec3
- a3539bc682f39406c050e5233058c930 [VT]
- ac39f1a22538f0211204037cce30431d
- c1989d25287cd9044b4d936e73962e35
- c7facfffad15a9c84239b495770183bb
- cde05576e7c48ca89d2f21c283a4a018 [VT]
Domains:
- astope[.]xyz
- binchfog[.]xyz
- damnater[.]com
- daydayvin[.]xyz
- dodsman[.]com
- dodstep[.]cyou
- fineg[.]xyz
- fingerpin[.]cyou
- fishenddog[.]xyz
- giantos[.]xyz
- gigeram[.]com
- gigiman[.]xyz
- gigimas[.]xyz
- higmon[.]cyou
- isteros[.]com
- kidup[.]xyz
- lionnik[.]xyz
- logotep[.]xyz
- mainwog[.]xyz
- mamount[.]cyou
- minotos[.]xyz
- pinki[.]cyou
- pipap[.]xyz
- prises[.]cyou
- reaso[.]xyz
- rorfog[.]com
- tornton[.]xyz
- vavilgo[.]xyz
IP addresses:
- 5[.]182.36.248 (CH) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]182.37.136 (RU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]182.38.43 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]182.38.68 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 5[.]252.23.238 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]8.147.179 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]8.147.215 (SE) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.34.75 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.34.172 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.34.245 (RO) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]67.229.39 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]89.54.122 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]89.54.152 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]95.11.62 (SK) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]140.146.241 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]142.212.87 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 45[.]150.67.4 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 77[.]75.230.62 (CZ) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 77[.]91.72.15 (HU) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.100.71 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.100.209 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.106.8 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.106.16 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.107.13 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.107.132 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 94[.]131.107.252 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 141[.]98.169.6 (FI) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 185[.]250.148.35 (MD) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 188[.]119.112.104 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
- 193[.]38.54.157 (NL) – ISP: STARK INDUSTRIES SOLUTIONS LTD (GB)
User-Agent strings:
- Mozilla/5.0 (Windows NT
; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 - Mozilla/5.0 (Windows NT
; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Related Articles
Subscribe to our newsletter and stay updated on the latest insights!
