URSNIF (aka Gozi) banking trojan turns into a backdoor • The Register

URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims’ Windows PCs, is evolving to support extortion software.

As one of the oldest banking Trojans – dating back to the mid-2000s – the nasty software has a number of variants and has been given a few nicknames, including URSNIF, Gozi and ISFB. It has crossed paths with other malware families, its source code has been leaked twice since 2016, and according to Mandiant it is now less of a single malware family than a “set of related siblings “.

He also saw his alleged brains dragged through US courts. The last of them was extradited this year from Colombia, where he fled after being released on bail following his arrest in Romania in 2012.

Whoever is still behind URSNIF follows the path taken by the developers of other malware families, such as Emotet, TrickBot and Qakbot, who abandoned their past of stealing banking information to become backdoors on infected machines that can be used by malefactors to deliver ransomware and data-stealing payloads.

In a report published this week, Mandiant researchers Sandor Nemes, Sulian Lebegue and Jessa Valdez wrote that a strain of the RM3 version of URSNIF is no longer a banking Trojan but a generic backdoor, similar to the short-lived Saigon variant.

This backdoor can be used to run ransomware, data exfiltration and other horrible crap on compromised computers.

“This is a significant shift from the malware’s original purpose of enabling bank fraud, but is consistent with the broader threat landscape,” the researchers wrote, adding that they believe “the same threat actors that exploited the RM3 variant of URSNIF are likely behind [the] LDR4 [variant]. Given the success and sophistication that RM3 had before, LDR4 could be a very dangerous variant – capable of distributing ransomware – that should be watched closely.”

Ransomware – and now data extortion, where attackers steal victims’ files and threaten to release them if the requested money is not paid – are everywhere now. Threat intelligence firm Intel 471 spotted more than 1,500 ransomware infections in the first three quarters of this year alone.

A ransomware attack can cost companies and their insurers millions of dollars, so it’s no surprise that established cybercrime teams are moving in this direction. URSNIF, with its latest LDR4 variant, seems to do just that.

Mandiant first detected LDR4 in the wild on June 23 after analyzing a suspicious email that resembled messages used by RM3 a year earlier. In the email is a link to a malicious website that redirects the victim to a site designed to look like a legitimate business, with a CAPTCHA challenge to download a Microsoft Excel document supposedly related to the content of the email . If the email is about a job offer, the document is said to contain information about it.

Clicking on the document results in the LDR4 payload being downloaded and executed, once the mark follows the instructions given to run macros in the file.

“One of the most notable things during the analysis was that the developers had simplified and cleaned up various parts of the code, compared to previous variants,” the researchers wrote. “Most notably, its banking functionality has been completely removed.”

URSNIF, in its time as a banking malware, caused a lot of trouble for financial services institutions and their customers. During the extradition to America of Mihai Ionut Paunescu, a 37-year-old Romanian accused of creating URSNIF, US law enforcement says the malware infected more than a million people. Windows computers worldwide, including the United States. They estimated that it caused tens of millions of dollars in losses to government agencies, organizations and individuals.

PC users in countries including Germany, Britain, Poland, Italy and Turkey were also affected by the malware, which could log a victim’s keystrokes and steal personal information. identification to access their online bank accounts.

However, in 2020 the RM3 variant started to struggle. Distribution and backends, especially in Europe, collapsed and then failed to take advantage of the disruptions suffered by TrickBot and Emotet to increase its use.

“One of the biggest winners was the ICEDID malware family, which managed to take advantage of the diminishing competition in the banking malware landscape, putting RM3 in a difficult position,” the team wrote. Mandiant, adding that it was unusual for the ISFB variant of URSNIF – which spawned other variants including RM3 – to stop receiving updates after June 2020.

“Some researchers have speculated that the only way for this banking malware to return is with a major overhaul of its code.”

The last step in the fall of RM3 was Microsoft in June removing Internet Explorer from Windows. The variant depended on this browser for its network communication.

Mandiant analysts called LDR4 “an interesting mix of code refactoring, regressions and simplification strategies”. It no longer uses the custom PX executable format first provided with RM3, and a steganography tool called FJ.exe that was used in ISFB to hide multiple files in a single payload has disappeared or been reworked.

Then there is the migration to the new strategy – away from bank fraud to being the backdoor for other malware.

“The demise of the RM3 variant earlier this year and the authors’ decisions to make heavy simplifications to their code, including the removal of all bank-related features, indicate a dramatic shift in their previously observed TTPs. [tactics, techniques, and procedures]“, wrote the team.

“These changes may reflect increased focus by threat actors on participating in or enabling ransomware operations in the future.”

This was backed up when Mandiant analysts saw a cybercriminal in underground communities this year looking for partners to distribute new ransomware and the RM3 variant, which is similar to LDR4. ®