A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its specific banking trojan functionality. This change could indicate that the operators of the new version are focusing on distributing ransomware. Codenamed "LDR4," the new variant was spotted on June 23, 2022, by researchers at incident response company Mandiant, who believe that it's being distributed by the same actors that maintained the RM3 version of the malware over the past years. The Ursnif LDR4 variant is delivered via fake job offer emails containing a link to a website that impersonates a legitimate company.
Upon execution, the new Ursnif collects system service data from the Windows registry and generates a user ID and a system ID. Next, it connects to the command and control server using an RSA key stored in the configuration file and attempts to retrieve a list of commands to execute on the host. The built-in command shell, which uses a remote IP address to establish a reverse shell, isn't new, but it is now embedded in the malware binary instead of being delivered as an additional module, as in previous variants. The plugin system has also been eliminated, since a command that loads a DLL module into the current process can extend the malware's capabilities as needed.
One example observed by Mandiant is the VNC (virtual network computing) module ("vnc64_1.dll"), which gives LDR4 the ability to perform "hands-on" attacks on compromised systems. With the latest version, Ursnif LDR4 operators appear to have refocused the code on a more specific task: serving as an initial compromise tool that opens the door for other malware. Mandiant notes that ransomware operations are likely the direction the developers are heading, as researchers identified on an underground hacker community a threat actor looking for partners to distribute ransomware and the RM3 version of Ursnif.
Visitors to the malicious site are asked to solve a CAPTCHA challenge to download an Excel document whose macro code fetches the malware payload from a remote resource. The LDR4 variant comes in DLL form ("loader.dll"), is packed by portable executable crypters, and is signed with valid certificates, which helps it evade detection by security tools on the system. Mandiant's analysts dissecting LDR4 noticed that all banking features have been removed from the new Ursnif variant, and its code has been cleaned and simplified.
For mitigation, make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins should set the default macro setting centrally. General guidance:
- Disable macros in Office documents.
- Don't open suspicious emails or suspicious attachments.
- Delete any emails from unknown senders or with suspicious content; spam emails are the main way macro malware spreads.
- Enterprises can prevent macro malware from running executable content by using ASR rules.
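The following PowerShell script is an added example, not code from the article or from Mandiant, that audits (and with `-Enforce`, applies) the two mitigations named above: the Excel macro policy and the Defender ASR rules that stop Office from creating executable content or child processes. It assumes Office 16.0 (2016/2019/365) registry paths, Microsoft Defender Antivirus, and an elevated shell when enforcing.

```powershell
# Added example (not from the article or Mandiant): audit, and optionally enforce,
# the macro and ASR mitigations for macro-borne loaders such as Ursnif LDR4.
# Assumes Office 16.0 policy keys and Microsoft Defender Antivirus.
[CmdletBinding()]
param([switch]$Enforce)

# ASR rule GUIDs as documented for Microsoft Defender
$AsrRules = @{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}
# Group Policy location for Excel macro security; VBAWarnings 4 = "Disable all without notification"
$MacroPolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'

function Test-MacroPolicy {
    $val = (Get-ItemProperty -Path $MacroPolicyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    [pscustomobject]@{ Check = 'Excel VBAWarnings policy'; Current = $val; Compliant = ($val -eq 4) }
}

function Test-AsrRules {
    $pref = Get-MpPreference
    # Normalise to upper-case so the lookup works regardless of how Defender stores the GUIDs
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($id in $AsrRules.Keys) {
        $idx = [array]::IndexOf($ids, $id)
        # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
        $action = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }
        [pscustomobject]@{ Check = $AsrRules[$id]; Current = $action; Compliant = ($action -eq 1) }
    }
}

if ($Enforce) {
    # Force Excel to disable all macros without prompting the user
    New-Item -Path $MacroPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $MacroPolicyKey -Name VBAWarnings -Value 4 -Type DWord
    # Enable each ASR rule in Block mode
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Report current state; Compliant = False marks a host still exposed to macro-launched payloads
@(Test-MacroPolicy) + @(Test-AsrRules) | Format-Table -AutoSize
```

Run without `-Enforce` first to see which hosts are non-compliant; ASR rules can also be staged in Audit mode (action 2) before switching to Block.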