URSNIF, malware also known as Gozi that attempts to steal online banking credentials from a victim’s Windows PC, has evolved to support extortion software.
As one of the oldest banking Trojans dating back to the mid-2000s, the nasty software has numerous variants and goes by several names such as URSNIF, Gozi and ISFB. It intersects with other malware families, having its source code leaked twice since 2016, and according to Mandiant, it’s now a “set of related siblings” rather than a single malware family.
Alleged masterminds have also been brought before US courts. One, after being arrested in Romania in 2012 and released on bail, fled to Colombia.
Whoever is behind URSNIF is following in the footsteps of the developers of other malware families such as Emotet, TrickBot, and Qakbot. Those crews shed their banking-theft past and turned their malware into backdoors on infected machines, delivering ransomware and data-stealing payloads on behalf of other criminals.
In a report this week, Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez found that the RM3 version of the URSNIF strain is no longer a banking Trojan but, like the short-lived Saigon variant, a generic backdoor.
That backdoor can be used to deploy ransomware, exfiltrate data, and run other nastiness on infected computers.
“While this is a significant shift from the malware’s original purpose of enabling bank fraud, it is consistent with the broader threat landscape,” the researchers wrote, adding that they believe it likely that the same threat actor who operated the RM3 variant of URSNIF is behind the LDR4 variant. “Given the success and sophistication of the previous RM3, LDR4 could be a very dangerous variant capable of distributing ransomware and should be monitored closely.”
Ransomware (and now data extortion, where attackers steal files from victims and threaten to leak them if the demanded money is not paid) is now ubiquitous. Threat intelligence firm Intel 471 counted more than 1,500 ransomware infections in the first three quarters of this year alone.
Ransomware attacks can cost businesses and their insurers millions of dollars, so it’s no surprise that established cybercrime crews are moving in that direction. Those behind URSNIF appear to be doing just that.
Mandiant first detected LDR4 in the wild on June 23 after analyzing suspicious emails similar to those used by RM3 a year earlier. The emails contain a link to a malicious website that redirects the victim to a site masquerading as a legitimate business; a CAPTCHA challenge there gates the download of a Microsoft Excel document purportedly related to the subject of the email. If the email is about a job offer, for example, the document is said to contain details of the position.
Opening the document and enabling its macros, as the embedded instructions prompt the victim to do, downloads and executes the LDR4 payload.
“One of the most notable things during our analysis is that the developers have simplified and cleaned up various parts of the code compared to previous variants,” the researchers wrote. “Most notably, its banking function has been completely abolished.”
URSNIF caused many problems for financial services institutions and their customers when it emerged as banking malware. When Mihai Ionut Paunescu, a 37-year-old Romanian accused of creating URSNIF, was extradited to the United States, US law enforcement officials said the malware had infected more than 1 million Windows computers around the world, including in the United States, and estimated that tens of millions of dollars had been lost by government agencies, organizations and individuals.
PC users in countries such as Germany, the United Kingdom, Poland, Italy, and Turkey also fell victim to the malware, which recorded victims’ keystrokes and stole credentials to compromise online banking accounts.
In 2020, however, the RM3 variant began to struggle. Its distribution and backend infrastructure collapsed, particularly in Europe, and its operators were unable to capitalize on the disruption of TrickBot and Emotet to grow its use.
“One of the biggest winners in this has been the ICEDID malware family, which has taken advantage of the reduced competition in the banking malware landscape and put RM3 in a difficult position,” the Mandiant team wrote, adding that it was unusual for URSNIF’s ISFB variant, which spawned other variants including RM3, to stop receiving updates after June 2020.
“Some researchers hypothesized that the only way this banking malware could be resurrected would be to overhaul its code.”
The final blow in the fall of RM3 was Microsoft’s removal of Internet Explorer from Windows in June, since this variant relied on that browser for network communication.
Mandiant’s analysts called LDR4 “a combination of code refactoring, regressions, and interesting simplification strategies.” The custom PX executable format first introduced in RM3 is no longer used, and the steganography tool called FJ.exe, used by ISFB to hide multiple files in a single payload, has been removed or reworked.
Then there is the shift from bank fraud to new strategies of becoming a backdoor for other malware.
“The demise of the RM3 variant earlier this year and the authors’ decision to greatly simplify the code, including removing all banking-related functionality, marks a dramatic shift from the previously observed TTPs [tactics, techniques, and procedures],” the team wrote.
“These changes may reflect threat actors’ growing interest in participating in or conducting ransomware operations in the future.”
This is supported by Mandiant analysts’ discovery earlier this year of cybercriminals in underground communities seeking partners to distribute new ransomware and LDR4-like variants of RM3. ®