One of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan which has been described as “significantly dangerous” and likely to be used for ransomware attacks.
The new variant of Ursnif malware – also known as Gozi – has been detailed by researchers at security company Mandiant, who suggest it has been purposefully built to power ransomware and data theft attacks.
Designed to steal bank details, the first incarnation of the malware appeared in 2006, and has caused tens of millions of dollars in losses, with the FBI describing it as “one of the most financially destructive computer viruses in history”. The original source code has since leaked, spawning several new variants which still plague victims to this day.
These versions of Ursnif have stuck with the goal of the original malware – stealing bank details. But according to analysis by Mandiant, that’s changed with a new variant – dubbed LDR4 – which has repurposed Ursnif into malware in the style of Trickbot and Emotet.
Attackers using the malware could steal data or use the backdoor to install ransomware, something which could cause much wider and much more severe damage than stealing bank details, and provide attackers with a much larger payday.
“LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely,” Mandiant warned in a blog post.
The new variant was first seen in June this year and it’s distributed using the same method as previous Ursnif campaigns and many other malware attacks, via phishing emails.
Some of these phishing emails claim to be from a recruiter with an offer of a new opportunity. The messages claim that because of GDPR (General Data Protection Regulation), they can’t give out more information in the email, so the victim is urged to download a document to find out more. Others are distributed in messages which claim to contain an invoice which must be looked at urgently.
No matter what the lure looks like, if a user follows the instructions in the phishing email, it will result in the Ursnif payload being downloaded, which provides attackers with remote access to the machine.
“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape,” said Mandiant researchers.
While the malware is potentially dangerous, falling victim to this latest version of Ursnif is far from inevitable. As it arrives via phishing emails, organisations should do their best to ensure that protections are in place to identify and block malicious spam.
They should also make users aware of the risks of phishing emails, and keep them updated with the types of subjects which are used to lure victims in.