The Ursnif group launches a new malware variant

November 4, 2022
Tags: Ursnif, Threat Group, Malware Variant, Ransomware, LDR4, Banking Trojan, Phishing

The Ursnif threat group has deployed numerous banking trojans in different campaigns since 2020. However, the group has recently become more prevalent as it rolls out new malware variants that contain generic backdoor features.

Based on reports, cybersecurity researchers first uncovered the newly deployed variant last June and called it LDR4. The researchers noted that its code had been cleaned and simplified by its authors. The threat actors have removed all banking features to make it as basic as possible.

Ursnif’s LDR4 backdoor currently has a small set of functions and modules focused on gaining initial access to a targeted device. Its DLL format helps it evade security detections, and the DLL is additionally packed with portable executable (PE) crypters signed with legitimate certificates.


The new malware variant from the Ursnif group could efficiently execute a standard threat campaign.


The LDR4 backdoor from the Ursnif group harvests system service data from the Windows registry. Upon execution it generates a user ID and a system ID, which it then uses to retrieve and run various commands on the targeted system.

A successful initial compromise from this campaign paves the way for threat actors to execute additional attacks such as data theft, ransomware, and extortion.

Currently, fake job offers sent as phishing emails are the primary vector for propagating the LDR4 variant. These lures from the threat actors contain a link that leads to a website spoofing a legitimate firm.

The website then prompts the potential victim to solve a CAPTCHA to download an Excel document, which in turn downloads and runs the backdoor from a remote resource. The malware authors have also been observed utilising accounting-software lures to deliver the payload.
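The delivery chain above ends with an Excel document starting a DLL-format backdoor on the endpoint. The following added detection example (not code from the page or the underlying report) scans constructed Sysmon-like process-creation events for an Office application spawning a Windows DLL host; it assumes the backdoor DLL is launched through rundll32.exe or regsvr32.exe, which the page does not state, and the field names and sample events are assumptions.

```python
# Added detection example (not from the page or the underlying report).
# Assumption: a DLL-format backdoor dropped by an Excel lure is started through
# a Windows DLL host such as rundll32.exe or regsvr32.exe; field names follow
# a Sysmon-like process-creation event and the events below are constructed.

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Directories a standard user can write to; a DLL loaded from one of these is
# more suspicious than a DLL loaded from System32.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry: one malicious chain, two benign events.
SAMPLE_EVENTS = [
    {"ts": "2022-11-04T09:12:01Z", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,DllRegisterServer"},
    {"ts": "2022-11-04T09:13:40Z", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
    {"ts": "2022-11-04T09:15:02Z", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return an alert dict when an Office process spawns a DLL host, else None."""
    if basename(event["parent_image"]) not in OFFICE_PARENTS:
        return None
    if basename(event["image"]) not in DLL_HOSTS:
        return None
    cmd = event["cmdline"].lower()
    # Escalate when the loaded DLL sits in a user-writable directory, which is
    # where a document-delivered payload would normally be written.
    severity = "high" if any(p in cmd for p in USER_WRITABLE) else "medium"
    return {"rule": "office-spawns-dll-host", "severity": severity,
            "host": event["host"], "ts": event["ts"], "cmdline": event["cmdline"]}

def scan(events):
    """Run classify() over process-creation events and keep only the hits."""
    return [alert for alert in map(classify, events) if alert]
```

Only the first sample event is flagged, at high severity, because the DLL path lies under the user's profile; the printer helper and the Control Panel launch are ignored.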

The banking trojans from older Ursnif variants used a complex attack process built for sophisticated campaigns. The recent LDR4 variant, by contrast, has a simplified attack process: its code has been refactored down to basic features, with some regressions along the way.

If the authors find this approach effective, other backdoors are likely to adopt the same strategy soon, running streamlined campaigns against small-time targets and large organisations alike.
