• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • News URSNIF variant doesn’t support banking features

News URSNIF variant doesn’t support banking features

Pierluigi Paganini October 21, 2022

A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data.

Mandiant researchers warn of a significant shift from Ursnif‘s original purpose, the malware initially used in banking frauds is now used to deliver next-stage payloads and steal sensitive data.

The new variant, first observed in June 2022 and dubbed LDR4, is not a banking trojan, but a generic backdoor. 

“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.” reads the report published by Mandiant.

“Mandiant believes that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely.”

Ursnif is one of the most and widespread common threats today delivered through malspam campaigns. It appeared on the threat landscape in 2007 and gained popularity in 2014 when its source code was leaked online giving the opportunity to several threat actors to develop their own version.

ursnif

The attack chain associated with LDR4, starts with malspam messages using a recruitment-related lure. The email contains a link to a compromised website that redirects to a domain masquerading as a legitimate company. A CAPTCHA challenge is presented to download an Excel document purported to contain information related to the email lure. Upon opening the document, it will download and execute the LDR4 payload.

The analysis of the code of the latest variant revealed that the developers had totally removed the banking functionalities.

The communication protocol used by LDR4 is quite similar to the protocol used by the older RM3 variant.

The LDR4 variant has new configuration storage. Unlike previous URSNIF variants that used magic markers to locate additional files (joined files.) that were embedded into the binary the LDR4 variant introduces a new data structure for storing joined files.

Unlike previous URSNIF variants, LDR4 is not able to load plugins, instead, it was only observed downloading a VNC module via the LOAD_DLL command. 

“The LOAD_DLL command thus allows for a simpler, more generic way of providing a plugin-like feature by extending the features of the malware via arbitrary DLL modules (in contrast to regular plugin DLLs, which must be implemented in a specific way to work with the main malware).” continues the report. “Interestingly, the VNC module still uses an older way of storing its embedded configuration (using the J1 magic bytes), so it is possible that it was originally compiled for a different URSNIF variant (likely for IAP 2.0).”

The latest Ursnif variant includes a built-in command shell functionality which provides a reverse shell that connects to a remote IP address. The shell allows the attackers to execute system commands via the cmd.exe program. This functionality is the same supported by the RM3 variant provided via its separate cmdshell.dll plugin.

“URSNIF is the latest malware following the same path that EMOTET and TRICKBOT did before, by focusing into a new strategy and leaving behind its banking fraud legacy. LDR4 is the proof of that statement by removing all its banking malware features and modules and only focusing into getting VNC and/or remote shell into the compromised machine.” the researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ursnif)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

backdoor Cybercrime hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Trojan Ursnif

you might also like

Pierluigi Paganini July 11, 2025
U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 10, 2025
UK NCA arrested four people over M&S, Co-op cyberattacks
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

    Hacking / July 10, 2025

    Qantas data breach impacted 5.7 million individuals

    Data Breach / July 10, 2025

    DoNot APT is expanding scope targeting European foreign ministries

    APT / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT