News URSNIF variant doesn’t support banking features

Pierluigi Paganini October 21, 2022

A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data.

Mandiant researchers warn of a significant shift from Ursnif‘s original purpose, the malware initially used in banking frauds is now used to deliver next-stage payloads and steal sensitive data.

The new variant, first observed in June 2022 and dubbed LDR4, is not a banking trojan, but a generic backdoor. 

“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.” reads the report published by Mandiant.

“Mandiant believes that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely.”

Ursnif is one of the most and widespread common threats today delivered through malspam campaigns. It appeared on the threat landscape in 2007 and gained popularity in 2014 when its source code was leaked online giving the opportunity to several threat actors to develop their own version.


The attack chain associated with LDR4, starts with malspam messages using a recruitment-related lure. The email contains a link to a compromised website that redirects to a domain masquerading as a legitimate company. A CAPTCHA challenge is presented to download an Excel document purported to contain information related to the email lure. Upon opening the document, it will download and execute the LDR4 payload.

The analysis of the code of the latest variant revealed that the developers had totally removed the banking functionalities.

The communication protocol used by LDR4 is quite similar to the protocol used by the older RM3 variant.

The LDR4 variant has new configuration storage. Unlike previous URSNIF variants that used magic markers to locate additional files (joined files.) that were embedded into the binary the LDR4 variant introduces a new data structure for storing joined files.

Unlike previous URSNIF variants, LDR4 is not able to load plugins, instead, it was only observed downloading a VNC module via the LOAD_DLL command. 

“The LOAD_DLL command thus allows for a simpler, more generic way of providing a plugin-like feature by extending the features of the malware via arbitrary DLL modules (in contrast to regular plugin DLLs, which must be implemented in a specific way to work with the main malware).” continues the report. “Interestingly, the VNC module still uses an older way of storing its embedded configuration (using the J1 magic bytes), so it is possible that it was originally compiled for a different URSNIF variant (likely for IAP 2.0).”

The latest Ursnif variant includes a built-in command shell functionality which provides a reverse shell that connects to a remote IP address. The shell allows the attackers to execute system commands via the cmd.exe program. This functionality is the same supported by the RM3 variant provided via its separate cmdshell.dll plugin.

“URSNIF is the latest malware following the same path that EMOTET and TRICKBOT did before, by focusing into a new strategy and leaving behind its banking fraud legacy. LDR4 is the proof of that statement by removing all its banking malware features and modules and only focusing into getting VNC and/or remote shell into the compromised machine.” the researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ursnif)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment