News URSNIF variant doesn’t support banking features

Pierluigi Paganini October 21, 2022

A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data.

Mandiant researchers warn of a significant shift from Ursnif's original purpose: the malware, initially used for banking fraud, is now used to deliver next-stage payloads and steal sensitive data.

The new variant, first observed in June 2022 and dubbed LDR4, is not a banking trojan, but a generic backdoor. 

“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.” reads the report published by Mandiant.

“Mandiant believes that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely.”

Ursnif is one of the most common and widespread threats delivered today through malspam campaigns. It appeared on the threat landscape in 2007 and gained popularity in 2014, when its source code was leaked online, giving several threat actors the opportunity to develop their own versions.

The attack chain associated with LDR4 starts with malspam messages using a recruitment-related lure. The email contains a link to a compromised website that redirects to a domain masquerading as a legitimate company. A CAPTCHA challenge is presented before the download of an Excel document purported to contain information related to the email lure. When the document is opened, it downloads and executes the LDR4 payload.

Analysis of the code of the latest variant revealed that the developers had completely removed the banking functionality.

The communication protocol used by LDR4 is quite similar to the protocol used by the older RM3 variant.

The LDR4 variant also introduces new configuration storage. Previous URSNIF variants used magic markers to locate additional files ("joined files") embedded in the binary; LDR4 introduces a new data structure for storing those joined files.

Unlike previous URSNIF variants, LDR4 cannot load plugins; instead, it was only observed downloading a VNC module via the LOAD_DLL command.

“The LOAD_DLL command thus allows for a simpler, more generic way of providing a plugin-like feature by extending the features of the malware via arbitrary DLL modules (in contrast to regular plugin DLLs, which must be implemented in a specific way to work with the main malware).” continues the report. “Interestingly, the VNC module still uses an older way of storing its embedded configuration (using the J1 magic bytes), so it is possible that it was originally compiled for a different URSNIF variant (likely for IAP 2.0).”

The latest Ursnif variant includes built-in command shell functionality that provides a reverse shell connecting to a remote IP address; the shell lets the attackers execute system commands via cmd.exe. The RM3 variant offered the same functionality through its separate cmdshell.dll plugin.
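The attack chain (an Excel lure that downloads and runs the payload) and the cmd.exe-based command shell described above can both be hunted for in endpoint process telemetry. The following is an added example written for this article, not code from Mandiant or from the malware: it runs three hunting rules over constructed Sysmon-style events (EventID 1 = process creation, EventID 3 = network connection); all paths, PIDs and addresses are invented sample data.

```python
"""Hunting rules for the LDR4 behaviours described above, run over
constructed Sysmon-style events (EventID 1 = process create, 3 = network)."""
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample telemetry, not real captures: a user opens the lure
# workbook, it drops and runs a payload, and that payload starts cmd.exe.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 410, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 522, "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"id": 1, "pid": 610, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"id": 3, "pid": 522, "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"id": 1, "pid": 700, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},            # benign interactive shell
    {"id": 3, "pid": 800, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "198.51.100.5", "dport": 443},            # benign browser traffic
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def hunt(events):
    """Return (rule, pid, detail) tuples for events matching the LDR4 chain."""
    findings = []
    for e in events:
        img, parent = basename(e["image"]), basename(e.get("parent", ""))
        # Rule 1: the Excel lure spawning a non-Office child process.
        if e["id"] == 1 and parent in OFFICE_APPS and img not in OFFICE_APPS:
            findings.append(("office_spawned_child", e["pid"], e["image"]))
        # Rule 2: cmd.exe started by a binary in a user-writable directory
        # (the backdoor's built-in command shell runs commands via cmd.exe).
        if e["id"] == 1 and img == "cmd.exe" and in_user_writable(e["parent"]):
            findings.append(("shell_from_user_writable", e["pid"], e["parent"]))
        # Rule 3: outbound connection by a binary in a user-writable directory
        # (the backdoor's C2 / reverse-shell channel).
        if e["id"] == 3 and in_user_writable(e["image"]):
            findings.append(("user_writable_net_conn", e["pid"], f'{e["dst"]}:{e["dport"]}'))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The benign interactive cmd.exe and the browser connection produce no findings; tune the USER_WRITABLE markers to your environment, since legitimate installers also run from AppData.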

“URSNIF is the latest malware following the same path that EMOTET and TRICKBOT did before, by focusing into a new strategy and leaving behind its banking fraud legacy. LDR4 is the proof of that statement by removing all its banking malware features and modules and only focusing into getting VNC and/or remote shell into the compromised machine.” the researchers conclude.
