Since its emergence in the mid-2000s, Ursnif (aka Gozi or Gozi/ISFB) malware has launched multiple banking trojan campaigns. More recently, Ursnif has rolled out a new variant with generic backdoor capabilities.
Here are the details
Mandiant researchers first found this variant in June and named it LDR4. Its code has been cleaned up and simplified, and all banking features have been removed.
- The LDR4 backdoor's features and modules focus on obtaining initial access to the compromised machine.
- The malware evades detection by arriving as a DLL that is packed with portable-executable crypters and signed with valid certificates.
- It collects system service data from the Windows registry and, upon execution, generates a user ID and a system ID that it uses to fetch and execute various commands on the host system.
- A successful initial compromise paves the way for follow-on ransomware and data-theft extortion operations.