The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot.
“This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape,” Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez disclosed in a Wednesday analysis.
The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what’s being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations.
Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with the earliest documented attacks going as far back as 2007. Check Point, in August 2020, mapped the “divergent evolution of Gozi” over the years, while pointing out its fragmented development history.
images from Hacker News