"New URSNIF Variant Doesn't Support Banking Features"

Mandiant researchers are warning of a major shift in URSNIF's purpose: malware originally built for banking fraud is now being used to deliver next-stage payloads and steal sensitive data. The new variant, dubbed LDR4, was discovered in June 2022 and is not a banking Trojan but a generic backdoor. Mandiant believes the same threat actors behind the RM3 variant of URSNIF are also responsible for LDR4. Given the previous success and sophistication of RM3, LDR4 could be a significantly dangerous variant, capable of distributing ransomware, and should be closely monitored. URSNIF is one of the most common threats delivered today via malspam campaigns. It first appeared on the threat landscape in 2007 and gained popularity in 2014 after its source code was leaked online, allowing several threat actors to create their own versions. The new variant includes built-in command shell functionality that opens a reverse shell connection to a remote IP address, letting attackers run system commands through cmd.exe. The RM3 variant supports the same functionality through its own cmdshell.dll plugin. This article continues to discuss researchers' findings regarding the new URSNIF variant.
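The reverse-shell behaviour described above has a recognisable shape in endpoint telemetry: a process that holds an outbound socket to a remote address spawns cmd.exe (or cmd.exe itself holds the socket) so that shell input and output can be piped over the network. The following is an added detection example, not code from the article, from Security Affairs or from Mandiant. The event schema (field names such as `image`, `ppid`, `dst_ip`) is an assumption loosely modelled on Sysmon process-creation and network-connection events, and the sample events are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (assumed schema, not real data): a simplified
# stream of process-creation and network-connection events. "ts" is epoch
# seconds.
SAMPLE_EVENTS = [
    # Benign: a user opens a command prompt from Explorer; no network activity.
    {"ts": 1000, "type": "process_create", "pid": 2204, "ppid": 1520,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Suspicious: a loader in a user-writable directory connects out to a
    # public address, then spawns cmd.exe. The loader holds the socket and
    # relays the shell's stdin/stdout over it: the reverse-shell pattern.
    {"ts": 2000, "type": "network_connect", "pid": 3900,
     "image": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"ts": 2003, "type": "process_create", "pid": 4120, "ppid": 3900,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    # Benign: a build agent talks to an internal (RFC 1918) server and runs
    # cmd.exe; the peer is internal, so this rule does not flag it.
    {"ts": 3000, "type": "network_connect", "pid": 5100,
     "image": r"C:\agent\agent.exe", "dst_ip": "10.0.0.8", "dst_port": 8080},
    {"ts": 3001, "type": "process_create", "pid": 5101, "ppid": 5100,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\agent\agent.exe"},
    # Suspicious: cmd.exe itself owns an outbound connection to a public
    # address (a shell whose socket was inherited or injected).
    {"ts": 4000, "type": "process_create", "pid": 6000, "ppid": 1520,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 4002, "type": "network_connect", "pid": 6000,
     "image": r"C:\Windows\System32\cmd.exe",
     "dst_ip": "198.51.100.7", "dst_port": 4444},
]

# Address ranges treated as internal. Listed explicitly rather than via
# ipaddress.is_private, because that property also covers documentation
# ranges such as 203.0.113.0/24 and 198.51.100.0/24 used in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip):
    """True when the address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_cmd(image):
    """Match cmd.exe by basename, case-insensitively."""
    return image.lower().rsplit("\\", 1)[-1] == "cmd.exe"


def find_reverse_shell_candidates(events, window=60):
    """Return one finding per cmd.exe whose parent, or the shell itself, has an
    outbound connection to an external IP within `window` seconds of the
    shell's creation. Each finding records which process owns the socket."""
    conns = defaultdict(list)  # pid -> [(ts, dst_ip, dst_port)]
    for e in events:
        if e["type"] == "network_connect" and is_external(e["dst_ip"]):
            conns[e["pid"]].append((e["ts"], e["dst_ip"], e["dst_port"]))

    findings = []
    for e in events:
        if e["type"] != "process_create" or not is_cmd(e["image"]):
            continue
        # Check the parent first (loader holds the socket), then the shell.
        for role, pid in (("parent", e["ppid"]), ("self", e["pid"])):
            hit = next((c for c in conns.get(pid, [])
                        if abs(c[0] - e["ts"]) <= window), None)
            if hit is not None:
                findings.append({
                    "cmd_pid": e["pid"],
                    "socket_owner": role,
                    "owner_pid": pid,
                    "remote": f"{hit[1]}:{hit[2]}",
                    "parent_image": e["parent_image"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_reverse_shell_candidates(SAMPLE_EVENTS):
        print(f)
```

The rule correlates on process lineage and timing rather than on any sample-specific string, so it also catches RM3's cmdshell.dll plugin or any other loader that pipes cmd.exe over a socket. In production, tune the window and the internal-range list, and expect to add an allow-list for legitimate remote-management agents that spawn shells while holding outbound connections.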

Security Affairs reports "New URSNIF Variant Doesn't Support Banking Features"
