This old malware has been rebuilt with new features to use in ransomware attacks

A 'significant shift' by malware that has existed for more than 15 years demonstrates the changing threat landscape, warn cybersecurity researchers.
Written by Danny Palmer, Senior Writer
Image: Getty

One of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan that has been described as "significantly dangerous" and likely to be used for ransomware attacks. 

The new variant of Ursnif malwarealso known as Gozi – has been detailed by researchers at security company Mandiant, who suggest it has been purposefully built to power ransomware and data-theft attacks. 

Designed to steal bank details, the first incarnation of malware appeared in 2006, and has caused tens of millions of dollars in losses, with the FBI describing it as "one of the most financially destructive computer viruses in history". Since then, the original source code has leaked, which spawned several new variants that still plague victims to this day. 

Also: The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats

These versions of Ursnif have stuck with the goal of the original malware – stealing bank details. But according to analysis by Mandiant, that's changed with a new variant – dubbed LDR4 – which has repurposed Ursnif into malware in the style of Trickbot and Emotet

Attackers using the malware could steal data or use the backdoor to install ransomware, something that could cause much wider and more severe damage than stealing bank details, and provide attackers with a much larger payday.  

"LDR4 could be a significantly dangerous variant – capable of distributing ransomware – that should be watched closely," Mandiant warned in a blog post

The new variant was first seen in June this year and it's distributed using the same method as previous Ursnif campaigns and many other malware attacks, via phishing emails

Some of these phishing emails claim to be from a recruiter with an offer of a new opportunity. The messages claim that, because of the General Data Protection Regulation, they can't give out give out information in the email, so the victim is urged to download a document to find out more. Others are distributed in messages, which claim to contain an invoice that must be looked at urgently. 

No matter what the lure looks like, if a user follows the instructions in the phishing email, it will result in the Ursnif payload being downloaded, which provides attackers with remote access to the machine. 

"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," said Mandiant researchers. 

While it's a potentially dangerous malware, falling victim to this latest version of Ursnif is far from inevitable. As it arrives via phishing emails, organisations should do their best to ensure that protections are in place to identify and block malicious spam. 

They should also make users aware of the risks of phishing emails, and keep them updated with the types of subjects that are used to lure victims in. 


Editorial standards