One of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan that has been described as "significantly dangerous" and likely to be used for ransomware attacks.
Designed to steal bank details, the first incarnation of malware appeared in 2006, and has caused tens of millions of dollars in losses, with the FBI describing it as "one of the most financially destructive computer viruses in history". Since then, the original source code has leaked, which spawned several new variants that still plague victims to this day.
These versions of Ursnif have stuck with the goal of the original malware – stealing bank details. But according to analysis by Mandiant, that's changed with a new variant – dubbed LDR4 – which has repurposed Ursnif into malware in the style of Trickbot and Emotet.
Attackers using the malware could steal data or use the backdoor to install ransomware, something that could cause much wider and more severe damage than stealing bank details, and provide attackers with a much larger payday.
"LDR4 could be a significantly dangerous variant – capable of distributing ransomware – that should be watched closely," Mandiant warned in a blog post.
The new variant was first seen in June this year and it's distributed using the same method as previous Ursnif campaigns and many other malware attacks, via phishing emails.
Some of these phishing emails claim to be from a recruiter with an offer of a new opportunity. The messages claim that, because of the General Data Protection Regulation, they can't give out give out information in the email, so the victim is urged to download a document to find out more. Others are distributed in messages, which claim to contain an invoice that must be looked at urgently.
No matter what the lure looks like, if a user follows the instructions in the phishing email, it will result in the Ursnif payload being downloaded, which provides attackers with remote access to the machine.
"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," said Mandiant researchers.
While it's a potentially dangerous malware, falling victim to this latest version of Ursnif is far from inevitable. As it arrives via phishing emails, organisations should do their best to ensure that protections are in place to identify and block malicious spam.