Ursnif malware switches from bank account theft to initial access (Security News, October 2022)
A new version of the Ursnif malware emerged as a generic backdoor, stripped of its typical banking trojan functionality.
Codenamed "LDR4," the new variant was spotted on June 23, 2022, by researchers at incident response company Mandiant, who believe that it's being distributed by the same actors that maintained the RM3 version of the malware over the past years.
Mandiant's analysts dissecting LDR4 noticed that all banking features have been removed from the new Ursnif variant and its code has been cleaned and simplified.
Upon execution, the new Ursnif collects system service data from the Windows registry and generates a user ID and a system ID. Next, it connects to the command and control server using an RSA key available in the configuration file.
The built-in command shell system, which uses a remote IP address to establish a reverse shell, isn't new, but it is now embedded in the malware binary instead of being delivered as an additional module, as previous variants did.
With the latest version, Ursnif LDR4 operators appear to have improved the code for a more specific task, that of an initial compromise tool that opens the door for other malware.