Security News > 2022 > October > Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor

As one of the oldest banking trojans - dating back to the mid-2000s - the software nasty has a number of variants and been given a few monikers, including URSNIF, Gozi, and ISFB. It's crossed paths with other malware families, had its source code leaked twice since 2016 and, according to Mandiant, is now less a single malware family than a "Set of related siblings."

In a report this week, Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez wrote that a strain of URSNIF's RM3 version is no longer a banking trojan but a generic backdoor, similar to the short-lived Saigon variant.

"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," the researchers wrote, adding that they believe "The same threat actors who operated the RM3 variant of URSNIF are likely behind [the] LDR4 [variant]. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant - capable of distributing ransomware - that should be watched closely."

"One of the greatest winners of this was the ICEDID malware family, which managed to leverage the shrinking competition on the banking malware landscape, putting RM3 into a difficult position," the Mandiant team wrote, adding it was unusual for URSNIF's ISFB variant - which spawned other variants, including RM3 - to stop getting updates after June 2020.

Then there is the migration to the new strategy - away from banking fraud to being the backdoor for other malware.

"The demise of the RM3 variant earlier this year, and the authors' decisions to make heavy simplifications to their code, including the removal of all banking related features, point toward a drastic change in their previously observed TTPs ," the team wrote.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/21/ursnif_trojan_shift_ransomware/