CyberMoransđ€
From its humble beginnings, Gozi â Similarly to Emotetđ€ â grew into a multi-module, multi-purpose malicious platform, and many of the modern derivatives of Kuzminâs original work are still being actively used in malicious campaigns as of 2021â ïž Thatâs 14 years of activity â several times the average lifespan of a malware brandđ°
Also known as reambot, CRM, and SnifuRM3, ISFB, Ursnif, Dla, Gozi can be considered as a group of malware families which are based on the same malicious codebaseđ€ Historically, it has been known as one of the most widely spread and longest-standing Banking Trojans with more than 14 years of activityđš
A new version of the Gozi malwaređ (a.k.a. Ursnif) emerged as a generic backdoor, stripped of its typical banking trojan functionality. These changes could indicate that the operators of the new version are focusing on distributing ransomwaređ
Codenamed âLDR4,â the new variant was spotted on June 23, 2022, by researchers at incident response company Mandiant, who believe that it's being distributed by the same actors that maintained the RM3 version of the malware over the past yearsđ„
The New Gozi campaignđ€
The Ursnif LDR4 variant is delivered via fake job offer emails containing a link to a website that impersonates a legitimate company. This tactic of posing as a job recruiters is not new for the Gozi gang, who has has used this strategy before.
Visitors of the malicious site are requested to solve a CAPTCHA challenge to download an Excel document with macro code that fetches the malware payload from a remote resourceđ
đThe malicious Excel document used in the current campaign (Mandiant)
The LDR4 variant comes in DLL form (âloader.dllâ) and is packed by portable executable crypters and signed with valid certificatesđźââïž. This helps it evade detection from security tools on the systemđ„·
Mandiantâs analysts dissecting LDR4 noticed that all banking features have been removed 𩮠from the new Ursnif variant and its code has been cleaned and simplified.
Backdoor erađ€
Upon execution, the new Ursnif collects system service data from the Windows registry and generate a user and a system ID. Next, it connects to the command and control server using an RSA key available in the configuration fileđ§ Then it attempts to retrieve a list of commands to execute on the hostđ
đPOST request sent by Ursnif to the C2 server (Mandiant)
The commands supported by the LDR4 variant are the followingđ
đ Load a DLL module into the current process
đ Retrieve the state of the cmd.exe reverse shell
đ Start the cmd.exe reverse shell
đ Stop the cmd.exe reverse shell
đ Restart the cmd.exe reverse shell
đ Run an arbitrary command
đ Terminate
The built-in command shell system that uses a remote IP addressđ€ to establish a reverse shell isnât new, but now it is embedded into the malware binary instead of using an additional module, as did the previous variants. The plugin system has also been eliminated, as the command to load a DLL module into the current process can extend the malwareâs capabilities as neededđ
With the latest version, Gozi LDR4 operatorsđ appear to have improved the code for a more specific task, that of an initial compromise tool that opens the door for other malware. Mandiant notes that ransomware operations is likely the direction the developers are heading to, as researchers identified on an underground hacker community a threat actor looking for partnersđ to distribute ransomware and the RM3 version of Ursnif/Goziđ„
Sourced: Bleepingcomputer
Conclusion đ€
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware and the technical aspect of vulnerabilities as well as how an attacker may use this vulnerability as an attack vector and other Infosec stuff...đ
Morans,
Thank you for your time, Like and leave a comment/review and as always, stay awesome! đđ đȘ