Updated on 2022-12-15: When doxxing a cybercrime group pays off
An anonymous Twitter account doxxed members of the URSNIF malware operation, apparently in a plain old extortion attempt. The account outed three of URSNIF’s members before being paid off. “I just made more money in a single week than I have made in years. Pay workers right and they won’t have a reason to leak s***”, the account tweeted.
I just made more money in a single week than I have made in years.
Pay workers right and they wont have a reason to leak shit.
— URSNIFleak (@URSNIFleak) December 9, 2022
Updated on 2022-10-24: More on URSNIF (Gozi/IFSB)
After Mandiant’s report last week on URSNIF and its pivot from a banking trojan to a modular backdoor malware, CSIS researchers will also publish on Monday a report on the malware’s technical underlayers and the gang behind it. Read more: From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
Overview: URSNIF goes from banking trojan to backdoor, dreaming of ransomware profits
Researchers from security firm Mandiant have reported this week that URSNIF (aka Gozi, or Gozi/IFSB), one of the oldest and last few remaining banking trojan operations that were still active this year, has completely ditched its banking fraud-related features and now appears to operate as a basic backdoor trojan, the type of barebones malware typically used in Access-as-a-Service (AaaS) schemes that rent access to compromised devices.
According to Mandiant, the change took place earlier this year, in June, when URSNIF developers started distributing a new URSNIF version tracked under a codename of LDR4.
Mandiant cites several reasons for URSNIF’s new radical redesign. At least two leaks of its codebase, multiple branches of the same codebase that had slowly diverged and were making it harder to support features across different botnets, but also an ancient codebase that had finally reached the end of the road when IE was removed from Windows.
“In June 2022, with Internet Explorer finally being fully removed from Microsoft Windows, the RM3 variant was officially seen as a “dead” malware from a technical point of view, as RM3 was reliant on this browser for some of its critical network communication.”
Honestly, it’s a surprise that URSNIF lasted this long still operating on a banking trojan model. It had become obvious in the mid-2010s that the banking malware scene was dying, at least on the desktop.
Banks, tired of a decade of heists from customer accounts, had rolled out advanced multi-factor authentication and transaction verification systems. While not foolproof, these systems did their job and made it more time-consuming for banking malware operators to steal money from compromised accounts.
Today, it’s very hard to list a banking trojan off the top of my head and without googling it first.
Emotet and TrickBot converted their codebases from banking trojans to generic modular backdoors back in 2016, being some of the first to do so. Even if they kept their banking modules around, Dridex and Qbot also followed suit in subsequent years.
The driving force behind this shift in malware economics was the rise of ransomware and enterprise network big-game hunting. As ransomware operators realized they could extort an obscene amount of money from companies and government networks, they started to look for ways into these networks.
This initially led to the rise of a market for initial access brokers, smaller threat actors that typically exploited corporate networking and server gear, where they planted backdoors and then sold access to these systems to ransomware gangs and their affiliates.
EvilCorp was the first major botnet operator to realize they could use their banking trojan to drop ransomware inside the thousands of corporate networks they had at their disposal through the Dridex botnet and even launched internal teams to write and deploy their own internal forms of ransomware.
Because Dridex operated on a closed model, providing limited access to their botnet to only a handful of very carefully vetted operators, Emotet, and later TrickBot, cornered the market in MaaS services working with ransomware gangs.
Once law enforcement cracked down on the two, IcedID and Qbot stepped in as handy replacements after years of slowly growing in their shadows.
The world of underground malware is not that hard to understand if we dispel all the CTI mumbo-jumbo and we are really honest. It’s all about the minimum amount of work you can perform for the largest profit. Banking/carding is now hard, thanks to banks, and ransomware is easy, thanks to a bazillion reasons.
There are literally no good reasons to run a banking botnet these days, especially one as old and complicated as URSNIF, when you can just manage a simple backdoor, spam bored corporate employees until they infect themselves, and then sell access to ransomware or cryptomining gangs for a cut of the profits.
But enough explaining basic cybercrime economics. What this means going forward for the readers of this newsletter, many of which are most likely tasked with defending networks, is that URSNIF infections now need to be treated with the same urgency as we once used to treat Emotet and Trickbot. Once it’s in your network, you need to get it out ASAP, as you never know when that infected system might end up deploying ransomware to your network. If we take stats from previous IR reports, this might be somewhere from 30 minutes and up to an hour. Sure, Mandiant hasn’t linked any URSNIF incident with a confirmed ransomware attack, but the writing’s on the wall as clear as day.