
URSNIF – From RM3 to LDR4 Leaves Banking Fraud Behind

Propelex team, January 26, 2023 - 3 minute read

The banking malware family URSNIF has been around for over ten years, and it has been experiencing major changes in recent years. While this banking malware was initially associated with Haxdoor in the mid-2000s, it has gone through some interesting twists. In the mid-2010s, it was considered dead, but RM3 took its place. These two banking malware families have often intertwined. Today, RM3 is used as a mule ecosystem. There are multiple variants of URSNIF, each with its own unique name. While these variants have different names and royalties attached to them, they use the same two commands to perform various functions.

RM3

The RM3 variant is the most advanced branch of the ISFB malware family. It is designed to work with PX payloads, which are only used with banking malware. It uses Internet Explorer as its network communication method. Moreover, it has a remote shell that can be used to push other specialised tools. However, this flexibility can limit the impact of the malware. It is also important to note that RM3 is based on XLM 4.0 macros and is dependent on Excel document attachments to send commands and data. It is believed that it was last distributed via UNC2420 in April 2022. The newer LDR4 variant of URSNIF leaves banking fraud behind and focuses on a more generic backdoor strategy.

LDR4

Earlier URSNIF variants were not obfuscated, but with the new LDR4 variant, the malware has been refactored to use code obfuscation techniques. For example, several of the LDR4 variant's decoy functions use random numbers for their values. This helps avoid overcomplicating troubleshooting. In addition, it incorporates obfuscation techniques for Windows API calls.

Unlike previous versions, the LDR4 version of URSNIF includes a checksum value in the table to quickly retrieve the function address. In addition, it restructures the data structure of joined files. The new data format makes it possible to map JAMCRC32 checksums to virtual addresses in memory, which in turn makes it possible to analyze the structure of the malware. In other words, it can be very easy to reverse engineer the LDR4 version of the malware.
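The checksum-to-address table described above (and the Windows API call obfuscation mentioned under LDR4) is exactly what an analyst has to undo when a sample stores only hashes instead of import names. The Python below is an added example written for this post; it is not code from the original article or from any URSNIF sample. It implements JAMCRC32 (CRC-32 with the standard reflected polynomial 0xEDB88320, initial value 0xFFFFFFFF and no final XOR, so it is the bitwise complement of the usual CRC-32), precomputes checksums for a list of common Windows export names, and resolves a constructed list of checksums back to names. It assumes the checksum is computed over the plain ASCII export name; the post does not state the exact input convention, so the `normalize` hook is a hypothetical place to try variants such as lower-casing when a sample's values do not match.

```python
import zlib

# Reflected CRC-32 polynomial (IEEE 802.3); JAMCRC uses the same table.
_POLY = 0xEDB88320
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = ((c >> 1) ^ _POLY) if (c & 1) else (c >> 1)
    _TABLE.append(c)


def jamcrc32(data: bytes) -> int:
    """JAMCRC32: CRC-32 with init 0xFFFFFFFF and NO final XOR.

    Check value for b"123456789" is 0x340BC6D9 (standard CRC-32 gives
    0xCBF43926; the two differ by a bitwise complement).
    """
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc  # deliberately no final ^ 0xFFFFFFFF


def crc32_ieee(data: bytes) -> int:
    """Standard CRC-32, derived from JAMCRC by applying the final XOR."""
    return jamcrc32(data) ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check: our table-driven CRC must agree with zlib.crc32."""
    return crc32_ieee(data) == zlib.crc32(data)


# Constructed list of common export names an analyst would precompute.
# This is a sample, not a list taken from the post or from a sample.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessW", "WriteProcessMemory", "CreateRemoteThread",
    "InternetOpenA", "InternetConnectA", "HttpSendRequestA",
]


def build_hash_table(names, normalize=None):
    """Map JAMCRC32(name) -> name. `normalize` is a hypothetical hook for
    trying other hashing conventions (e.g. str.lower) if values don't match."""
    table = {}
    for name in names:
        key = name if normalize is None else normalize(name)
        h = jamcrc32(key.encode("ascii"))
        if h in table and table[h] != name:
            raise ValueError(f"checksum collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_checksums(checksums, table):
    """Resolve checksums recovered from a sample's lookup table back to
    export names; unknown values are reported rather than guessed."""
    return {h: table.get(h, "UNKNOWN") for h in checksums}


if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    # Constructed input: two checksums we know, one we do not.
    found = [jamcrc32(b"VirtualAlloc"), jamcrc32(b"InternetOpenA"), 0xDEADBEEF]
    for h, name in resolve_checksums(found, table).items():
        print(f"0x{h:08X} -> {name}")
```

In practice the list of names would be the full export tables of the DLLs of interest, and the resolved names become the import list that the obfuscation was hiding; an unresolved value usually means either a name outside the precomputed set or a different hashing convention, which is where the `normalize` hook comes in.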

The LDR4 variant of URSNIF introduces several refactorings and simplifications. It no longer uses a custom PX executable format, but a hash lookup table. It also restructures the way base64 beacons are sent. Originally, these beacons were stored as POST requests. Since they are now sent as data, they can be analyzed more easily. The LDR4 version has also introduced a new data structure for joined files. This data structure is used to merge strings with the encrypted .bss.

Despite the change in URSNIF, TAs are still maintaining their C&C infrastructure. In fact, some of these TAs are doing so even though they are not delivering any campaigns. They are still managing the bots, inspecting them, and performing fraud on interesting targets. This could be an indication that a change in their working pattern has occurred. In addition, RM3 controllers who are not delivering any new campaigns are still delivering updates to the bots they manage. They may be performing stealth operations to prevent detection and reduce the risk of a successful attack.
