CyberWire Daily - Old malware returns in a new way. [Research Saturday]

Episode Date: December 3, 2022

Jeremy Kennelly and Sulian Lebegue from Mandiant sit down with Dave to discuss their research "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind?" One of the oldest and most successful banking fraud malware families, URSNIF, which caused an estimated “tens of millions of dollars in losses”, has been discovered by researchers to have been re-tooled into a generic backdoor, dubbed “LDR4”. This new variant was first observed in June 2022. Mandiant researchers believe that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. They say "given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely." The research can be found here: From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts,
Starting point is 00:01:08 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Well, initially, it was a discovery made by Sulian and team. So they had identified this new variant of URSNIF. The team itself has, you know, for a long time, you know, done research into that malware family. And I think that we even had some of the initial research on the last publicly disclosed variant, which was Saigon, which was fairly short-lived.
Starting point is 00:01:49 Our guests this week are Jeremy Kennelly and Sulian Lebegue from Mandiant. The research is titled From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind. In June 2022, we caught a new campaign wave. That's Sulian Lebegue. It was a classic big mail where the content was some human resource recruitment from a company called Michael Page. And Michael Page, for those who are unaware, it was also the same kind of pattern used by the RM3 banking malware. And the thing that caught us,
Starting point is 00:02:46 it's we were supposed to see an RM3 payload for this banking malware. Weirdly, we saw that on our side, our monitoring was not able to identify it. So we did a deeper investigation into it and we realized that it was a totally new branch of this banking malware.
Starting point is 00:03:11 And the fact is, it was even odd: in fact, there were not any banking features inside anymore, but it was just remodeled as a simplified backdoor with very specific purposes. So this was a distribution campaign we would have previously expected to deliver URSNIF RM3 and instead was delivering this new malware, correct?
Starting point is 00:03:37 Exactly. Can you give us a little bit of the background here? I mean, URSNIF itself has been around for quite a while, yes? Exactly. So basically, URSNIF, if you want to do some archaeology stuff, it started in 2006. And over the time, with a lot of upside down, a lot of things happened around the 20... in the 2010s, yes, some stuff goes
Starting point is 00:04:12 a bit weird because the code was split into two big parts. So we call URSNIF v2 or Gozi v2. And this side was going into a very specific position. And on the same side, a fork called ISFB arrived into the market in 2012, 2013. And this branch is currently the only live branch from URSNIF. And it seems that this specific branch was working into a very unique marketing model. It's like every person that wanted to get part of the code had to pay, it seems, the developing team kind of royalties to have their own specified fork.
Starting point is 00:05:09 So all the URSNIF variants that you are seeing since 2013 that have a very specific name means it's a unique gang behind that have all the royalties behind. So if you are hearing, for example, ISFB Dreambot, ISFB IAP, or ISFB RM2 and RM3 and LDR4, they are just basically a very unique gang behind that paid for having their unique piece of code just for them. Well, let's dig into this discovery here of LDR4. Can we walk through how someone would find themselves victim of this and then what happens next? I can give a brief beginning to this and then Sulian, you can kind of pick it up if I drop anything. In theory, there's many vectors by which someone could become victim to the malware.
Starting point is 00:06:06 The malware itself is transparent to the delivery vector. However, what we ourselves have seen and historically what we've seen with other variants of malware used in a similar fashion is that generally the initial access vector is going to be via email, which is what we saw in this case as well. The one thing that's different as far as the outcome is that following the trend that we've seen across many different malware families previously used for credential theft or as banking trojans, is that a lot of that functionality has been stripped out. So it's more clear in this case that the users of this malware have shifted to a model where they're likely looking to obtain access to networks rather than specifically looking to harvest credentials or generate fraudulent banking transactions on victim hosts. Well, let's walk through the actual behavior here.
Starting point is 00:07:07 I mean, someone finds themselves infected with this. What's going on on their system, and what is it capable of doing? So basically, when you are infected, the first thing the malware is doing is some requests that are encoded into the payload itself. The requests are just basically some fingerprinting, checking if it's from a corporate network or not. And so it's a basic system info request. And thanks to this,
Starting point is 00:07:39 the malware will push it into the C2 servers, and then the gang behind can do just a simple triage to classify the bot as interesting or garbage, I would say like this. So the garbage one will be resold into credential harvesting stuff, and the good one will be set for reselling the machine for lateral attacks for some ransomware gangs.
Starting point is 00:08:11 So they would give the machine to some red team affiliates ransomware gang and then starting to do some, you know, the classic stuff for getting access step by step to the whole architecture of the whole network of the victim machine. If it's on the corporate network, then trying to do some credential harvesting or trying to steal all kinds of juicy information, and when it's done, pushing the ransomware payload. This is how it's going right now. I think it's also important to note that, as soon as, you know, effectively the way this is working is it's opening a door up to the attackers who sort of operate a loader for itself, so they have a panel that will allow them to sort
Starting point is 00:09:06 of make decisions about how they want to treat that access. And so everything that happens after Loader4, although we've certainly seen many consistent trends across the tools and malware and general behavior of the attackers that are engaging in post-exploitation data theft and ransomware operations. It is human-driven at that point. So it's difficult to speak with too much detail about what exactly will happen once they've decided that that access is worth monetizing. It will follow a larger trend of these kind of ransomware intrusions, which do, again, follow a similar arc, but will be completely dependent to the particular operator.
Starting point is 00:10:53 So this provides the backdoor into the system and then from there,
Starting point is 00:11:28 they can basically run whatever code they choose. Is that accurate? Technically, they can just do very specific commands like loading a DLL into the victim machine, starting to do some remote shell activities like starting the shell on the machine and do what they want on it. And the last type of command is just to run a simple cmd command like, okay, I want the hostname code, I want the ipconfig of the machine, I want the host name of the machine. It's like they have a really simple terminal access on every kind of machine that has this malware installed. And these simple tools effectively give them arbitrary access.
Starting point is 00:12:20 But it is a very simple set of tools that this gives them access to. I see. So what do we make, if anything, of the fact that they've sort of distilled this tool down? As you mentioned, they've removed some of the banking functionality in here, making this a more simplified tool. Is there anything to be made of that in terms of why they would be doing that? So just to answer this question, you have to understand that for years and years and years,
Starting point is 00:12:59 the banking malware was a very lucrative business. And over the years, this lucrative business started to, of course, decline. And the thing is, like, also, over the years, all the banking fraud has been basically monitored. And also, there is a lot of solutions these days for banking customers to help them to counterattack this kind of fraud. So over the years, the bad guys or the gang behind this kind of activities have their return of investments decreasing. And so they have to find basically more and more skilled people.
Starting point is 00:13:43 They need a lot of money, so you have to pay them. Also you have to pay the money laundering side, so you have to find some money mules, a manager behind, and then you have to be sure that the money laundering will go on in the correct way. So you have to think that this budget is rising. And on the other side, because this budget is rising, the money behind all this business will decrease. So over the years, it was okay. And it reached a point where it was not interesting to do it.
Starting point is 00:14:24 And with the ransomware coming and rising over the time, they realized that, okay, by removing all this money mule side and all this activity about recruiting skilled guys for trying to fraud, they removed everything and they have just basically now one single thing. Try to provide a very specific malware that gives access to the red team affiliate ransomware gang. And just by having a percentage of getting access to it to get the ransom after deployed is more interesting than all the process I explained before.
Starting point is 00:15:04 Because there is just much less people involved, and somehow it could be safer for them to have less mistakes and also less processes into the pipeline to get the money clean or to do the money laundering, because now there is not anymore any transaction to be done. It's just cryptocurrency stuff, and then just going to any kind of companies that can switch your Bitcoin into the currency you want, and the work is done. I'm curious.
Starting point is 00:15:53 So in terms of organizations protecting themselves against this, what are your recommendations? What are some of the best ways to prevent falling victim here? I think from a high level, it hasn't really changed the model overall. This is most notable because it's an evolution of a historically very important, fairly prevalent banking malware, which just in itself is following a larger trend. So we've seen for example, with Dridex and TrickBot, which were highly complex, fully featured, intensely developed banking malware.
Starting point is 00:16:30 We didn't see them get rebuilt in exactly this way, but we did see them evolve to get used in this same way. further highlights an overall trend of malware previously used for banking now sort of shifting to be one of the last bastions out there, kind of shifting to a model where it's now very clearly being intended for use to provide access. I think kind of expanding on the previous answer as well a little, I think that, you know, it was also clear that the developers behind RM3 or the, you know, that malware,
Starting point is 00:17:16 because of the deprecation of Internet Explorer, which it relied on so heavily for much of its functionality, you know, it was required that they rebuild their ecosystem. And so this sort of rebuilding process presumably gave them a chance to kind of rethink what their objectives were, what their market is. And, you know, they clearly showed by what they ended up with as a tool here that access is their objective. And kind of pivoting back as far as defending yourself, what to expect. I think that it's still this stage of the attack. There's lots of sort of generic approaches that a lot of practitioners take,
Starting point is 00:18:00 which are still important, around, you know, sort of general, you know, network hygiene, ensuring that you have, you know, appropriate defenses at the email layer, that you're detonating payloads, and all of these things still remain important. But one, you know, I think that from my perspective, there, you know, it's once they get into the network, that's where we start to see a lot of this activity converge. And so it's also really important that defenders pay attention to not just the way this activity is highly distinct, but the way it is all similar. And so we see lots of use of things like, again, as Sulian stated, Cobalt Strike, Brute Ratel, other attack frameworks like that, common tools for privilege escalation or lateral movement, things like AdFind, things like common exfiltration tools such as Rclone, you know, legitimate utilities such as PsExec and BloodHound. There's lots of sort of common points of, you know, common points that attackers touch networks with that are common across all of this activity.
Starting point is 00:19:19 So I think that answering questions about, you know, defense, individual cases like this is challenging, since I think it doesn't significantly change the threat landscape, but it does give us an opportunity to kind of at least highlight the ways that this activity is similar across cases. Yeah, that's interesting. And I think the bigger picture that you point out here, Jeremy, just that we are seeing or we have seen this evolution and I guess to some degree some specialization here of jettisoning the parts of these malware families that are no longer necessary. It also follows another trend we see, not universally,
Starting point is 00:20:04 but in cases I think where actors are rebuilding their toolkits, we do see them move towards simplicity. So that's a trend that has actually existed for quite a long time. I think even if you look at earlier banking trojans, including RM3 itself, that sort of had a modular plugin-based architecture where much of the functionality of the malware was loaded post-exploitation or post-execution. I think that that was sort of one of the early attempts at simplification, and I think we see that further here. We see a change towards, okay, well, maybe we're not looking for a big piece of malware that can do anything.
Starting point is 00:20:44 We're looking to obtain access. And so we will focus on the functionality that allows us to meet that objective. And I think we saw something also fairly similar with the evolution from, again, this is a different group of cyber criminals. But the shift from using TrickBot to BazarLoader, and then furthermore, a subset of those actors are now using, I think, what's publicly called Bumblebee or we track as Shellsting, where we again see a further shift of, you know, sort of from large, complex malware families down to smaller, more purpose-built loaders to enable network access when that is the sort of the core objective. Our thanks to Jeremy Kennelly and Sulian Lebegue from Mandiant. The research is titled From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind. We'll have a link in the show notes.
Starting point is 00:22:31 Thanks for listening. We'll see you back here next week.
