Research Saturday 12.3.22
Ep 260 | 12.3.22

Old malware returns in a new way.


Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Jeremy Kennelly: Well, initially, it was a discovery made by Sulian and team. So they'd identified this new variant of URSNIF. The team itself has, you know, for a long time, you know, done research into that malware family. And I think that we even had some of the initial research on the last publicly disclosed variant, which was SAIGON, which was fairly short-lived. 

Dave Bittner: Our guests this week are Jeremy Kennelly and Sulian Lebegue from Mandiant. The research is titled "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind." 

Sulian Lebegue: In June 2022, we catch a new campaign wave... 

Dave Bittner: That's Sulian Lebegue. 

Sulian Lebegue: ...With a classic button that it's a classic bank mail, where the content was some human resource recruitments from a company called Michael Page. And Michael Page, for those who are unaware, it was also the same kind of button used by RM3 banking malware. And the thing that catch us, it's - we were supposed to see an RM3 payload for this banking malware. Weirdly, we saw that, on our side, not - our monitoring was unable to identify it. So we did a deeper investigation into it, and we realized that it was a totally new branch of this banking malware. And the fact it was even old - it's - in fact, there was not anymore any banking features inside. But it was just remodeled as a simplified backdoor with very specific purposes. 

Jeremy Kennelly: So this was a distribution campaign we would have previously expected to deliver URSNIF RM3 and instead was delivering this new malware, correct? 

Sulian Lebegue: Exactly. Exactly, exactly. 

Dave Bittner: Can you give us a little bit of the background here? I mean, URSNIF itself has been around for quite a while, yes? 

Sulian Lebegue: Exactly. So basically, URSNIF, if you want to do some archeology stuff, it started in 2006. And there was a time with a lot of upside down - a lot of things happened around the 20 - in the 2010s years. Some stuff goes a bit weird because the code was pitted into two big parts. So we call URSNIF V2 or Gozi V2. And this side was going into a very specific position. And on the same side, the fork called ISFB arrived into the market in 2012, 2013. And this branch is currently the only alive branch from URSNIF. And it seems that this specific branch was - walking into a very unique marketing model. It's like every person that wanted to get part of the code have to pay, it seems, to developing team kind of royalties to have their own specified fork. So all the URSNIF variants that you are seeing since 2013 are - that have a very specific name means it's unique, gone behind - that have all the royalties behind. So if you are hearing, for example, ISFB Dreambots, ISFB IAP, or ISFB RM2 and now and three and (inaudible) four, just basically a very unique gang behind that paid for adding the unique piece of code just for them. 

Dave Bittner: Well, let's dig into the discovery here of LDR4. Can we walk through how someone would find themselves victim of this, and then what happens next? 

Jeremy Kennelly: I can give a brief beginning to this and then, Sulian, you can kind of pick it up if I drop anything. In theory, there's many vectors by which someone could become victim to the malware. The malware itself is transparent to the delivery vector. However, what we ourselves have seen and historically what we've seen with other variants of malware used in a similar fashion is that generally the initial access vector is going to be via email, which is what we saw in this case as well. The one thing that's different, as far as the outcome, is that, you know, following the trend that we've seen across many different malware families previously used for, you know, credential theft or as banking Trojans is that a lot of that functionality has been stripped out. So it's more clear in this case that the users of this malware have shifted to a model where they're likely looking to obtain access to networks rather than specifically looking to harvest credentials or, you know, generate fraudulent banking transactions on victim hosts. 

Dave Bittner: Well, let's walk through the actual behavior here. I mean, if someone finds themselves infected with this - what's going on on their system, and what is it capable of doing? 

Sulian Lebegue: So basically, when you are infected, it's - the first thing it's doing - the malware - is to do some requests that are coded into the payload itself. Some requests are just basically some fingerprinting, checking if it's from a corporate network or no - and so it's a basic system info request. And thanks to this, the malware will push it into the C2 servers, and then the ground behind can do just a simple triage to classifies about as interesting and garbage - I will say like this. So the garbage one will be reselled (ph) into credential harvesting stuff, and the good one will be saved for reselling the machine from little attacks for some ransomware gang. So they would give the bots - they would give the machine to some red-team-affiliated ransomware gang and then starting to do some - you know, some classic stuff for getting access, step-by-step, to the whole - architecture of the whole network of the victim machine. If it's on a corporate network, then trying to do some credential arresting or trying to steal all kind of juicy information. And when it's done, pushing the ransomware - it'll - it says, oh, it's going right now. 

Jeremy Kennelly: I think it's also important to note that, as soon as - you know, effectively, the way this is working is it's opening a door up to the attackers who sort of operate the LDR4 itself. So they have a panel that will allow them to sort of make decisions about how they want to treat that access. And so everything that happens after LDR4 - although, you know, we've certainly seen many consistent trends across the tools and malware and general behavior of the attackers that are engaging in post exploitation, you know, data theft and ransomware operations. You know, it is human-driven at that point. So it's difficult to speak with too much detail about what exactly will happen once they've decided that that access is worth monetizing. But, you know, it will follow a larger trend of these kind of, you know, ransomware intrusions which do, again, follow a similar arc but will be completely dependent to the particular operator. 

Dave Bittner: So this provides the backdoor into the system. And then from there, they can basically run whatever code they choose. Is that accurate? 

Sulian Lebegue: Technically, they can just do very specific command like loading a GLN into the machine victim, starting to do some remote shell activities like starting the - so shared on the machine and do what they want on it. And the last type of command, it's just to run a simple CMD command, like, OK, I want both name code. I want (inaudible) config of the machine. I want (inaudible) machine. It's like - if they have a really simple terminal access on every kind of machine that have this malware instance. 

Jeremy Kennelly: And this - these simple tools effectively give them arbitrary access. But it is a very simple set of tools that this gives them access to. 

Dave Bittner: I see. So what do we make, if anything, of the fact that they've sort of distilled this tool down? As you mention, they've removed some of the banking functionality in here, making this a more simplified tool. Can we - is there anything to be made of that in terms of why they would be doing that? 

Sulian Lebegue: So just to answer this question, you have to understand that for years and years and years, the banking malware was a very lucrative business. And over the years, this lucrative business start to, of course, decline. And the thing is, like, also, over the years, all the banking fraud has been basically monitored. And also, there is a lot of solutions these days for banking customers to help them to counterattack this kind of fraud. So over the years, the bank and the bad guys have gone behind this kind of intimate activities, as their written investments fail or return of investment decreasing. And so they have to find basically more and more skilled people. They need a lot of money, so you have to pay them. Also, you have to pay some money laundry sites. So you have to find some money mules, a manager behind. And then you have to be sure that the money laundering will go on in the correct way. So you have to think that this budget is rising. 

Sulian Lebegue: And on the other side, because this budget is rising, some money behind all this business will decrease. So over the years, it was OK. And it reach at a point - it was not interesting to do it. And with the ransomware coming and rising over the time, they realized that, OK, by removing all this money mule side and all this activity or bad recruiting skilled guy for trying to fraud, they all move everything. And they are just basically now one single thing - try to provide a very specific malware that if I give access to the red team affiliates ransomware gang - and just by having a percentage of getting access just to it to get ransom after deployed is more interesting that all the process I extend before because there is just much less people involved. And somehow, it's - it could be safer for them to have less mistake and also less processes into the pipeline to get the money, clean - to do the money laundry because now it - there is not any money transaction to be do - to be done. It's just cryptocurrency stuff and then just going to any kind of companies that can switch your bitcoin into the currency you want in. The work is done. 

Dave Bittner: I'm curious. So in terms of organizations protecting themselves against this, what are your recommendations? What are some of the best ways to prevent falling victim here? 

Jeremy Kennelly: I think from a high level, not - you know, it doesn't - it hasn't really changed the model overall. This is most notable because it's an evolution of a historically very important, fairly prevalent banking malware, which just, in itself, is following a larger trend. So we've seen, you know, for example, you know, with Dridex and Trickbot, which were highly complex, fully featured, you know, intensely developed banking malware - we didn't see them get rebuilt in exactly this way, but we did see them evolve to get used in this same way. And so I think what this does is it just further highlights an overall trend of malware previously used for banking and now sort of shifting to be, you know, one of the last bastions out there, kind of shifting to a model where it's now, you know, very clearly being intended for - used to provide access. I think, you know, kind of expanding on the previous answer as well a little, I think that, you know, it was also clear that the developers behind RM3 or the - you know, that malware, because of the deprecation of Internet Explorer, which it relied on so heavily for much of its functionality, you know, it was required that they rebuild their ecosystem. 

Jeremy Kennelly: And so this sort of rebuilding process presumably gave them a chance to kind of rethink what their objectives were, what their market is. And, you know, they clearly showed by what they ended up with as a tool here that access is their objective. And kind of pivoting back as far as defending yourself, what to expect, I think that, you know, it's still this stage of the attack. You know, there's lots of sort of generic approaches that a lot of practitioners take, which are still important, you know, around sort of general, you know, network hygiene, ensuring that you have, you know, appropriate defenses at the email layer, that you're detonating payloads. And all of these things still remain important. 

Jeremy Kennelly: But one - you know, I think that from my perspective there - you know, it's once - once they get into the network, that's where we start to see a lot of this activity converge. And so there's - it's also really important that defenders pay attention to sort of not just the way all this activity is highly distinct but the way it is all similar. And so we see lots of use of things like, again, as Sulian stated, Cobalt Strike, Brute Ratel, other attack frameworks like that, you know, common tools for privilege escalation or lateral movement, things like AdFind, things like, you know, common exfiltration traction tools, such as Rclone, you know, legitimate utilities, such as PsExec and Bloodhound. There's lots of sort of common points of - you know, common points that attackers touch networks with that are common across all of this activity. So I think that answering questions about, you know, defense, individual cases like this, is challenging since I think it doesn't significantly change the threat landscape, but it does give us an opportunity to kind of at least highlight the ways that this activity is similar across cases. 

Dave Bittner: Yeah, that's interesting. And I think the bigger picture that you point out here, Jeremy, just that, you know, we are seeing or we have seen this evolution and, I guess, to some degree, some specialization here of, you know, jettisoning the parts of these malware families that are no longer necessary. 

Jeremy Kennelly: It also follows another trend we see, not universally but in cases, I think, where actors are rebuilding their tool kits. We do see them move towards simplicity. So, you know, that's a trend that has actually existed for quite a long time, right? I think even if you look at earlier banking trojans, you know, including RM3 itself, that sort of had a modular plug-in-based architecture where much of the functionality of the malware was loaded post-exploitation or post-execution, I think that, you know, that was sort of one of the early attempts at, you know, simplification. 

Jeremy Kennelly: And I think we see that further here, right? We see a change towards, OK, well, maybe we're not looking for a big piece of malware that can do anything. We're looking to obtain access. And so we will focus on the functionality that allows us to meet that objective. And I think we saw - you know, we saw something also fairly similar with the evolution from - again, this is a different group of cybercriminals. But the shift from using TrickBot to BazarLoader and then, furthermore, a subset of those actors are now using, I think, what's publicly called Bumblebee, or we track as SHELLSTING, where we, again, see a further shift of - you know, sort of from large complex malware families down to smaller, more purpose-built loaders to enable network access when that is the - sort of the core objective. 

Dave Bittner: Our thanks to Jeremy Kennelly and Sulian Lebegue from Mandiant. The research is titled "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup Studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.