URSNIF’s LDR4 variant marks a shift from banking fraud to remote access: it drops the banking modules in favor of VNC and remote shell access on compromised machines. It introduces Windows API call obfuscation, a redesigned configuration/storage structure, and encrypted C2 beacons, and its C2 domain ties the campaign to UK-hosted infrastructure and to the providers Namecheap, Stark Industries Solutions Ltd. and PQ Hosting. #URSNIF #LDR4 #RM3 #EMOTET #TRICKBOT #VNC #C2 #Namecheap #StarkIndustriesSolutions #PQHosting
Keypoints
- LDR4 is a backdoor variant of URSNIF that eliminates banking-focused features and concentrates on gaining remote access (VNC/remote shell).
- The variant adds Windows API call obfuscation by constructing a hash table (JAMCRC32) of exported functions to resolve addresses at runtime.
- Strings and configuration are stored encrypted in the .bss section; they are XOR-decrypted with a key derived from the PE timestamp and section data, and a checksum over the decrypted data is verified before it is used.
- System and User IDs are generated from system state (pagefile/hiberfil creation date) and the current username’s MD5, with a mutex ensuring only one active instance.
- Communication relies on HTTPS POST beacons to C2 servers, with encrypted payloads and a defined query string, and it fetches TASK.BIN to obtain commands.
- Infrastructure details show domain-based C2 (logotep[.]xyz) and hosting relationships (Namecheap, Stark Industries Solutions Ltd., PQ Hosting).
MITRE Techniques
- [T1106] Native API – The malware resolves Windows API calls at runtime using a hashed table of exports to fetch function addresses; “The new LDR4 variant incorporated obfuscation for the Windows API calls. First, it builds a hash lookup table from the export names and addresses of the Windows modules used by the malware … that maps the JAMCRC32 checksum … to their respective virtual addresses in memory.”
- [T1071.001] Web Protocols – Beacons are sent via HTTPS POST to C2 with encrypted payloads; “The beacon request’s query string uses the following format” and “POST requests over HTTPS, with beacon URLs ending in /index.html.”
- [T1059.003] Windows Command Shell – The RunCommand option executes in a separate thread with output redirected to a temporary file; embedded commands include “echo Commands” and “dir.”
- [T1055] Process Injection – The malware launches its main communication thread via QueueUserAPC(). Note the caveat: an APC queued to a thread in the malware’s own process is a control-flow trick, not cross-process injection; the APC-injection sub-technique (T1055.004) applies only when the APC is queued into another process, which the page does not describe.
- [T1027] Obfuscated/Compressed Files or Information – The code uses obfuscation for Windows API calls to hinder analysis.
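The API-hash resolution described in the fourth keypoint and under T1106, as an added example (not code from the page or from Mandiant): a JAMCRC32 implementation, the runtime hash-to-address table a loader like LDR4 builds from export names, and the reverse table an analyst precomputes to turn hashes seen in a disassembly back into API names. The export table, module names and addresses are constructed stand-ins; real ones come from walking a loaded module’s PE export directory.

```python
"""Added example: JAMCRC32 API hashing and hash-to-name recovery.

JAMCRC32 is the reflected CRC-32 (polynomial 0xEDB88320, initial value
0xFFFFFFFF) without the final XOR with 0xFFFFFFFF that ordinary CRC-32
applies, so JAMCRC32(x) == ~CRC32(x) & 0xFFFFFFFF.
"""
import zlib


def jamcrc32(data: bytes) -> int:
    """JAMCRC32 via zlib: the bitwise NOT of the standard CRC-32."""
    return (~zlib.crc32(data)) & 0xFFFFFFFF


# Constructed stand-in for module export tables (name -> virtual address).
# A real loader walks the PE export directory of each loaded module.
FAKE_EXPORTS = {
    "kernel32.dll": {
        "CreateFileW": 0x7FF800001000,
        "QueueUserAPC": 0x7FF800002000,
        "CreateMutexW": 0x7FF800003000,
    },
    "wininet.dll": {
        "HttpSendRequestW": 0x7FF900001000,
    },
}


def build_hash_table(exports: dict) -> dict:
    """Malware side: map JAMCRC32(export name) -> address at runtime,
    so the binary never has to carry the API name as a string."""
    table = {}
    for names in exports.values():
        for name, addr in names.items():
            h = jamcrc32(name.encode("ascii"))
            # Two exports hashing to the same value would shadow each other;
            # raise instead of silently overwriting.
            if h in table and table[h] != addr:
                raise ValueError(f"hash collision on {name!r} ({h:#010x})")
            table[h] = addr
    return table


def resolve(table: dict, name: str):
    """Look up an API the way an obfuscated call site does: by hash."""
    return table.get(jamcrc32(name.encode("ascii")))


def build_rainbow(names) -> dict:
    """Analyst side: precompute hash -> name for a list of known export
    names so constants found in a sample can be labelled."""
    return {jamcrc32(n.encode("ascii")): n for n in names}


if __name__ == "__main__":
    table = build_hash_table(FAKE_EXPORTS)
    print(f"QueueUserAPC -> {resolve(table, 'QueueUserAPC'):#x}")
    rainbow = build_rainbow(n for m in FAKE_EXPORTS.values() for n in m)
    for h, n in sorted(rainbow.items()):
        print(f"{h:#010x}  {n}")
    # The same transform covers the task-file name the page mentions.
    print(f"JAMCRC32('TASK.BIN') = {jamcrc32(b'TASK.BIN'):#010x}")
```

Because JAMCRC32 is only CRC-32 minus its final XOR, any CRC-32 library can be reused with the one-line complement above; feeding it the export lists of kernel32.dll, ntdll.dll and wininet.dll produces a lookup table that labels the hash constants seen at the sample’s call sites, and running the block also prints the hash of the uppercase filename TASK.BIN for comparison with the value listed under Indicators of Compromise.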
Indicators of Compromise
- [Domain] logotep[.]xyz – C2/beacon domain used by the infrastructure
- [File] TASK.BIN – task file fetched from the C2 to obtain commands; its uppercase filename hashes to 0x8fd8a91e (JAMCRC32)
- [Hash] 0x3e3edc47 – CRC/checksum associated with the TASK.BIN contents
Read more: https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud