{"id":48957,"date":"2022-10-21T10:28:06","date_gmt":"2022-10-21T10:28:06","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/"},"modified":"2022-10-21T10:28:06","modified_gmt":"2022-10-21T10:28:06","slug":"good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/","title":{"rendered":"Good news, URSNIF no longer a banking trojan. Bad news, it&#8217;s now a backdoor"},"content":{"rendered":"<p>URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims&#8217; Windows PCs, is evolving to support extortionware.<\/p>\n<p>As one of the oldest banking trojans \u2013 dating back to the mid-2000s \u2013 the software nasty has a number of variants and been given a few monikers, including URSNIF, Gozi, and ISFB. It&#8217;s crossed paths with other malware families, had its source code leaked twice since 2016 and, according to Mandiant, is now less a single malware family than a &#8220;set of related siblings.&#8221;<\/p>\n<p>It&#8217;s also seen its alleged masterminds get hauled into US courts. 
The last of them was <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/07\/20\/alleged_gozi_malware_cio_extradited\/\" rel=\"noopener\">extradited<\/a> this year from Colombia, where he fled after being released on bail following his arrest in Romania in 2012.<\/p>\n<p>Whoever&#8217;s still behind URSNIF is following the path worn by developers of other malware families, such as <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/06\/10\/emotet-malware-chrome-credit-cards\/\" rel=\"noopener\">Emotet<\/a>, <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cisecurity.org\/insights\/blog\/trickbot-not-your-average-hat-trick-a-malware-with-multiple-hats\">TrickBot<\/a>, and Qakbot, which shed their banking-info-stealing pasts to become backdoors on infected machines that can be used by miscreants to deliver ransomware and data-stealing payloads.<\/p>\n
<p>In a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.mandiant.com\/resources\/blog\/rm3-ldr4-ursnif-banking-fraud\">report<\/a> this week, Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez wrote that a strain of URSNIF&#8217;s RM3 version is no longer a banking trojan but a generic backdoor, similar to the short-lived <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.mandiant.com\/resources\/blog\/saigon-mysterious-ursnif-fork\">Saigon<\/a> variant.<\/p>\n<p>This backdoor can be used to run ransomware, data exfiltration, and other horrible crap on compromised computers.<\/p>\n
<p>&#8220;This is a significant shift from the malware&#8217;s original purpose to enable banking fraud, but is consistent with the broader threat landscape,&#8221; the researchers wrote, adding that they believe &#8220;the same threat actors who operated the RM3 variant of URSNIF are likely behind [the] LDR4 [variant]. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant \u2013 capable of distributing ransomware \u2013 that should be watched closely.&#8221;<\/p>\n<p>Ransomware \u2013 and now <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/10\/09\/extortion_ransomware_threats_category\/\" rel=\"noopener\">data extortion<\/a>, where attackers steal files from victims and threaten to leak them if money demanded isn&#8217;t paid \u2013 is just everywhere now. 
Threat intelligence firm Intel 471 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/intel471.com\/resources\/whitepapers\/leading-ransomware-variants-q3-2022\">spotted<\/a> more than 1,500 ransomware infections in the first three quarters of this year alone.<\/p>\n<p>A ransomware attack can cost companies and their insurers millions of dollars, so it&#8217;s not surprising that established cyber-crime crews would move in that direction. URSNIF, with its latest LDR4 variant, appears to be doing just that.<\/p>\n<p>Mandiant first detected LDR4 in the wild on June 23 after analyzing a suspicious email that resembled the messages used by RM3 from a year earlier. In the email is a link to a malicious website that redirects the victim to a site made to look like a legitimate business, complete with a <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/09\/28\/cloudflares_new_captcha_killer_enters\/\" rel=\"noopener\">CAPTCHA<\/a> challenge to download a Microsoft Excel document supposedly related to the email&#8217;s contents. 
If the email is about a job offer, the document is said to have information regarding that.<\/p>\n<p>Clicking on the document leads to the download and execution of the LDR4 payload, once the mark follows the given instructions to run macros within the file.<\/p>\n<p>&#8220;One of the most noticeable things during the analysis was that the developers had simplified and cleaned up various parts of the code, compared to previous variants,&#8221; the researchers wrote. &#8220;Most notably, its banking features were totally scrapped.&#8221;<\/p>\n<p>URSNIF, in its time as a banking malware, caused a lot of problems for financial services institutions and their customers. When Mihai Ionut Paunescu, a 37-year-old Romanian accused of creating URSNIF, was extradited to America, US law enforcement officials said the malware had infected more than a million Windows computers around the globe, including in the United States. 
They estimated that it caused tens of millions of dollars in losses to government agencies, organizations, and individuals.<\/p>\n<p>PC users in countries including Germany, Great Britain, Poland, Italy, and Turkey were also hit by the malware, which could log a victim&#8217;s keystrokes and steal credentials to get into their online bank accounts.<\/p>\n<p>However, in 2020, the RM3 variant began to struggle. Its distribution and backends, particularly in Europe, collapsed, and it then failed to take advantage of the disruptions sustained by TrickBot and Emotet to increase its use.<\/p>\n<p>&#8220;One of the greatest winners of this was the ICEDID malware family, which managed to leverage the shrinking competition on the banking malware landscape, putting RM3 into a difficult position,&#8221; the Mandiant team wrote, adding it was unusual for URSNIF&#8217;s ISFB variant \u2013 which spawned other variants, including RM3 \u2013 to stop getting updates after June 2020.<\/p>\n<p>&#8220;Some researchers hypothesized that the only way for this banking malware to return was to do some major refurbishing of its code.&#8221;<\/p>\n<p>The final blow to RM3 came in June, when Microsoft <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/06\/16\/internet_explorer_celebration\/\" rel=\"noopener\">removed<\/a> Internet Explorer from Windows. 
The variant was reliant on that browser for its network communication.<\/p>\n<p>The Mandiant analysts called LDR4 a &#8220;mix of code refactoring, regressions and interesting simplification strategies.&#8221; It no longer uses the custom PX executable format that first came with RM3, and a steganography tool called FJ.exe that was used in ISFB to hide multiple files in a single payload is either gone or reworked.<\/p>\n<p>Then there is the migration to the new strategy \u2013 away from banking fraud to being the backdoor for other malware.<\/p>\n<p>&#8220;The demise of the RM3 variant earlier this year, and the authors&#8217; decisions to make heavy simplifications to their code, including the removal of all banking related features, point toward a drastic change in their previously observed TTPs [tactics, techniques, and procedures],&#8221; the team wrote.<\/p>\n<p>&#8220;These shifts may reflect the threat actors&#8217; increased focus towards participating in or enabling ransomware operations in the future.&#8221;<\/p>\n<p>This was supported when Mandiant analysts saw a cybercriminal in underground communities this year looking for partners to distribute new ransomware and the RM3 variant, which is similar to LDR4. 
\u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2022\/10\/21\/ursnif_trojan_shift_ransomware\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>And one designed to slip ransomware and data-stealing code onto infected machines URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims&#8217; Windows PCs, is evolving to support extortionware.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-48957","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Good news, URSNIF no longer a banking trojan. Bad news, it&#039;s now a backdoor 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Good news, URSNIF no longer a banking trojan. Bad news, it&#039;s now a backdoor 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-21T10:28:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Good news, URSNIF no longer a banking trojan. 
Bad news, it&#8217;s now a backdoor\",\"datePublished\":\"2022-10-21T10:28:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/\"},\"wordCount\":963,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/\",\"name\":\"Good news, URSNIF no longer a banking trojan. 
Bad news, it's now a backdoor 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2022-10-21T10:28:06+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity 
News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Good news, URSNIF no longer a banking trojan. 
Bad news, it&#8217;s now a backdoor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,
\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/","og_locale":"en_US","og_type":"article","og_title":"Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-10-21T10:28:06+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Good news, URSNIF no longer a banking trojan. 
Bad news, it&#8217;s now a backdoor","datePublished":"2022-10-21T10:28:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/"},"wordCount":963,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/","url":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/","name":"Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2022-10-21T10:28:06+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y1J4MrNCnFVeGjPmEPz3IAAAAEQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/good-news-ursnif-no-longer-a-banking-trojan-bad-news-its-now-a-backdoor\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Good news, URSNIF no longer a banking trojan. 
Bad news, it&#8217;s now a backdoor"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\
/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48957","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=48957"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48957\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=48957"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=48957"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=48957"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}