After an eight-month pause, the Ramnit Trojan has resurfaced with two new live attack servers and a new command and control (C&C) server, IBM researchers reveal.
Spotted in 2010 as a self-replicating worm, Ramnit has evolved significantly since its developers decided to morph it into a banking Trojan. In 2011, the malware gained on-the-fly data theft capabilities and webinjections borrowed from the leaked Zeus source code. Ever since, Ramnit has been an active banking Trojan, packing remote control capabilities and extensive target lists.
The operation, disrupted in February 2015 by technology companies and European law enforcement, resumed last December. After a long period of silence, the botnet’s operators launched a new infection campaign in July 2016 that is targeting six major banks in the United Kingdom, security researchers reveal.
Days after the takedown attempt in early 2015, parts of the Ramnit botnet were still alive, showing that the Trojan had not completely died. Fearing capture by law enforcement, however, the botnet’s operators paused their activity for a while. In December, they started targeting banks and e-commerce in Canada, Australia, the U.S. and Finland, but the actors had been silent since then.
As part of the new attack, the people behind the Trojan are using a new configuration to equip the malware with webinjections meant to target personal banking users. The Ramnit payload has seen minor changes compared to previous samples, with its operations, architecture and encryption algorithms unchanged, researchers reveal.
However, some of the malware’s parts were modified, such as the Hooker module, which received some improvements and was renamed Grabber.
“Also known as a Spy Module, this module is designed to hook the browser, monitoring URL access, enabling data theft in real time and displaying webinjections to the victims,” IBM’s Limor Kessem explains.
The component that enables the Trojan to scan the drive for files that have interesting keywords, such as “wallet,” “passwords,” or the names of the targeted banks, has remained unchanged. The module, called DriveScan, is used to gather additional information to ensure that no financial details or credentials stored on the victim’s endpoint have been missed.
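The DriveScan behaviour described above suggests a defensive counter: plant decoy documents that carry the same lure keywords ("wallet", "passwords", a bank name) but hold no real data, and alert when a single process reads several of them within a short window, which is what a keyword-driven disk scan looks like in file-access telemetry. The Python below is an added example, not code from the article, from IBM or from the malware; the "key=value" audit log format, the paths, the process names and the thresholds are all constructed for illustration.

```python
"""Decoy-file (honeyfile) detection for keyword-driven disk scans.

Added example; the log format and all sample data are constructed and
should be mapped onto whatever file-access telemetry (EDR, audit log)
an environment actually produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy documents planted on the endpoint (assumed paths). They carry the lure
# keywords a scanner looks for but contain nothing real, so a process reading
# several of them has no legitimate reason to do so.
DECOY_PATHS = {
    r"C:\Users\alice\Documents\passwords.txt",
    r"C:\Users\alice\Documents\wallet-backup.dat",
    r"C:\Users\alice\Documents\bank-login-notes.docx",
}

# Constructed file-access events in a hypothetical "key=value" audit format.
# pid 4412 behaves like a scanner; pid 3120 is an editor opening one file.
SAMPLE_LOG = r"""
2016-08-12T10:01:02Z pid=3120 image=C:\Program Files\Editor\editor.exe op=read path=C:\Users\alice\Documents\report.docx
2016-08-12T10:01:05Z pid=4412 image=C:\Users\alice\AppData\Roaming\svchost.exe op=read path=C:\Users\alice\Documents\passwords.txt
2016-08-12T10:01:06Z pid=4412 image=C:\Users\alice\AppData\Roaming\svchost.exe op=read path=C:\Users\alice\Documents\wallet-backup.dat
2016-08-12T10:01:07Z pid=4412 image=C:\Users\alice\AppData\Roaming\svchost.exe op=read path=C:\Users\alice\Documents\bank-login-notes.docx
2016-08-12T10:30:00Z pid=3120 image=C:\Program Files\Editor\editor.exe op=read path=C:\Users\alice\Documents\passwords.txt
"""

# image= may contain spaces, so it is matched non-greedily up to " op=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse_events(log_text):
    """Parse the constructed audit format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one bad line stop the detector
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "pid": int(m["pid"]),
            "image": m["image"],
            "op": m["op"],
            "path": m["path"],
        })
    return events


def detect_decoy_scans(log_text, decoys=DECOY_PATHS,
                       window=timedelta(seconds=60), min_decoys=2):
    """Return one alert per process that read >= min_decoys distinct decoys within `window`."""
    decoys_lc = {d.lower() for d in decoys}  # Windows paths compare case-insensitively
    touches = defaultdict(list)               # pid -> [(timestamp, path)]
    images = {}
    for ev in parse_events(log_text):
        if ev["path"].lower() in decoys_lc:
            touches[ev["pid"]].append((ev["ts"], ev["path"]))
            images[ev["pid"]] = ev["image"]

    alerts = []
    for pid, hits in touches.items():
        hits.sort()
        # Slide a window over this process's decoy reads; a burst of distinct
        # decoys inside one window is the scan signature we want to flag.
        for i, (start, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if t - start <= window}
            if len(distinct) >= min_decoys:
                alerts.append({
                    "pid": pid,
                    "image": images[pid],
                    "decoys": sorted(distinct),
                    "first_seen": start,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_decoy_scans(SAMPLE_LOG):
        print(f"decoy scan: pid={alert['pid']} image={alert['image']} "
              f"decoys={alert['decoys']} at {alert['first_seen'].isoformat()}")
```

The single read of `passwords.txt` by the editor is deliberately not alerted on: one decoy touch can be a user opening the wrong file, while three distinct decoys in two seconds from a binary in a user-writable directory is the pattern worth paging on. Tune `window` and `min_decoys` to how many decoys are planted, and keep the decoys out of any index or backup job that would legitimately read them.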
Ramnit’s original design includes a virtual network computing (VNC) module, but the malware does not deploy it immediately. Instead, it can dynamically fetch the VNC module from the C&C server at the attacker’s discretion and launch it at any point.
According to IBM, the Trojan’s configuration shows that its authors have been preparing the malware for the next phase, as the new attack schemes are built for real-time fraud targeting online banking sessions.
“Not all attacks have to happen in real time or from the victim’s device; Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time,” Kessem says.
The botnet, IBM says, appears to be operated by a private, closed cybergang, given that the Ramnit Trojan’s source code hasn’t been openly sold or shared so far. While researchers cannot attribute the botnet to a specific group, they note that there is a chance that a new group is using the project now.
“Ramnit’s current targets appear to be limited to six major U.K. banks, but X-Force researchers expect the list to expand in the coming days or weeks. The malware’s operators are spreading more than one configuration out to new infected bots, with sophisticated social engineering injections and in-session fraud automation all wrapped into the same attack scheme,” Kessem notes.
Historically, Ramnit used malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler, and researchers expect its operators to use the same infection vectors going forward.