Connect with us

Hi, what are you looking for?



Ramnit Banking Trojan Resumes Activity

After an eight-month pause, the Ramnit Trojan has resurfaced with two new live attack servers and a new command and control (C&C) server, IBM researchers reveal.

After an eight-month pause, the Ramnit Trojan has resurfaced with two new live attack servers and a new command and control (C&C) server, IBM researchers reveal.

Spotted in 2010 as a self-replicating worm, Ramnit has evolved significantly after its developers decided to morph it into a banking Trojan. In 2011, the malware grabbed on-the-fly data theft capabilities and webinjections borrowed from Zeus’ leaked source code. Ever since, Ramnit has been an active banking Trojan, packing remote control capabilities and extensive target lists.

The operation, disrupted in February 2015 by tech companies and European law enforcement, resumed operations last December. After a long period of silence, the botnet’s operators launched a new infection campaign in July 2016 that is targeting six major banks in the United Kingdom, security researchers reveal.

Days after the takedown attempt in early 2015, parts of the Ramnit botnet were still alive, showing that the Trojan didn’t completely die. Fearing they might be captured by law enforcement, however, the botnet’s operators stopped their activity for a while. In December, they started targeting banks and e-commerce in Canada, Australia, the U.S. and Finland, but the actors have been silent ever since.

As part of the new attack, the people behind the Trojan are using a new configuration to equip the malware with webinjections meant to target personal banking users. The Ramnit payload has seen minor changes compared to previous samples, with its operations, architecture and encryption algorithms unchanged, researchers reveal.

However, some of the malware’s parts were modified, such as the Hooker module, which received some improvement and was renamed to Grabber.

“Also known as a Spy Module, this module is designed to hook the browser, monitoring URL access, enabling data theft in real time and displaying webinjections to the victims,” IBM’s Limor Kessem explains.

Advertisement. Scroll to continue reading.

The component that enables the Trojan to scan the drive for files that have interesting keywords, such as “wallet,” “passwords,” or the names of the targeted banks, has remained unchanged. The module, called DriveScan, is used to gather additional information to ensure that no financial details or credentials stored on the victim’s endpoint have been missed.

Ramnit originally features a virtual network computing (VNC) module, but the malware doesn’t deploy it immediately. Instead, it can dynamically fetch the VNC module from the C&C server at the attacker’s discretion and launch it at any point.

According to IBM, the Trojan’s configuration shows that its authors have been preparing the malware for the next phase, as the new attack schemes are built for real-time fraud targeting online banking sessions.

“Not all attacks have to happen in real time or from the victim’s device; Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time,” Kessem says.

The botnet, IBM says, appears to be operated by a private, closed cybergang, given that the Ramnit Trojan’s source code hasn’t been openly sold or shared so far. While researchers cannot attribute the botnet to a specific group, they note that there is a chance that a new group is using the project now.

“Ramnit’s current targets appear to be limited to six major U.K. banks, but X-Force researchers expect the list to expand in the coming days or weeks. The malware’s operators are spreading more than one configuration out to new infected bots, with sophisticated social engineering injections and in-session fraud automation all wrapped into the same attack scheme,” Kessem notes.

Historically, Ramnit used malvertising and malware-laden spam for distribution, though it also employed popular exploit kits, such as Angler, and researchers expect its operators to use the same infection vectors moving forth as well.

Related: Gozi Banking Trojan Campaigns Target Global Brands

Related: Nymaim Malware Attacks on the Rise Globally

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...