IBM X-Force researchers monitor the activity of top cybercrime gangs on an ongoing basis. In a recent analysis of Ramnit Trojan targets, the team looked into the way the malware’s operators target e-commerce vendors in Japan — the gang’s active attack turf nowadays.

As it turns out, Ramnit in Japan is nothing like the Ramnit we know from attacks on U.K. banks and Europe. Instead of targeting banks, in Japan, this malware’s target list is all about e-commerce and, more specifically, top fashion brands from overseas. Japanese shoppers are known to enjoy shopping for foreign fashion — a trend that has been measured since 2014, when online shoppers in Japan spent $1.6 billion on top fashion brands sold on American websites.

They Target Banks, Too

Ramnit campaigns in Japan are strangely focused on fashion, but the typical configuration file planted on infected devices will also fire up the Trojan’s injection mechanism if the victim attempts to do some online banking, check their webmail or log in to their social network. Gaming, video streaming and adult content were not exempt, nor were vacation deal vendors, mobile phone sellers and jewelry shops. If it’s a shop that attracts a lot of traffic and involves using a payment card, it’s on the list.

Figure 1: Excerpt from a Ramnit configuration file used in campaigns in Japan (Source: IBM X-Force)

The attack resources linked with the campaign were not very elaborate. An external script is pulled in real time from a remote server when the infected users browse to a target site. The injection consistently comes from the same source for all the targets, which is likely because it is the exact same format, with a logo change for each fake pop-up that requests the victim’s payment card details.

Figure 2: Excerpt from a Ramnit configuration file used in campaigns in Japan (Source: IBM X-Force)

Ramnit Hot and Cold

Ramnit is one of the top banking Trojans operated by what’s believed to be an organized cybercrime group. It has been active in the wild since 2010, when it started out as a self-replicating worm, leveraging removable drives and network shares to spread to devices in business environments. As the project evolved, Ramnit morphed into a modular banking Trojan.

Between 2011 and 2014, the Ramnit Trojan gained momentum in the cybercrime arena, rising among the top 10 most prevalent pieces of financial malware. Ramnit infections were most rampant in North America, Europe and Australia, where its local targets included a multitude of recruitment sites, likely for the purpose of mule recruitment. During those years, Ramnit configurations were characterized by an exhaustive list of online anti-malware scans, antivirus product websites, cybercrime information sites and security blogs that it made sure to keep victims away from. In some cases, the mere use of the word “cybercrime” or “police” in a URL typed by victims triggered a redirection from Ramnit.

In late February 2015, a Europol operation in collaboration with information security vendors attempted to dismantle the Ramnit project by taking down botnets operated by Ramnit’s masters. A few days later, another vendor indicated that, unfortunately, the Ramnit botnet was still alive — a rare occurrence for any malware gang.

In December 2015, IBM Trusteer research reported renewed Ramnit activity that targeted banks and e-commerce sites in Canada, Australia, the U.S. and Finland. In that resurrection, Ramnit’s operators used malvertising and the Angler exploit kit (EK) to infect new victims with the malware. The Angler EK has since died down, and Ramnit’s operators have switched to the RIG EK to continue their malvertising campaigns.

Over the past few years, Ramnit has kept its turf limited, only targeting a handful of geographies at a time. It has gone in and out of hiatus periods and moved around the globe, but it somehow continues to exist and even reach the second rank on the top banking Trojan list for 2019 to date.

Figure 3: Top banking Trojan families in 2019 to date (Source: IBM X-Force)

Tips for Shoppers to Avoid Ramnit Infections

Banking Trojans are an insidious threat that is hard to detect once resident on an infected device. The following internet and email security best practices can help prevent malware infections.

  • Ramnit is being dropped by the Grandsoft exploit kit in Japan. Avoiding poisoned pages means being mindful of the sites you visit. Don’t shop on unknown sites, always check the site’s URL, and avoid advertisements promising free games or other supposed gifts/coupons, as well as adult content sites.
  • Keep your system and applications up to date. If something is not in use, delete it. Even if you land on an exploit kit, it will be hard to drop malware to a fully patched device.
  • Malware distribution shuffles methods often. It can come via exploit kits today and then via email tomorrow. Don’t open unsolicited email, and don’t launch attachments from unknown senders. If you receive an attachment with a macro that you have to enable, decline to do so and call the sender to verify that email.
  • If you shop online often, keep track of your credit card statements and your online accounts directly on your favorite brands’ websites, and don’t click links to your accounts through email messages.
  • Service providers and online retailers wishing to prevent fraud on their customer accounts are invited to learn more about securing user identities with IBM Trusteer.
