IBM X-Force researchers monitor the activity of top cybercrime gangs on an ongoing basis. In a recent analysis of Ramnit Trojan targets, the team looked into the way the malware’s operators target e-commerce vendors in Japan — the gang’s active attack turf nowadays.

As it turns out, Ramnit in Japan is nothing like the Ramnit we know from attacks on U.K. banks and Europe. Instead of targeting banks, in Japan, this malware’s target list is all about e-commerce and, more specifically, top fashion brands from overseas. Japanese shoppers are known to enjoy shopping for foreign fashion — a trend that has been measured since 2014, when online shoppers in Japan spent $1.6 billion on top fashion brands sold on American websites.

They Target Banks, Too

Ramnit campaigns in Japan are strangely focused on fashion, but the typical configuration file planted on infected devices will also fire up the Trojan’s injection mechanism if the victim attempts to do some online banking, check their webmail or log in to their social network. Gaming, video streaming and adult content were not exempt, nor were vacation deal vendors, mobile phone sellers and jewelry shops. If it’s a shop that attracts a lot of traffic and involves using a payment card, it’s on the list.

Figure 1: Excerpt from a Ramnit configuration file used in campaigns in Japan (Source: IBM X-Force)

The attack resources linked with the campaign were not very elaborate. An external script is pulled in real time from a remote server when an infected user browses to a target site. The injection is served from the same source for all the targets, likely because it uses the exact same format, changing only the logo on each fake pop-up that requests the victim’s payment card details.

Figure 2: Excerpt from a Ramnit configuration file used in campaigns in Japan (Source: IBM X-Force)
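The one-source-for-all-targets behaviour described above gives defenders a network-level signal: a single third-party script host that shows up on checkout, webmail and banking pages of unrelated organizations. The following Python script is an added example, not part of the original article or any IBM tooling; it runs over constructed proxy log lines (timestamp, client, method, URL, referer) with made-up host names and a made-up allowlist, and flags any external script host that is loaded from at least two unrelated page domains.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real data). Three unrelated sites
# each pull the same script from one unfamiliar host, which is the pattern
# the article describes: one injection source serving every target.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z 10.0.0.5 GET https://shop-a.example/checkout -
2019-05-01T10:00:02Z 10.0.0.5 GET https://cdn.example-cdn.net/lib/jquery.min.js https://shop-a.example/checkout
2019-05-01T10:00:02Z 10.0.0.5 GET https://inject-host.example.invalid/c/form.js https://shop-a.example/checkout
2019-05-01T10:05:10Z 10.0.0.5 GET https://shop-b.example/cart https://shop-b.example/
2019-05-01T10:05:11Z 10.0.0.5 GET https://shop-b.example/static/app.js https://shop-b.example/cart
2019-05-01T10:05:11Z 10.0.0.5 GET https://inject-host.example.invalid/c/form.js https://shop-b.example/cart
2019-05-01T10:09:00Z 10.0.0.7 GET https://webmail.example.org/inbox -
2019-05-01T10:09:01Z 10.0.0.7 GET https://inject-host.example.invalid/c/form.js https://webmail.example.org/inbox
2019-05-01T10:12:00Z 10.0.0.9 GET https://shop-a.example/static/analytics.js https://shop-a.example/checkout
"""

# Constructed allowlist of script hosts the monitored sites legitimately use.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-cdn.net"}

# Assumed log layout: five whitespace-separated fields, "-" for no referer.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}


def registrable_domain(host):
    """Crude last-two-labels domain; a real tool would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def script_loads_by_host(log_text, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Map each third-party script host to the set of page domains that loaded it."""
    loads = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-":
            continue
        url = urlparse(rec["url"])
        if not url.path.endswith(".js"):
            continue  # only script resources are of interest here
        page_host = urlparse(rec["referer"]).hostname
        script_host = url.hostname
        if script_host in allowed_hosts:
            continue  # known CDN / tag host
        if registrable_domain(script_host) == registrable_domain(page_host):
            continue  # first-party script, served by the site itself
        loads[script_host].add(page_host)
    return loads


def suspect_inject_hosts(log_text, min_sites=2, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Third-party script hosts seen across at least min_sites unrelated page domains."""
    loads = script_loads_by_host(log_text, allowed_hosts)
    return {h: sorted(sites) for h, sites in loads.items() if len(sites) >= min_sites}


if __name__ == "__main__":
    for host, sites in suspect_inject_hosts(SAMPLE_LOG).items():
        print(f"{host}: script loaded from {len(sites)} unrelated sites: {', '.join(sites)}")
```

The referer-based first-party check is what keeps a site's own bundles and a known CDN out of the result; the cross-site count is the part that mirrors the article's observation, since a legitimate analytics or tag host would normally be on the allowlist while an injection server is not.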

Ramnit Hot and Cold

Ramnit is one of the top banking Trojans operated by what’s believed to be an organized cybercrime group. It has been active in the wild since 2010, when it started out as a self-replicating worm, leveraging removable drives and network shares to spread to devices in business environments. As the project evolved, Ramnit morphed into a modular banking Trojan.

Between 2011 and 2014, the Ramnit Trojan gained momentum in the cybercrime arena, rising among the top 10 most prevalent pieces of financial malware. Ramnit infections were most rampant in North America, Europe and Australia, where its local targets included a multitude of recruitment sites, likely for the purpose of mule recruitment. During those years, Ramnit configurations were characterized by an exhaustive list of online anti-malware scans, antivirus product websites, cybercrime information sites and security blogs that it made sure to keep victims away from. In some cases, the mere use of the word “cybercrime” or “police” in a URL typed by victims triggered a redirection from Ramnit.

In late February 2015, a Europol operation in collaboration with information security vendors attempted to dismantle the Ramnit project by taking down botnets operated by Ramnit’s masters. A few days later, another vendor indicated that, unfortunately, the Ramnit botnet was still alive — a rare occurrence for any malware gang.

In December 2015, IBM Trusteer research reported renewed Ramnit activity that targeted banks and e-commerce sites in Canada, Australia, the U.S. and Finland. In that resurrection, Ramnit’s operators used malvertising and the Angler exploit kit (EK) to infect new victims with the malware. The Angler EK has since died down, and Ramnit’s operators have switched to the RIG EK to continue their malvertising campaigns.

Over the past few years, Ramnit has kept its turf limited, only targeting a handful of geographies at a time. It has gone in and out of hiatus periods and moved around the globe, but it somehow continues to exist and even reach the second rank on the top banking Trojan list for 2019 to date.

Figure 3: Top banking Trojan families in 2019 to date (Source: IBM X-Force)

Tips for Shoppers to Avoid Ramnit Infections

Banking Trojans are an insidious threat that’s hard to detect once it is resident on an infected device. The following internet and email security best practices can help prevent malware infections.

  • Ramnit is being dropped by the GrandSoft exploit kit in Japan. Avoiding poisoned pages means being mindful of the sites you visit. Don’t shop on unknown sites, always check the site’s URL, and avoid advertisements promising free games or other supposed gifts/coupons, as well as adult content sites.
  • Keep your system and applications up to date. If something is not in use, delete it. Even if you land on an exploit kit, it will be hard to drop malware to a fully patched device.
  • Malware distribution shuffles methods often. It can come via exploit kits today and then via email tomorrow. Don’t open unsolicited email, and don’t launch attachments from unknown senders. If you receive an attachment with a macro that you have to enable, decline to do so and call the sender to verify that email.
  • If you shop online often, keep track of your credit card statements and your online accounts directly on your favorite brands’ website, and don’t click links to your accounts through email messages.
  • Service providers and online retailers wishing to prevent fraud on their customer accounts are invited to learn more about securing user identities with IBM Trusteer.
