In January 2010, a new worm named Ramnit was spotted in the wild. A worm is a type of malware that secretly and maliciously integrates itself into a program or data files and infects more files each time the host program is run. This worm can infect Windows executable files, HTML files, office files and possibly other file types as well. This blog examines this type of worm from a financial point of view; for in-depth analysis of Ramnit’s parasitic behavior, see this Microsoft blog post.

Going Financial: Teaching an Old Dog New Tricks

Although this type of worm employs old-generation malicious techniques, we kept it on our malware radar. A few weeks ago, we started seeing something interesting. Apparently, Ramnit morphed into a financial malware — or at least was used as a platform to commit financial fraud; we’re still investigating its modular architecture. Once installed, this malware will continuously communicate with the command-and-control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (HTTPS).

Ramnit’s authors followed the standard approach of malicious financial activities, supporting all basic features required for well-bred financial malware. The malware includes a Man-in-the-Browser (MitB) Web injection module, which enables the malware to modify Web pages on the client side, modify transaction content, insert additional transactions, etc., all in a completely covert fashion invisible to both the user and host application.

Here is a sample Ramnit injection. Note the “security tip” created by the fraudsters in the injected message:

While analyzing Ramnit’s malicious activities, we noticed its configuration format is similar to the notorious Zeus and SpyEye financial malware platforms:

[set_url]
    [data_before]
        ...
    [data_end]
    [data_inject]
        ...
    [data_end]
    [data_after]
        ...
    [data_end]

Ramnit consists of several independent components (see partial list below). One particular component, Zeus, caught our attention because it’s the HTML injection engine used by Ramnit. Since the Zeus source code is available for free, and given the similarities between Zeus’ and Ramnit’s “standard financial approach” and configuration format, we suspect the malware’s authors incorporated parts of Zeus into Ramnit. We are still investigating Ramnit’s Zeus component.
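To make the configuration format above concrete for analysts who pull such a config out of a sample, here is an added example (not code from the original post or from Trusteer) that parses a Zeus/SpyEye-style web-inject block into its set_url / data_before / data_inject / data_after sections, extracts the targeted hostnames as indicators, and previews where an inject would land on a page. The sample config and HTML are constructed for the example; the url-matching rule (shell-style wildcards) and the preview semantics (replace the content between the data_before and data_after anchors, or insert after data_before when data_after is empty) are assumptions about the format, not taken from the post.

```python
"""Parse and preview Zeus/SpyEye-style web-inject configuration blocks.

Added example for analysis of a dumped config; the sample data below is
constructed, not a real Ramnit or Zeus configuration.
"""
from dataclasses import dataclass
from typing import List
import fnmatch

@dataclass
class Inject:
    url_pattern: str      # set_url target, e.g. https://bank.example/login*
    flags: str = ""       # set_url flags (G/P/...), kept verbatim
    before: str = ""      # data_before anchor
    inject: str = ""      # data_inject payload
    after: str = ""       # data_after anchor

SECTION_KEYS = ("data_before", "data_inject", "data_after")

def parse_webinjects(text: str) -> List[Inject]:
    """State machine over the line-oriented config format.

    A set_url line opens an entry; each data_* key opens a section that
    runs until the next data_end line. ';' lines are treated as comments.
    """
    entries: List[Inject] = []
    current = None
    section = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:               # inside a data_* section
            if line == "data_end":
                # "data_before"[5:] -> "before", etc.
                setattr(current, section[5:], "\n".join(buf).strip())
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            current = Inject(url_pattern=parts[1],
                             flags=parts[2] if len(parts) > 2 else "")
            entries.append(current)
        elif line in SECTION_KEYS:
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if section is not None:
        raise ValueError(f"unterminated {section}")
    return entries

def matches(entry: Inject, url: str) -> bool:
    """Assumed matching rule: shell-style wildcard on the full URL."""
    return fnmatch.fnmatchcase(url, entry.url_pattern)

def targeted_host(pattern: str) -> str:
    """Reduce a set_url pattern to the hostname it targets (an indicator)."""
    p = pattern.lstrip("*")
    if "://" in p:
        p = p.split("://", 1)[1]
    return p.split("/", 1)[0].lstrip("*.")

def targeted_hosts(entries: List[Inject]) -> List[str]:
    return sorted({targeted_host(e.url_pattern) for e in entries})

def preview_inject(html: str, entry: Inject) -> str:
    """Show what the page would look like after the inject is applied."""
    start = html.find(entry.before) if entry.before else 0
    if start < 0:
        return html                           # anchor absent: no change
    start += len(entry.before)
    if entry.after:
        end = html.find(entry.after, start)
        if end < 0:
            return html
    else:
        end = start                           # pure insertion
    return html[:start] + entry.inject + html[end:]

# Constructed sample config with two entries (not real malware data).
SAMPLE_CONFIG = """
; constructed sample for the parser
set_url https://bank.example/login* GP
data_before
<form id="login">
data_end
data_inject
<p class="tip">Security tip: confirm your details below.</p>
data_end
data_after
data_end

set_url *secure.bank.example/account* G
data_before
<!-- notice -->
data_end
data_inject
<p>replaced notice</p>
data_end
data_after
<!-- /notice -->
data_end
"""

SAMPLE_LOGIN_HTML = '<html><body><form id="login"><input name="user"></form></body></html>'
SAMPLE_ACCOUNT_HTML = '<div><!-- notice -->old text<!-- /notice --></div>'

if __name__ == "__main__":
    for e in parse_webinjects(SAMPLE_CONFIG):
        print(e.url_pattern, "->", targeted_host(e.url_pattern))
    print(preview_inject(SAMPLE_LOGIN_HTML, parse_webinjects(SAMPLE_CONFIG)[0]))
```

The host list from targeted_hosts is the part most useful to a defender: it tells you which sites a given config build is aimed at, and it can be compared across samples to track when a family such as Ramnit adds or drops targets.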

Trusteer Versus Ramnit

  • Trusteer Rapport: Customers running Trusteer Rapport are not vulnerable to this attack. Rapport blocks Ramnit from entering the browser, thus rendering the malware ineffective in terms of financial fraud. Rapport also prevents machines from becoming infected with the malware.
  • Trusteer Pinpoint: In real time, Trusteer Pinpoint detects and reports Ramnit behaviors when customers whose machines are infected with the malware log in to an online banking application. This allows the bank to block the malicious activity generated by Ramnit.

Going Forward

The latest version of Ramnit consists of stand-alone modules; some are bundled with the dropper binary and some are fetched from its C&C. The following is a partial list of Ramnit components:

  • Proprietary “windows installer” (download and execute)
  • Hooker & MitB Web injects (Zeus bundle)
  • FTP Grabber
  • FTP Server
  • Cookie Grabber
  • Anti Debugging/Anti AV

Ramnit’s different components are still under investigation, as well as the malware itself. We will update this blog shortly with more findings, so stay tuned.
