In January 2010, a new worm named Ramnit was spotted in the wild. A worm is a type of malware that secretly and maliciously integrates itself into a program or data files and infects more files each time the host program is run. This worm can infect Windows executable files, HTML files, office files and possibly other file types as well. This blog examines this type of worm from a financial point of view; for in-depth analysis of Ramnit’s parasitic behavior, see this Microsoft blog post.

Going Financial: Teaching an Old Dog New Tricks

Although this type of worm employs old-generation malicious techniques, we kept it on our malware radar. A few weeks ago, we started seeing something interesting. Apparently, Ramnit morphed into a financial malware — or at least was used as a platform to commit financial fraud; we’re still investigating its modular architecture. Once installed, this malware will continuously communicate with the command-and-control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (HTTPS).

Ramnit’s authors followed the standard approach of malicious financial activities, supporting all basic features required for well-bred financial malware. The malware includes a Man-in-the-Browser (MitB) Web injection module, which enables the malware to modify Web pages on the client side, modify transaction content, insert additional transactions, etc., all in a completely covert fashion invisible to both the user and host application.

Here is a sample Ramnit injection. Note the “security tip” created by the fraudsters in the injected message:

While analyzing Ramnit’s malicious activities, we noticed its configuration format is similar to the notorious Zeus and SpyEye financial malware platforms:

[set_url]
[data_before]
[data_end]
[data_inject]
[data_end]
[data_after]
[data_end]
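To show how an analyst works with a configuration in this Zeus-style layout, here is an added parser (example code, not from the original post or from Trusteer). It assumes the usual line-based form of that format: a set_url line carrying a URL wildcard pattern and flag letters, followed by data_before / data_inject / data_after blocks that each run until data_end; lines beginning with ";" are treated as comments. The sample configuration, the host names and the injected text are all constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    """One set_url entry from a Zeus-style webinject configuration."""
    url_pattern: str          # wildcard pattern from the set_url line
    flags: str                # flag letters following the pattern (assumed, e.g. "GP")
    data_before: str = ""     # page fragment that precedes the injection point
    data_inject: str = ""     # content the malware would insert
    data_after: str = ""      # page fragment that follows the injection point


SECTION_NAMES = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse a webinject configuration into a list of WebInject records."""
    injects: list[WebInject] = []
    current: WebInject | None = None
    section: str | None = None
    buf: list[str] = []

    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:
            # Inside a data_* block: collect lines verbatim until data_end.
            if line == "data_end":
                setattr(current, section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(";"):
            continue                      # blank line or comment (assumed syntax)
        if line.startswith("set_url"):
            parts = line.split(None, 2)   # set_url <pattern> [flags]
            current = WebInject(parts[1] if len(parts) > 1 else "",
                                parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in SECTION_NAMES:
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line
        else:
            raise ValueError(f"unrecognised directive: {line!r}")

    if section is not None:
        raise ValueError(f"unterminated {section} block")
    return injects


def url_matches(pattern: str, url: str) -> bool:
    """True if url matches a set_url pattern, treating '*' as a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def matching_injects(injects: list[WebInject], url: str) -> list[WebInject]:
    """Return the entries whose pattern covers the given URL."""
    return [inj for inj in injects if url_matches(inj.url_pattern, url)]


# Constructed sample configuration; host names and content are placeholders.
SAMPLE_CONFIG = """
; constructed sample, not a real configuration
set_url https://bank.example/login* GP
data_before
<div id="login">
data_end
data_inject
<p class="tip">SAMPLE-INJECT placeholder text</p>
data_end
data_after
</div>
data_end

set_url https://bank.example/account/* G
data_inject
<!-- SAMPLE-INJECT second placeholder -->
data_end
"""


if __name__ == "__main__":
    for inj in parse_webinjects(SAMPLE_CONFIG):
        print(inj.url_pattern, inj.flags, repr(inj.data_inject))
```

Parsing an extracted configuration this way gives a defender the list of targeted URL patterns, which is the quickest way to tell which institutions a sample goes after and to compare two samples' target lists.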

Ramnit consists of several independent components (see partial list below). One particular component, Zeus, caught our attention because it’s the HTML injection engine used by Ramnit. Since the Zeus source code is available for free, and given the similarities between Zeus’ and Ramnit’s “standard financial approach” and configuration format, we suspect the malware’s authors incorporated parts of Zeus into Ramnit. We are still investigating Ramnit’s Zeus component.

Trusteer Versus Ramnit

  • Trusteer Rapport: Customers running Trusteer Rapport are not vulnerable to this attack. Rapport blocks Ramnit from entering the browser, thus rendering the malware ineffective in terms of financial fraud. Rapport also prevents machines from becoming infected with the malware.
  • Trusteer Pinpoint: In real time, Trusteer Pinpoint detects and reports Ramnit behaviors when customers whose machines are infected with the malware log in to an online banking application. This allows the bank to block the malicious activity generated by Ramnit.

Going Forward

The latest version of Ramnit consists of stand-alone modules; some are bundled with the dropper binary and some are fetched from its C&C. The following is a partial list of Ramnit components:

  • Proprietary “windows installer” (download and execute)
  • Hooker & MitB Web injects (Zeus bundle)
  • FTP Grabber
  • FTP Server
  • Cookie Grabber
  • Anti Debugging/Anti AV

Ramnit’s different components are still under investigation, as well as the malware itself. We will update this blog shortly with more findings, so stay tuned.
