Research for this post was facilitated by Ziv Eli.

IBM X-Force researchers recently reported that the Ramnit Trojan has relaunched, targeting six major banks in the U.K.

After a silent period of about eight months, researchers observed that Ramnit’s operators set up two new live attack servers and a new command-and-control (C&C) server. They launched an infection campaign in the U.K. and are spreading new Trojan configurations to equip the malware with webinjections designed to target personal banking users.

Ramnit Returns

Internally, the Ramnit payload does not appear to have changed in any significant way; its operation, architecture and encryption algorithms remained the same. Some parts were updated, such as the “Hooker” module, which saw some renovation and was renamed “Grabber.” Also known as a Spy Module, this module is designed to hook the browser, monitoring URL access, enabling data theft in real time and displaying webinjections to the victims.

Ramnit’s DriveScan module remained unchanged. This component enables the Trojan to scan the drive for files with interesting keywords, such as “wallet,” “passwords,” and the names of banks targeted in the configurations. Ramnit’s operators gather that extra information to ensure they don’t miss out on any financial details or credentials victims may be keeping on their endpoints.

Although Ramnit originally features a virtual network computing (VNC) module, it does not seem to deploy it immediately. Nonetheless, a VNC module can be dynamically fetched from the malware’s control server at the attacker’s discretion and launched for use at any point.

The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real-time fraud attacks targeting online banking sessions. Not all attacks have to happen in real time or from the victim’s device; Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time.

Humble Beginnings

Ramnit is an evolving, persistent banking Trojan that emerged in 2010 in the more simplistic form of a self-replicating worm. As the malware project evolved, Ramnit’s developers chose to morph it into a banking Trojan and, in 2011, Ramnit donned on-the-fly data theft modules alongside webinjection capabilities borrowed from the Zeus Trojan’s exposed source code. It has been an active banking Trojan ever since, with remote control capabilities and extensive target lists that even included mule recruitment in the past.

According to X-Force Research, this malware saw its most prolific bank fraud phase in 2014, when it was named the fourth most active financial Trojan in the world behind Dyre, Neverquest and Dridex.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

Ramn the Torpedoes

Ramnit’s activity came to halt in early 2015, when a Europol operation attempted to dismantle the project by taking down botnets operated by Ramnit’s masters. Unfortunately, Ramnit did not completely die. A few days after the takedown, some parts of the Ramnit botnet were still alive. The takedown attempt must have alerted Ramnit’s operators to the possibility that they could be captured by law enforcement, however, and activity subsequently died down for a while.

In December 2015, IBM X-Force reported renewed Ramnit activity that targeted banks and e-commerce in Canada, Australia, the U.S. and Finland. Since then, however, Ramnit servers have been silent — until now. As of July 2016, Ramnit has been preparing new attack schemes, testing, setting up an infection campaign and reconnecting the wires to mount two new attack servers.

According to X-Force threat intelligence, Ramnit appears to be operated by a private, closed cybergang. Ramnit’s source code has not been openly sold or shared with other cybercriminals, and we’ve observed no underground chatter. From what we’ve learned so far, there was no change in Ramnit’s status in that sense. It is possible that a new gang has picked the project up, but attribution remains vague.

Expanding List of Targets

Ramnit’s current targets appear to be limited to six major U.K. banks, but X-Force researchers expect the list to expand in the coming days or weeks. The malware’s operators are spreading more than one configuration out to new infected bots, with sophisticated social engineering injections and in-session fraud automation all wrapped into the same attack scheme.

Ramnit’s infection vectors in the past included malvertising and malware-laden spam. Ramnit’s operators have already used popular exploit kits, such as the Angler EK. We expect to see them reach out for the same methods in this new activity phase.

Malware IOCs

Sample MD5

  • 0784e53b2f19069ae4101440c93fb311
  • 81e5ab7fcc22193c88be5581f7062a27

U.K.-Targeting Configuration MD5

  • eb939f38861e6bbae800bbf422f66916

Antivirus engines can take a while to detect Ramnit, and in many cases do not detect it at all. Some of the aliases by top AV engines for this variant are:

  • Win32.Ramnit
  • Win32.Nimnul.a

Preventative Measures

The Ramnit banking Trojan is an evolving threat. It is designed to manipulate online banking sessions to steal user credentials and perform money transfer fraud attacks. To help stop Ramnit, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Most cases of malware infections, including Ramnit, begin with a malware-laden spam email that lures victims into opening an attachment by indicating it is an invoice or another important document. If users are not expecting this document, their best bet is to delete the email immediately and then directly check their accounts or contact their service provider to look into the matter.

Those who frequently bank away from home are advised to never access any of their personal accounts from public computers. Online banking should be carried out from trusted devices that are protected by security solutions.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today