Organized cybercrime is known to attract the attention of international law enforcement and regional counter-cybercrime task forces. Botnet takedowns are one of the means by which police forces from around the world coordinate the disruption of digital crime.

Cases of botnet takedowns date back to a variety of spam zombie networks like Pushdo, Rustock, Grum and Simda, and they have been expanded to include the more complex task of taking down banking Trojan infrastructures.

Ramnit Gets Taken Down

So far, the truly big cases have been the GameOver Zeus botnet, which relied on an internal P2P scheme to run a more secure and resilient zombie bot army, and Shylock, which was disrupted by British police, an international consortium of law enforcement agencies and information security firms — and, of course, Ramnit. Since then, police have taken down another botnet, NgrBot (aka Dorkbot), as well.

In cases where law enforcement intervened to take down the servers and future communication domain rendezvous of banking Trojan operations, gangs did not appear to recover. This is possibly because they wanted to escape attention from law enforcement and potential legal consequences.

While spam botnets have been known to come back from the dead, banking Trojan botnets never have. Until September this year, takedown operations targeting major financial malware were widely considered the death of the operation, making the gang behind it lose touch with all its money-making zombies.

According to IBM X-Force researchers, that may have officially changed in December 2015. Not even a year after Ramnit was taken down, we are seeing what appears to be the first real re-emergence of the banking Trojan botnet. The conclusion comes from IBM X-Force malware researchers, who have found a new variant of the Ramnit banking Trojan and botnet. Both are already active in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.

The Ramnit botnet is communicating with new attack servers, employs a completely new and much shorter configuration file and uses a revamped webinjection scheme against its infected victims.

Learn why global threat intelligence is more important than ever in the fight against web fraud

Ramnit’s Past Life

When Ramnit was first discovered in the wild in 2010, it was only the name of a worm used as an infection vector that leveraged the use of removable drives and network shares to spread to new endpoints. In 2011, Ramnit’s developer took up the task of dressing this virus with code chunks borrowed from the leaked Zeus Trojan sources and turned it into a banking Trojan.

Within three years, the Ramnit Trojan gained quite a bit of momentum in its cybercrime operations. In its pre-takedown life, Ramnit was one of the top banking Trojans in the cybercrime arena, ranking fourth on the most active banking Trojan list in 2014, right under Neverquest (Vawtrak) and alongside other major gangs such as Shylock, Dyre and the Bugat (Dridex) bunch.

At the time, Ramnit primarily attacked in the U.K., U.S. and Australia. The Trojan sported a hefty configuration file replete with URL triggers that told it which banks, online transactions and social networking sites to harvest credentials from. In addition to its wanted list, Ramnit used its configuration to steer victims away from a rather exhaustive list of online anti-malware scans, antivirus websites, cybercrime information sites and security blogs. In its old configuration, the mere use of the words “cybercrime” or “police” on a victim’s part triggered a redirection effect.

Another very visible part of Ramnit’s previous configurations was the massive amount of job recruitment sites it targeted, harvesting user credentials from the sites in order to target those looking for a job and recruit them. For the victims, this would be a double-edged sword since Ramnit’s operators could also obtain all the information they put on their professional CV.

It was pretty clear that the gang behind this Trojan intended to recruit as many mules as possible in each targeted country. Mules are central to the cash-out chain of stolen funds; oftentimes, gangs will also rent out their network of money mules to other cybercriminals in need.

Back in Business

Up to this point, Ramnit was believed to be owned by one cybercrime gang and exclusively operated by one team. According to IBM X-Force Threat Intelligence, Ramnit’s source code was never openly sold or shared with other cybercriminals and it was not part of underground chatter. From what we’ve learned so far, nothing seems to point to a notable change in terms of who is behind Ramnit. It is possible that a new gang has picked the project up, but attribution remains vague in this case.

The new Ramnit variants discovered by IBM X-Force are identical to the previous ones in terms of their source code and behavior patterns. The only change in modus operandi is expressed in the webinjections and the configuration file, which are both considered to be moving parts in the inner workings of any banking Trojan. Recent findings from IBM X-Force indicated that a number of other Trojans, like Shifu, Dridex and Neverquest, have been using the exact same webinjections and remote servers, which can be indicative of gangs purchasing software-as-a-service (SaaS) from the same injection developers.

Strangely enough, Ramnit’s old configuration server is still up, sending configuration files into thin air without any bots on the other end.

The new server commands newly infected machines that are receiving Ramnit through the Angler exploit kit. It regularly updates them with configurations and executable file builds. The new Ramnit also operates with a real-time webinjection server, selectively pulling attack schemes on the fly when infected users browse to a few major banks in Canada.

What’s Next?

Ramnit has been known to mostly spread itself via malvertising campaigns that lead users to an exploit kit. At this time, it is believed to be using the Angler EK, but this is probably not the only infection tactic. Ramnit’s operators have varied their propagation campaigns in the past and may be launching them in additional forms, such as poisoned macros, email attachments and the usual worm behavior typical to this malware.

At the time of this writing, Ramnit attacked major banks in Canada, Australia, the U.S. and Finland. Judging by the previous activity of this malware, it is likely that Ramnit’s operators will spread their reach into other parts of the world in the coming months as they build their new botnet and resources.

Fighting Evolving Threats

Fighting evolving threats like the Ramnit Trojan is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities. Banks and service providers can use these solutions to detect infections and protect customer endpoints from threats when they emerge — or in this case, re-emerge.

Read the white paper: Stay ahead of threats with global threat intelligence

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today