Organized cybercrime is known to attract the attention of international law enforcement and regional counter-cybercrime task forces. Botnet takedowns are one of the means by which police forces from around the world coordinate the disruption of digital crime.

Cases of botnet takedowns date back to a variety of spam zombie networks like Pushdo, Rustock, Grum and Simda, and they have been expanded to include the more complex task of taking down banking Trojan infrastructures.

Ramnit Gets Taken Down

So far, the truly big cases have been the GameOver Zeus botnet, which relied on an internal P2P scheme to run a more secure and resilient zombie bot army, and Shylock, which was disrupted by British police, an international consortium of law enforcement agencies and information security firms — and, of course, Ramnit. Since then, police have taken down another botnet, NgrBot (aka Dorkbot), as well.

In cases where law enforcement intervened to take down the servers and future communication domain rendezvous of banking Trojan operations, gangs did not appear to recover. This is possibly because they wanted to escape attention from law enforcement and potential legal consequences.

While spam botnets have been known to come back from the dead, banking Trojan botnets never have. Until September this year, takedown operations targeting major financial malware were widely considered the death of the operation, making the gang behind it lose touch with all its money-making zombies.

According to IBM X-Force researchers, that may have officially changed in December 2015. Not even a year after Ramnit was taken down, we are seeing what appears to be the first real re-emergence of the banking Trojan botnet. The conclusion comes from IBM X-Force malware researchers, who have found a new variant of the Ramnit banking Trojan and botnet. Both are already active in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.

The Ramnit botnet is communicating with new attack servers, employs a completely new and much shorter configuration file and uses a revamped webinjection scheme against its infected victims.

Learn why global threat intelligence is more important than ever in the fight against web fraud

Ramnit’s Past Life

When Ramnit was first discovered in the wild in 2010, it was only the name of a worm used as an infection vector that leveraged the use of removable drives and network shares to spread to new endpoints. In 2011, Ramnit’s developer took up the task of dressing this virus with code chunks borrowed from the leaked Zeus Trojan sources and turned it into a banking Trojan.

Within three years, the Ramnit Trojan gained quite a bit of momentum in its cybercrime operations. In its pre-takedown life, Ramnit was one of the top banking Trojans in the cybercrime arena, ranking fourth on the most active banking Trojan list in 2014, right under Neverquest (Vawtrak) and alongside other major gangs such as Shylock, Dyre and the Bugat (Dridex) bunch.

At the time, Ramnit primarily attacked in the U.K., U.S. and Australia. The Trojan sported a hefty configuration file replete with URL triggers that told it which banks, online transactions and social networking sites to harvest credentials from. In addition to its wanted list, Ramnit used its configuration to steer victims away from a rather exhaustive list of online anti-malware scans, antivirus websites, cybercrime information sites and security blogs. In its old configuration, the mere use of the words “cybercrime” or “police” on a victim’s part triggered a redirection effect.

Another very visible part of Ramnit’s previous configurations was the massive amount of job recruitment sites it targeted, harvesting user credentials from the sites in order to target those looking for a job and recruit them. For the victims, this would be a double-edged sword since Ramnit’s operators could also obtain all the information they put on their professional CV.

It was pretty clear that the gang behind this Trojan intended to recruit as many mules as possible in each targeted country. Mules are central to the cash-out chain of stolen funds; oftentimes, gangs will also rent out their network of money mules to other cybercriminals in need.

Back in Business

Up to this point, Ramnit was believed to be owned by one cybercrime gang and exclusively operated by one team. According to IBM X-Force Threat Intelligence, Ramnit’s source code was never openly sold or shared with other cybercriminals and it was not part of underground chatter. From what we’ve learned so far, nothing seems to point to a notable change in terms of who is behind Ramnit. It is possible that a new gang has picked the project up, but attribution remains vague in this case.

The new Ramnit variants discovered by IBM X-Force are identical to the previous ones in terms of their source code and behavior patterns. The only change in modus operandi is expressed in the webinjections and the configuration file, which are both considered to be moving parts in the inner workings of any banking Trojan. Recent findings from IBM X-Force indicated that a number of other Trojans, like Shifu, Dridex and Neverquest, have been using the exact same webinjections and remote servers, which can be indicative of gangs purchasing software-as-a-service (SaaS) from the same injection developers.

Strangely enough, Ramnit’s old configuration server is still up, sending configuration files into thin air without any bots on the other end.

The new server commands newly infected machines that are receiving Ramnit through the Angler exploit kit. It regularly updates them with configurations and executable file builds. The new Ramnit also operates with a real-time webinjection server, selectively pulling attack schemes on the fly when infected users browse to a few major banks in Canada.

What’s Next?

Ramnit has been known to mostly spread itself via malvertising campaigns that lead users to an exploit kit. At this time, it is believed to be using the Angler EK, but this is probably not the only infection tactic. Ramnit’s operators have varied their propagation campaigns in the past and may be launching them in additional forms, such as poisoned macros, email attachments and the usual worm behavior typical to this malware.

At the time of this writing, Ramnit attacked major banks in Canada, Australia, the U.S. and Finland. Judging by the previous activity of this malware, it is likely that Ramnit’s operators will spread their reach into other parts of the world in the coming months as they build their new botnet and resources.

Fighting Evolving Threats

Fighting evolving threats like the Ramnit Trojan is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities. Banks and service providers can use these solutions to detect infections and protect customer endpoints from threats when they emerge — or in this case, re-emerge.

Read the white paper: Stay ahead of threats with global threat intelligence

More from Banking & Finance

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…