The Return of Ramnit: Life After a Law Enforcement Takedown

Organized cybercrime is known to attract the attention of international law enforcement and regional counter-cybercrime task forces. Botnet takedowns are one of the means by which police forces from around the world coordinate the disruption of digital crime.

Cases of botnet takedowns date back to a variety of spam zombie networks like Pushdo, Rustock, Grum and Simda, and they have been expanded to include the more complex task of taking down banking Trojan infrastructures.

Ramnit Gets Taken Down

So far, the truly big cases have been the GameOver Zeus botnet, which relied on an internal P2P scheme to run a more secure and resilient zombie bot army, and Shylock, which was disrupted by British police, an international consortium of law enforcement agencies and information security firms — and, of course, Ramnit. Since then, police have taken down another botnet, NgrBot (aka Dorkbot), as well.

In cases where law enforcement intervened to take down the servers and future communication domain rendezvous of banking Trojan operations, gangs did not appear to recover. This is possibly because they wanted to escape attention from law enforcement and potential legal consequences.

While spam botnets have been known to come back from the dead, banking Trojan botnets never have. Until September this year, takedown operations targeting major financial malware were widely considered the death of the operation, making the gang behind it lose touch with all its money-making zombies.

According to IBM X-Force researchers, that may have officially changed in December 2015. Not even a year after Ramnit was taken down, we are seeing what appears to be the first real re-emergence of the banking Trojan botnet. The conclusion comes from IBM X-Force malware researchers, who have found a new variant of the Ramnit banking Trojan and botnet. Both are already active in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.

New Ramnit Emerges – Target Geo Distribution per URL Count (Source: IBM Trusteer)

The Ramnit botnet is communicating with new attack servers, employs a completely new and much shorter configuration file and uses a revamped webinjection scheme against its infected victims.

Learn why global threat intelligence is more important than ever in the fight against web fraud

Ramnit’s Past Life

When Ramnit was first discovered in the wild in 2010, it was only the name of a worm used as an infection vector that leveraged the use of removable drives and network shares to spread to new endpoints. In 2011, Ramnit’s developer took up the task of dressing this virus with code chunks borrowed from the leaked Zeus Trojan sources and turned it into a banking Trojan.

Within three years, the Ramnit Trojan gained quite a bit of momentum in its cybercrime operations. In its pre-takedown life, Ramnit was one of the top banking Trojans in the cybercrime arena, ranking fourth on the most active banking Trojan list in 2014, right under Neverquest (Vawtrak) and alongside other major gangs such as Shylock, Dyre and the Bugat (Dridex) bunch.

Ramnit's Global Ranking in 2015 Versus 2014 (Source: IBM Trusteer)

At the time, Ramnit primarily attacked in the U.K., U.S. and Australia. The Trojan sported a hefty configuration file replete with URL triggers that told it which banks, online transactions and social networking sites to harvest credentials from. In addition to its wanted list, Ramnit used its configuration to steer victims away from a rather exhaustive list of online anti-malware scans, antivirus websites, cybercrime information sites and security blogs. In its old configuration, the mere use of the words “cybercrime” or “police” on a victim’s part triggered a redirection effect.

Another very visible part of Ramnit’s previous configurations was the massive amount of job recruitment sites it targeted, harvesting user credentials from the sites in order to target those looking for a job and recruit them. For the victims, this would be a double-edged sword since Ramnit’s operators could also obtain all the information they put on their professional CV.

It was pretty clear that the gang behind this Trojan intended to recruit as many mules as possible in each targeted country. Mules are central to the cash-out chain of stolen funds; oftentimes, gangs will also rent out their network of money mules to other cybercriminals in need.

Back in Business

Up to this point, Ramnit was believed to be owned by one cybercrime gang and exclusively operated by one team. According to IBM X-Force Threat Intelligence, Ramnit’s source code was never openly sold or shared with other cybercriminals and it was not part of underground chatter. From what we’ve learned so far, nothing seems to point to a notable change in terms of who is behind Ramnit. It is possible that a new gang has picked the project up, but attribution remains vague in this case.

The new Ramnit variants discovered by IBM X-Force are identical to the previous ones in terms of their source code and behavior patterns. The only change in modus operandi is expressed in the webinjections and the configuration file, which are both considered to be moving parts in the inner workings of any banking Trojan. Recent findings from IBM X-Force indicated that a number of other Trojans, like Shifu, Dridex and Neverquest, have been using the exact same webinjections and remote servers, which can be indicative of gangs purchasing software-as-a-service (SaaS) from the same injection developers.

Strangely enough, Ramnit’s old configuration server is still up, sending configuration files into thin air without any bots on the other end.

The new server commands newly infected machines that are receiving Ramnit through the Angler exploit kit. It regularly updates them with configurations and executable file builds. The new Ramnit also operates with a real-time webinjection server, selectively pulling attack schemes on the fly when infected users browse to a few major banks in Canada.

What’s Next?

Ramnit has been known to mostly spread itself via malvertising campaigns that lead users to an exploit kit. At this time, it is believed to be using the Angler EK, but this is probably not the only infection tactic. Ramnit’s operators have varied their propagation campaigns in the past and may be launching them in additional forms, such as poisoned macros, email attachments and the usual worm behavior typical to this malware.

At the time of this writing, Ramnit attacked major banks in Canada, Australia, the U.S. and Finland. Judging by the previous activity of this malware, it is likely that Ramnit’s operators will spread their reach into other parts of the world in the coming months as they build their new botnet and resources.

Fighting Evolving Threats

Fighting evolving threats like the Ramnit Trojan is made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities. Banks and service providers can use these solutions to detect infections and protect customer endpoints from threats when they emerge — or in this case, re-emerge.

Read the white paper: Stay ahead of threats with global threat intelligence

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.