pixel_dreams - Fotolia

Ramnit Trojan targeting UK banks reactivated

IBM X-Force researchers advise banks to use adaptive malware detection and real-time endpoint malware intelligence to counter the latest evolution of Ramnit banking malware

The Ramnit banking Trojan has relaunched its cyber crime attack activity, targeting six major banks in the UK, according to IBM X-Force researchers.

The malware – which enables criminals to disable antivirus protection, take control of computers and access users’ passwords, banking information and other personal data – first emerged in 2010 and has survived attempts to shut it down.

Ramnit is also continually evolving. Starting out as a self-replicating worm, the malware was morphed into a banking Trojan, acquiring on-the-fly data theft modules and web injection capabilities borrowed from the Zeus Trojan’s exposed source code in 2011.

Broadly, Ramnit is designed to manipulate online banking sessions to steal user credentials and perform money transfer fraud attacks.

According to X-Force Research, the malware’s most prolific bank fraud phase was in 2014, when it was named the world’s fourth most active financial Trojan after Dyre, Neverquest and Dridex.

In February 2015, the UK’s National Crime Agency (NCA) and other European crime agencies shut down servers used by the Ramnit botnet.

But after a few days, security researchers reported that some parts of the Ramnit botnet were still alive, although the cyber criminals behind it decided to lie low.

Then, in December 2015, IBM X-Force reported renewed Ramnit activity targeting banks and e-commerce in Canada, Australia, the US and Finland.

Again Ramnit servers fell silent, but after eight months, its operators have set up two new, live attack servers and a new command and control server, the researchers have found.

Infection campaign

The attackers have also launched an infection campaign in the UK, and are spreading new Trojan configurations to equip the malware with web-injections designed to target mainly personal banking customers.

Internally, IBM X-Force said the Ramnit payload does not appear to have changed in any significant way, with its operation, architecture and encryption algorithms remaining the same.

However, some parts were updated, such as the Hooker module, which saw some renovation and was renamed Grabber. Also known as a Spy Module, this module is designed to hook the browser, monitoring URL access, enabling data theft in real time and displaying web-injections to the victims.

Ramnit’s DriveScan module also remained unchanged. “This component enables the Trojan to scan the drive for files with interesting keywords, such as ‘wallet’ and the names of banks targeted in the configurations,” said Limor Kessem, executive security adviser at IBM.

“Ramnit’s operators gather that extra information to ensure they don’t miss out on any financial details or credentials that victims may be keeping on their endpoints,” she wrote in a blog post.

VNC module

Although Ramnit features a virtual network computing (VNC) module, the researchers found it does not seem to deploy it immediately. Nonetheless, a VNC module can be dynamically fetched from the malware’s control server at the attacker’s discretion and launched for use at any point, they said.

But the configuration side is where Ramnit authors appear to be preparing for the next phase, with new attack schemes built for real-time fraud attacks targeting online banking sessions, the researchers said.

“Not all attacks have to happen in real time or from the victim’s device,” said Kessem. “Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time.”

According to X-Force threat intelligence, Ramnit appears to be operated by a private, closed cyber gang as Ramnit’s source code has not been openly sold or shared with other cyber criminals.

“From what we have learned so far, there was no change in Ramnit’s status in that sense,” said Kessem. “It is possible that a new gang has picked the project up, but attribution remains vague.”

Ramnit’s current targets appear to be limited to six major UK banks, but X-Force researchers expect the list to grow in the coming days or weeks.

Read more about Ramnit

The malware’s operators are spreading more than one configuration out to new infected bots, with sophisticated social engineering injections and in-session fraud automation all wrapped into the same attack scheme, the researchers said.

In the past, Ramnit has been spread in a variety of ways, including malvertising and malware-laden spam, and Ramnit’s operators have already used popular exploit kits, such as Angler.

To help stop Ramnit, X-Force researchers said banks and service providers could use adaptive malware detection systems and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities.

Users of online banking can protect themselves best by deleting any unexpected emails because most cases of malware infections, including Ramnit, begin with a malware-laden spam email that lures victims into opening an attachment.

Those who frequently bank away from home are also advised to never access any of their personal accounts from public computers.

“Online banking should be carried out from trusted devices that are protected by security solutions,” said Kessem.

Read more on Hackers and cybercrime prevention