Ramnit’s revival is now complete as security researchers are starting to see more coordinated attacks spreading the banking trojan’s latest version, with the vast majority of targets being banks from the UK.
Ramnit appeared in 2010, but in the beginning was only a small trojan with wormable features.
It evolved into a dangerous threat in 2011, when security researchers saw Ramnit’s developers slowly add capabilities usually seen in banking trojans, borrowing features from the leaked Zeus banking trojan source code.
Ramnit v1’s botnet was taken down in February 2015
As time went by, Ramnit evolved, and by 2014, the trojan was the fourth most active banking trojan on the market, supported by a huge botnet of infected PCs that helped it send spam and perform other sorts of illegal activities thanks to Ramnit’s modular and versatile structure.
This success drew the attention of law enforcement, which in February 2015 sinkholed some of Ramnit’s C&C servers in an attempt to take down the botnet.
Things didn’t turn out as they hoped, because by November and December of 2015 the trojan was back in action, with its developers already working on an early v2.
Ramnit v2 surfaces online, currently focuses on the UK
As 2016 came along, Ramnit attacks slowly picked up steam once more. Early attacks targeted banks in Canada, Australia, the US and Finland.
According to IBM, current attacks only focus on UK banks, but version 2.0 of Ramnit seems to be ready for widespread distribution.
The trojan has undergone only a small facelift, but it has gained more features that broaden the range of attacks it can carry out.
IBM reports that its module tasked with injecting malicious code into the infected victim’s browser has remained the same, as have its VNC-based data exfiltration module and its data scanner component that identifies information worth stealing.
“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real-time fraud attacks targeting online banking sessions,” Limor Kessem, an IBM researcher, explains. “Not all attacks have to happen in real time or from the victim’s device; Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time.”
As Ramnit v2 development reaches its final phases, expect Ramnit spam and exploit kit development to intensify once more, possibly at the levels seen in 2014, and expand the target list to include more countries.