• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   RAMNIT: The Comeback Story of 2016

RAMNIT: The Comeback Story of 2016

  • Posted on:February 20, 2017 at 12:01 am
  • Posted in:Malware
  • Author:
    Trend Micro
0

Earlier this year, Action Fraud, the UK’s fraud and cybercrime reporting center, issued a warning that cyber criminals were taking advantage of generous individuals by sending phishing emails purportedly from Migrant Helpline, a charity organization dedicated to assisting migrants across the country. These emails contain a link that is supposed to lead to a donations page. However, instead of landing on a legitimate website, the user instead unwittingly downloads one of the most tenacious malware in the wild: the veteran Trojan known as RAMNIT, which staged a comeback in 2016.

In our 2016 roundup, we discussed how banking trojans continue to be a significant threat for organizations. According to our Smart Protection Network™ data, several RAMNIT variants were detected in several computer systems as the top banking malware by detection name for every quarter of 2016, a surprising revelation given its February 2015 takedown which saw Europol shut down several of its command-and-control servers. At the time of the Europol takedown, RAMNIT was believed to have infected up to 3.2 million users.

Given the scope of the operation, it would have been reasonable to assume that there would be a significant decrease in RAMNIT infections post-takedown. But while there was a dip in infections for February 2015, it bounced back almost immediately the next month, maintaining an infection mark of more than 10,000 for the rest of 2015. The malware was reported to have resurfaced in December 2015 and August 2016, which might account for the spikes seen in the succeeding months.

Figure 1. RAMNIT infection data for 2015 and 2016

One important point that needs to be made is that RAMNIT the malware should be distinguished from the cyber criminals responsible for its spread. We’ve already seen a similar case with DRIDEX, which was targeted by the FBI in 2015 and reemerged under similar circumstances, proving that takedowns do not necessarily correlate to a drop in infections. We can surmise that RAMNIT has grown beyond the scope of the original threat actors as seen through its continued persistence throughout 2016.

An ever-evolving threat

In 2010, we detected our earliest variant of RAMNIT, HTML_RAMNIT.ALE, which is a basic HTML Trojan that drops and executes its payload on the infected system. Its relative simplicity contrasts with VBS_RAMNIT.SMC and PE_RAMNIT, two variants we discovered in 2016 post-takedown.

Figure 2. Ramnit Infection flow

 

Figure 2: RAMNIT Infection Flow

VBS_RAMNIT.SMC executes once a user accesses the website in which it is hosted, after which it drops and executes PE_RAMNIT, a malware which is notable for having high damage potential with both backdoor and information theft capabilities. PE_RAMNIT then uses C&C communication to receive remote commands and send information such as stolen cookies and sensitive account data. It also injects malicious codes into bank webpages in order to access confidential client information from unsuspecting victims. Furthermore, PE_RAMNIT proves itself to be a stubborn malware by injecting itself into all running processes to remain memory-resident, and deleting antivirus-related registry keys to make it undetectable.

  • 32bit FTP
  • BulletproofFTP
  • ClassicFTP
  • Coffee cup ftp
  • Core ftp
  • Cute FTP
  • Directory opus
  • FFFtp
  • FileZilla
  • FlashXp
  • Fling
  • Frigate 3
  • FtpCommander
  • FtpControl
  • FtpExplorer
  • LeapFtp
  • NetDrive
  • SmartFtp
  • SoftFx FTP
  • TurboFtp
  • WebSitePublisher
  • Windows Total commander
  • WinScp
  • WS FTP

Table 1: RAMNIT attempts to steal account information used in the following installed FTP clients or file manager software

RAMNIT’s ability to evolve and spread is a key factor to its prevalence. First encountered in 2010, the original RAMNIT variant was a worm that propagated through removable drives and FTP servers. In 2011, it was discovered that RAMNIT copied portions of the Zeus source code, transforming it into a banking Trojan that stole user credentials and other personal information. Its perpetrators have also expanded the malware’s capabilities over the years, adding features such as web injection mechanisms, allowing it to compromise the websites of financial organizations.

RAMNIT’s proliferation can be attributed to its wide variety of distribution channels, which includes traditional phishing scams such as email spam and social engineering attacks. Recently, RAMNIT was also found to have been spreading via an Angler exploit kit found embedded in a compromised website, adding to its already impressive list of attack vectors. As an infector, RAMNIT can easily spread to new victims who are unable to clean up the infected files, making them prone to reinfection.

Prevention is the best cure

RAMNIT’s rise proves that users can still fall victim to “classic” threats. Not only is there a need to be extra vigilant, it is also important to implement guidelines and best practices to protect the organization against evolving threats like RAMNIT:

  • Organizations need to educate their end users on the best practices for email and social media security such as never clicking links or downloading attachments, especially if it comes from suspicious sources.
  • Network administrators should also look into shoring up their email security by implementing an effective antispam strategy, which includes optimizing their organization’s web filters and detection level thresholds. Furthermore, any suspicious emails with embedded links should be reported to the IT department for further analysis.
  • As we’ve observed in the Migrant Helpline case, the use of phishing plays a large part in RAMNIT’s spread. Users should be aware of what to look out for when it comes to the social engineering tactics used by cyber criminals to get them to click links or download files.
  • Implementing two factor authentication and managing account passwords on a regular basis will help protect users from cyber criminals who are looking to steal confidential information.

Trend Micro Solutions

Trend Micro protects users and organizations through Trend Micro™ Smart Protection™ Suites and Trend Micro™ Security, which provides comprehensive multilayered solutions, including the ability to detect malware and block malicious URLs that spread Trojans such as RAMNIT. For small businesses, they can use Trend Micro Worry-Free™ Business Security to secure their systems.

With additional insights from Nikko Tamaña

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability
  • February Patch Tuesday: Batch Includes 77 Updates That Cover Flaws in Internet Explorer, Exchange Server, and DHCP Server
  • Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
  • Windows App Runs on Mac, Downloads Info Stealer and Adware
  • Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners

Popular Posts

  • Going In-depth with Emotet: Multilayer Operating Mechanisms
  • February Patch Tuesday: Batch Includes 77 Updates That Cover Flaws in Internet Explorer, Exchange Server, and DHCP Server
  • Various Google Play ‘Beauty Camera’ Apps Send Users Pornographic Content, Redirect Them to Phishing Websites and Collect Their Pictures
  • Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
  • Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.