Ramnit Rears Its Ugly Head Again, Targets Major UK Banks
IBM X-Force researchers recently reported that the
Ramnit Trojan has relaunched, targeting six major banks in the U.K.
After a silent period of about eight months,
researchers observed that Ramnit’s operators set up two new live attack servers
and a new command-and-control (C&C) server. They launched an infection
campaign in the U.K. and are spreading new Trojan configurations to equip the
malware with webinjections designed to target personal banking users.
Ramnit Returns
Internally, the Ramnit payload does not appear to have changed in any significant way; its operation, architecture and encryption algorithms remained the same. Some parts were updated, such as the “Hooker” module, which was renovated and renamed “Grabber.” Also known as a spy module, it hooks the browser to monitor URL access, steal data in real time and display webinjections to victims.
Ramnit’s DriveScan module remained unchanged. This
component enables the Trojan to scan the drive for files with interesting
keywords, such as “wallet,” “passwords,” and the names of banks targeted in the
configurations. Ramnit’s operators gather that extra information to ensure they
don’t miss out on any financial details or credentials victims may be keeping
on their endpoints.
Although Ramnit has featured a virtual network computing (VNC) module since its original versions, it does not appear to deploy it immediately. Nonetheless, the VNC module can be fetched dynamically from the malware’s control server at the attacker’s discretion and launched at any point.
The configuration side is where we can see that
Ramnit has been preparing for the next phase, with new attack schemes built for
real-time fraud attacks targeting online banking sessions. Not all attacks have
to happen in real time or from the victim’s device; Ramnit’s operators can also
gather credentials from infected users and use them to commit account takeover
fraud from other devices at a later time.
This research was part of my work with IBM
X-Force. Read the rest of this post here.