The Ramnit banking Trojan's improvements have now been completed: security experts are observing that the latest version of Ramnit is being distributed through better-organized attacks, aimed mostly at British banks.
When it first appeared back in 2010, Ramnit was a small Trojan with worm-like features. A year later, security researchers noticed that Ramnit's developers had upgraded their product. By borrowing features from the leaked Zeus banking Trojan source code, they turned their Trojan into a dangerous threat.
Ramnit continued to evolve over the next couple of years and, by 2014, it took 4th place in the Most Active Banking Trojans chart. It was supported by a large botnet of infected computers that helped it send spam messages and carry out other malicious activities, thanks to its modular and versatile structure.
All this did not go unnoticed by law enforcement, which in February 2015 tried to take down the botnet by shutting down some of its command-and-control (C&C) servers. The action was not the success they had hoped for: by the end of the same year, Ramnit was back in the game with a second version in development.
When the Trojan resurfaced at the beginning of 2016, its attack rate escalated, targeting financial institutions in the US, Canada, Finland and Australia. Currently, according to security firm IBM, the Trojan's main targets are UK-based banks, but Ramnit version 2 appears to be ready for much wider distribution.
Researchers say that Ramnit has received a small upgrade, with a few features added to broaden its attack surface. According to IBM, its VNC module used for data exfiltration and its data scanner component, which identifies information worth stealing, have not changed. The same goes for the module tasked with injecting malicious code into the infected victim's browser.
“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real-time fraud attacks targeting online banking sessions,” said Limor Kessem, an IBM researcher. “Not all attacks have to happen in real time or from the victim’s device; Ramnit’s operators can also gather credentials from infected users and use them to commit account takeover fraud from other devices at a later time.”
Experts expect that, with this second version, the Trojan will return to its strongest 2014 levels. They also assume that UK banks will not remain its main target for long and that it will add more countries to its target list in the near future.