Checkpoint security experts reported that they found a massive proxy botnet, tracked as “Black” botnet, created by Ramnit developers.
Ramnit was first registered in 2010 and it is currently known as one of the most popular banking malware families. In 2011, the botnet developers improved it starting from the leaked Zeus source code and turning the malware into a banking Trojan. In 2014, the “Black” botnet became the fourth largest botnet in the world.
The next year, Europol announced the takedown of the Ramnit C2 infrastructure. However, just a few months later, the IBM security experts found a brand new version of the Ramnit Trojan.
A while ago, the researchers reported that the “Black” botnet has infected more than 100,000 devices in two months, and this is just the beginning because a second-stage malware called Ngioweb is already spreading around.
Most probably, the developers of Ramnit are using the two malware to create a large, multi-purpose proxy botnet which could be used for a number of fraudulent activities.
“Recently we discovered the Ramnit C&C server (18.104.22.168) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” the Checkpoint security analysis states.
“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”
The researchers claim that in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware called Ngioweb.
“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” the Checkpoint analysis reads.
“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”
What the Ngioweb malware does, is leveraging a two-stage C&C infrastructure, where the STAGE-0 C&C server informs the malware about the STAGE-1 C&C server while the unencrypted HTTP connection is used for this purpose. The second STAGE-1 C&C server is used for controlling malware via an encrypted connection.
Ngioweb can operate in two main modes – the Regular back-connect proxy, and the Relay proxy mode. Being in the Relay proxy mode, Ngioweb lets its creators build chains of proxies and hide their services behind the IP address of a bot.