Beware online Bankers! Ramnit Botnet is back!

In February, European law enforcement disrupted a botnet named “Ramnit”. That botnet is now back, and it is targeting online banking customers around the world.

A new variant of the well-known Ramnit Trojan has been found by security researchers at IBM. Earlier this year the botnet comprised roughly 3 million computers around the world before law enforcement agencies from several European countries took it down. This time it is back with new malicious infrastructure, different from the old one, and it is more harmful.

Ramnit was first spotted as a worm in 2010. Its authors then reworked the code, and in 2011 it became a banking Trojan. It was most successful in 2014, when it became the fourth-largest botnet in the world. That was not the end of it, and now it is back once again.

Limor Kessem, a cyber intelligence expert at IBM, wrote in a blog post: “According to the IBM researchers, which may have officially changed in 2015, in February law enforcement agencies took over this Trojan, and it is back once again. Not even a complete year has passed yet. This banking Trojan came with new source code and scripts which are not easy to understand, even by experts.”

This version of the Ramnit botnet uses a different C&C (command and control) infrastructure. More than half of the machines it has infected are in Canada, followed by the US, Australia and Finland, experts said.

How it works

It uses a short configuration file, as other threats such as Shifu and Dridex do, and it implements web injections in the same way those Trojans do. IBM examined the new Ramnit's web-inject code and found it very similar to theirs. The injections are served to the infected machine from a remote server and inserted into the banking site's pages in the victim's browser, experts said.

The configuration file and the web-injection code are the two major moving parts in the inner workings of any banking Trojan. The same web injections and remote injection server used by the criminals behind Ramnit were previously used by other Trojans such as Neverquest, Dridex and Shifu, which suggests the criminals are buying this malicious code from the developers who supply those older Trojans, IBM X-Force said. Experts observed the popular Angler exploit kit distributing the Trojan, including through malvertising, alongside several other infection vectors.

Machines are infected with Ramnit through the Angler exploit kit; once installed, the Trojan regularly fetches updated commands, configuration and executable files from its C&C infrastructure. Real-time web-injection servers are also part of the operation: they deliver the attack content to the infected machine's user while they browse the websites of several major banks in Canada. The old Ramnit botnet was run by a single cybercriminal group, which never sold its source code.
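To make the mechanism described above concrete, here is an added example (not Ramnit's code, nor anything from IBM) of how a banking Trojan's web inject works and how a defender can spot one. It reads a config in the Zeus-style set_url / data_before / data_inject / data_after syntax that many banking Trojans adopted (the page does not say which format Ramnit uses, so that is an assumption), rewrites a served login page the way the Trojan would in the browser, and then diffs the rendered form against what the server actually sent. The bank URL, page and field names are constructed; the "insert right after the data_before match" rule is a simplification of how real injects apply.

```python
"""Web-inject mechanism of a banking Trojan, illustrated. Added example, not
Ramnit's code. Config syntax is Zeus-style (assumption); bank URL, page and
field names are constructed sample data."""
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class InjectRule:
    url_pattern: str   # wildcard pattern for the targeted bank page
    before: str        # wildcard pattern; HTML is inserted right after its match
    inject: str        # HTML the Trojan inserts (e.g. an extra credential field)
    after: str         # wildcard pattern that must follow the insertion point


# Constructed sample config in Zeus-style syntax (assumption, see above).
SAMPLE_CONFIG = """
set_url https://online.example-bank.test/login* GP
data_before
name="password"*>
data_end
data_inject
<input type="text" name="atm_pin" placeholder="ATM PIN">
data_end
data_after
</form>
data_end
"""

# Constructed page as the bank's server sends it, before any tampering.
SERVED_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password" id="pw">
<button>Sign in</button>
</form></body></html>"""


def _wild(pattern: str) -> re.Pattern:
    """Turn a '*' wildcard pattern into a non-greedy regex."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.S)


def parse_config(text: str) -> List[InjectRule]:
    """Parse set_url blocks with data_before/data_inject/data_after sections."""
    rules = []
    lines = [ln.strip() for ln in text.strip().splitlines()]
    cur = None
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("set_url "):
            cur = {"url": ln.split()[1], "before": "", "inject": "", "after": ""}
            rules.append(cur)
        elif ln in ("data_before", "data_inject", "data_after") and cur is not None:
            key = ln[len("data_"):]
            body = []
            i += 1
            while i < len(lines) and lines[i] != "data_end":
                body.append(lines[i])
                i += 1
            cur[key] = "\n".join(body)
        i += 1
    return [InjectRule(r["url"], r["before"], r["inject"], r["after"]) for r in rules]


def apply_injects(url: str, html: str, rules: List[InjectRule]) -> str:
    """What the Trojan does in the browser: rewrite the served page in flight.
    Simplification: the inject is placed immediately after the data_before match,
    and only if the data_after marker appears later in the page."""
    for rule in rules:
        if not _wild(rule.url_pattern).fullmatch(url):
            continue
        m = _wild(rule.before).search(html)
        if not m:
            continue
        if rule.after and not _wild(rule.after).search(html, m.end()):
            continue
        html = html[:m.end()] + rule.inject + html[m.end():]
    return html


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def unexpected_fields(served_html: str, rendered_html: str) -> Set[str]:
    """Defensive check: form field names present in the rendered page but absent
    from what the server sent, the signature of a form-grabbing inject."""
    return set(_INPUT_NAME.findall(rendered_html)) - set(_INPUT_NAME.findall(served_html))


def demo():
    rules = parse_config(SAMPLE_CONFIG)
    rendered = apply_injects("https://online.example-bank.test/login?lang=en",
                             SERVED_PAGE, rules)
    return rendered, unexpected_fields(SERVED_PAGE, rendered)


if __name__ == "__main__":
    page, extra = demo()
    print(page)
    print("fields the server never sent:", extra)
```

The injected "ATM PIN" box sits inside the bank's own form, over HTTPS, with a valid certificate, which is why victims cannot tell from the address bar; the only reliable tell is the difference between the DOM and the server's response, which is what `unexpected_fields` measures and what a bank's client-side integrity script or a tester with a proxy capture can check.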

Limor Kessem also said that there are no major changes in the new Ramnit; it looks as though a new criminal crew has picked the project up, with the same motive as before. The operation is limited to Canada for now, but experts expect the criminals to expand it to other countries.