The infamous Ramnit Trojan is on the prowl again, and this time it targets personal banking customers of six unnamed UK banks.
The Trojan has not changed much since we last saw it targeting banks and e-commerce sites in Canada, Australia, the USA, and Finland in December 2015: it still uses the same encryption algorithms, and the same (but updated) data-grabbing, web-injection, and file-exfiltrating modules (the latter is after files with interesting keywords, like ‘wallet’, ‘passwords’, and bank names targeted in the configurations).
“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real time web-fraud attacks targeting online banking sessions,” IBM X-Force researchers explain. “Not all attacks have to happen in real time or from the victim’s device. Ramnit’s operators can also gather credentials from infected users and use them at a later time, in account takeover fraud from other devices.”
IBM warns of the Trojan’s resurgence after X-Force researcher Ziv Eli spotted the malware’s operators have set up two new attack servers and a new command and control server.
Whether these are the same operators that developed and used Ramnit in the last six years and went into temporary hiding after, in February 2015, a coalition of European law enforcement agencies shut down C&C servers used by the RAMNIT botnet is impossible to tell.
The Trojan’s source code was never sold or shared on underground forums, and IBM researchers believe it to be either still in the hands of the original cybergang, or of another one that bought it off of them.
If past delivery techniques are used again, the Trojan will be spread via spam, malvertising and exploit kits. IBM has helpfully provided indicators of compromise for administrators to use to spot the malware.