| Name | Ramnit |
| Type of Malware | Banking Trojan |
| Date of Initial Activity | 2010 |
| Motivation | Steal account credentials for online banking and additional types of credentials such as those for social media, email, and other accounts or to download and deploy other malware. |
| Attack Vectors | Phishing campaigns, as a file dropped by other malware, as a file downloaded unknowingly by users when visiting malicious sites, fake ‘tech support’ scams, and RIG Exploit Kit |
| Targeted System | Windows |
Overview
Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts.
The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
Depending on particular variants, anti-virus suites can detect Ramnit as “Win32/Ramnit.A” or “Win32/Ramnit.B”. These viruses infiltrate systems without users’ consent and open “backdoors” for other malware to infiltrate the system. Therefore, its presence typically leads to further computer infections.
Targets
Targets Regular Users.Tools/ Techniques Used
Once the target falls for the initial phishing campaign and runs the malware, it downloads and executes additional malware that eventually launches the Ramnit trojan. Ramnit will then attempt to collect banking credentials and may download additional Ramnit modules or other malware to achieve the attacker’s goals.
One of the distinguishing features of the Ramnit malware is the use of both hardcoded domains and a domain generation algorithm (DGA) for command and control. Malware using a DGA generates a sequence of random-looking domains to which it sends command and control traffic.
The attacker’s command and control server runs the same DGA and registers these domains, directing the traffic to the attacker-controlled system. By using a DGA, the malware can avoid DNS blocklists because it is constantly using new, unblocked domains for its traffic.
Ramnit is capable of injecting malicious code into “.dll”, “.exe” and “.HTML” files. Note that Ramnit infects files that are already stored on the computer, and so any existing files are corrupted. Once opened, infected files execute code that stealthily downloads and installs malware onto the system.
