Ramnit Malware Makes a Return with New Tricks

Sep 18, 2019 | by Heidi Bleau

Financial malware attacks increased 80 percent in the first half of 2019, and one of the culprits turns out to be an old favorite for fraudsters: the Ramnit Trojan. First detected in 2010, this banking Trojan reappears in new guises every few years to target financial institutions and their customers. Europol led a coordinated takedown effort in Europe in 2015, but Ramnit developers have continued to evolve its capabilities since that time.

Fraudsters don’t always have to create new malware from scratch; they can just bring back old strains in the form of new variations, changing how they work and how they are delivered. Ramnit is a great example of how fraudsters adapt malware over long periods to pose an increasingly sophisticated threat. The latest RSA® Quarterly Fraud Report explores the evolution of Ramnit and its recent changes in functionality, targets and methods of distribution.

Ramnit was originally designed to attack bank accounts by infecting PCs and using them as proxy servers for malicious activity, but analysts in the RSA® Anti-Fraud Command Center have detected several major changes in what Ramnit does, who it targets and how it spreads.

What it does: Previously, Ramnit operated as a botnet, infecting computers, turning them into bots and using them to spread itself to other computers. But based on RSA-observed activity in the last year, the malware’s current objective is to steal credentials via web injects that trick people into providing confidential information.

Who it targets: While Ramnit is best known for focusing on the banking industry in North America and Europe, RSA has recently seen it targeting Japanese entities.

How it spreads: Ramnit was originally distributed using worm capabilities, but it is now distributed via executable files that are downloaded and executed by an unwitting user. RSA has specifically found it distributed by malspam (malware spam via email), with victims downloading it, for example, by clicking on an ad on an insecure website.

Ramnit isn’t the only malware to evolve and adapt to exploit current trends, and it won’t be the last. Remember, it wasn’t that long ago that RSA saw fraudsters turning to Telegram bots to automate their efforts and distributing BankBot malware via rogue WhatsApp apps. Similarly, Ramnit has posed a threat for nearly a decade by constantly shifting its attention to new targets and means of attack that seem promising.

It’s not only financial malware, however, that causes headaches for fraud prevention and security teams. The total number of global fraud attacks detected by RSA increased 63 percent in the first half of the year. The breakdown by attack types and their respective increase follows:

  • Phishing increased 6 percent.
  • Fraud and brand abuse attacks involving social media increased 37 percent.
  • Fraud and brand abuse attacks affiliated with rogue mobile apps increased 191 percent.

Fraud is only one of the many risks that organizations must contend with as they look towards a digital future. Fraud itself, however, is no longer limited mostly to phishing and malware. Social media and mobile applications have provided fraudsters with new channels to exploit and an expanded digital frontier with which to target consumers. Many organizations are just starting to enter the digital arms race and have a ways to go to catch up.

# # #

Did you know: The average value of a CNP fraud transaction in the U.S. was $352, nearly 50 percent higher than that of an average genuine transaction of $220. Get more global fraud facts in the latest RSA® Quarterly Fraud Report: Q2 2019
