The Ramnit malware (also detected as Virus.Ramnit.J) is one of the most dangerous banking Trojans and has caused numerous infections worldwide. The newly discovered Black botnet has been attributed to the same group. This article gives details about the threat.
Black Botnet Crafted by The Ramnit Hackers
A dangerous new threat called the Black botnet has been reported by the security community. It was found in a large-scale attack campaign that has been active for two months; reports put its size at around 100,000 infected systems. Analysts found that the botnet uses the same C&C servers as previous attacks associated with the Ramnit banking Trojan, and an investigation into the server shows that it has been active since at least March 6, 2018. In the early stages of the campaign the operators kept the number of infections low. The botnet's main goal appears to be delivering a customized version of the Ramnit Trojan.
An interesting detail is that the Black botnet encrypts the traffic between the infected host and the C&C server with the RC4 stream cipher. Several distinct characteristics identify it:
- Many of the collected samples use hardcoded C&C domain names.
- The C&C servers have not been observed uploading or downloading additional modules.
- All additional components are bundled into a single package.
- The Ramnit banking Trojan is used to deliver another piece of malware called Ngioweb.
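Because RC4 is a symmetric stream cipher, the same routine encrypts and decrypts, and the key is normally a constant hardcoded in the sample next to the C&C domains. The following Python is an added example, not code from the original article or from the malware: it implements RC4 and tries a list of candidate keys (in practice, strings pulled from the binary) against a captured C&C blob, keeping the one that yields readable output. The check-in message, the key and the candidate list are all constructed for the example and are not real Ramnit or Ngioweb artefacts.

```python
# Added example (not code from the original article): RC4 implementation plus a
# candidate-key sweep over a captured C&C blob. All sample data below is constructed.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).
    Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: XOR each byte with the keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(blob: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: the right key gives mostly printable ASCII, a wrong key gives noise."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(blob) >= threshold


def recover_key(ciphertext: bytes, candidates):
    """Return (key, plaintext) for the first candidate that decrypts to readable text,
    or None if no candidate works."""
    for key in candidates:
        plain = rc4(key, ciphertext)
        if looks_like_plaintext(plain):
            return key, plain
    return None


# Constructed sample: a made-up bot check-in and a made-up hardcoded key.
SAMPLE_KEY = b"c0nstructed-k3y"
SAMPLE_PLAINTEXT = b"id=0123456789abcdef&os=win10&cmd=get_modules\r\n"
SAMPLE_C2_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)   # what the pcap would contain

if __name__ == "__main__":
    # Candidate keys would normally come from strings/decompiler output of the sample.
    print(recover_key(SAMPLE_C2_BLOB, [b"wrong-guess", b"Ramnit", SAMPLE_KEY]))
```

The printable-ASCII heuristic is deliberately simple; for a binary C&C protocol you would replace `looks_like_plaintext` with a check for the expected message framing (magic bytes, length field, bot ID) instead.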
The Ngioweb malware itself functions as a proxy server that uses its own binary protocol with two separate layers of encryption, and the proxy can be operated in two main modes. The fact that the Ngioweb samples are packed together with the Ramnit Trojan suggests to analysts that the main distribution method is either an existing botnet infection or a separate phishing email campaign.
The first mode is called regular back-connect proxy. The bot establishes a connection to a stage-1 C&C server and to a remote host, and relays data between the two over the encrypted channel. Because the bot initiates the outbound connection, the operators gain access to the internal resources of the network where the infected host resides without needing any inbound path to it.
The second mode of operation is called Relay Proxy and is considered more powerful: it lets the Black botnet operators build whole “chains” of proxies and hide their services behind the bot's IP address.
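The two modes differ only in who opens the connection: a back-connect bot dials out to the C&C and then serves requests against the inside network, while a relay bot listens and forwards to the next hop, so relays can be chained. The Python below is an added loopback simulation written for this article, not Ngioweb's code and not its protocol (the encryption layers are omitted). Every party is a thread on 127.0.0.1: the "internal service" stands in for a resource only reachable from inside the victim network, and the "operator" stands in for the stage-1 C&C server.

```python
# Added example (not code from the original article or from Ngioweb): loopback
# simulation of the regular back-connect mode and of a relay-proxy chain.
import socket
import threading

socket.setdefaulttimeout(5)  # turn any hang in the demo into an exception


def listen_loopback() -> socket.socket:
    """Bind a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def serve_once(srv: socket.socket, handler) -> None:
    """Accept a single client, run handler on it, then close the listener."""
    conn, _ = srv.accept()
    with conn:
        handler(conn)
    srv.close()


def forward_once(conn: socket.socket, next_hop) -> None:
    """Proxy core: read one request from conn, push it to next_hop, hand the reply back."""
    request = conn.recv(4096)
    with socket.create_connection(next_hop) as upstream:
        upstream.sendall(request)
        reply = upstream.recv(4096)
    conn.sendall(reply)


def start_internal_service() -> int:
    """Constructed stand-in for an internal host that answers one request."""
    srv = listen_loopback()

    def handle(conn):
        conn.sendall(b"INTERNAL-RESPONSE to " + conn.recv(4096))

    threading.Thread(target=serve_once, args=(srv, handle), daemon=True).start()
    return srv.getsockname()[1]


def start_relay(next_hop) -> int:
    """Relay-proxy mode: the bot listens and passes traffic to the next hop, so hops chain
    and the operator's real endpoint sits behind the bot's IP address."""
    srv = listen_loopback()
    threading.Thread(target=serve_once, args=(srv, lambda c: forward_once(c, next_hop)),
                     daemon=True).start()
    return srv.getsockname()[1]


def run_back_connect_bot(c2_addr, next_hop) -> None:
    """Regular back-connect mode: the bot dials OUT to the C&C, then serves the
    operator's request against the inside network."""
    with socket.create_connection(c2_addr) as c2:
        forward_once(c2, next_hop)


def operator_reaches_internal(request: bytes, relay_hops: int = 0) -> bytes:
    """Drive one exchange: operator -> back-connect bot -> relay chain -> internal service.
    Returns the bytes the operator receives."""
    next_hop = ("127.0.0.1", start_internal_service())
    for _ in range(relay_hops):                 # build the chain from the inside outwards
        next_hop = ("127.0.0.1", start_relay(next_hop))

    c2 = listen_loopback()                      # the operator's stage-1 C&C listener
    c2_addr = ("127.0.0.1", c2.getsockname()[1])
    bot = threading.Thread(target=run_back_connect_bot, args=(c2_addr, next_hop), daemon=True)
    bot.start()

    conn, _ = c2.accept()                       # the bot calls home
    with conn:
        conn.sendall(request)                   # operator asks for an internal resource
        reply = conn.recv(4096)
    c2.close()
    bot.join(timeout=5)
    return reply


if __name__ == "__main__":
    print(operator_reaches_internal(b"GET /internal/secret", relay_hops=2))
```

The detection lesson is in `run_back_connect_bot`: from the network's point of view the bot only ever makes an outbound connection, so an egress-only firewall policy does not stop it, and the thing to watch for is a long-lived outbound session to a hardcoded domain carrying traffic that does not match the port's expected protocol.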
The main purpose of the Black botnet is to launch the Ngioweb malware. Once launched, it spawns numerous processes and injects itself into system-bundled or user-installed applications, then allows the operators to execute arbitrary commands on the host. It also infects the user's main browser. It establishes persistence by manipulating the Startup settings, adding a scheduled task and creating the associated Windows Registry key.
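Those three persistence locations (Startup folder, scheduled task, Registry autostart key) are exactly what a responder should enumerate on a suspected host. The script below is an added example written for this article, not a tool from the original page or from any vendor, and it keeps the page's Python rather than PowerShell so that the parsing and flagging logic can be exercised on any platform. The collectors only work on Windows (they use `winreg` and `schtasks`). Two assumptions are labelled in the code: that the Registry key in question is one of the usual Run/RunOnce keys (the article does not name it), and that an autostart command pointing into a user-writable directory is worth a second look, which is a general triage heuristic rather than something the article states about Ramnit.

```python
# Added example (not code from the original article): triage of the three persistence
# locations named above. Collectors need Windows; parse_schtasks_csv and
# flag_suspicious are pure and run anywhere. Sample data below is constructed.
import csv
import io
import os
import platform
import subprocess

RUN_KEY_PATHS = (  # assumption: the usual Run/RunOnce autostart keys
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# assumption: a launch command under one of these is unusual for legitimate autostarts
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_schtasks_csv(text: str):
    """Turn `schtasks /query /fo CSV /v` output into (source, name, command) tuples.
    schtasks repeats its header line per task folder, so those rows are skipped."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        name, command = row.get("TaskName", ""), row.get("Task To Run", "")
        if name == "TaskName" or not name:
            continue
        entries.append(("schtasks", name, command))
    return entries


def flag_suspicious(entries):
    """Keep autostart entries whose command points into a user-writable location."""
    flagged = []
    for source, name, command in entries:
        path = command.lower().replace("/", "\\")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            flagged.append((source, name, command))
    return flagged


def collect_registry_run_entries():
    """Enumerate values under the Run/RunOnce keys in HKCU and HKLM (Windows only)."""
    import winreg
    entries = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for path in RUN_KEY_PATHS:
            try:
                key = winreg.OpenKey(hive, path)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:      # no more values
                        break
                    entries.append((hive_name + "\\" + path, name, str(value)))
                    i += 1
    return entries


def collect_startup_folder_entries():
    """List the per-user and all-users Startup folders (Windows only)."""
    sub = r"Microsoft\Windows\Start Menu\Programs\Startup"
    folders = [os.path.join(os.environ.get("APPDATA", ""), sub),
               os.path.join(os.environ.get("PROGRAMDATA", ""), sub)]
    entries = []
    for folder in folders:
        if os.path.isdir(folder):
            for item in os.listdir(folder):
                entries.append(("startup-folder", item, os.path.join(folder, item)))
    return entries


def collect_scheduled_tasks():
    """Run schtasks and parse its verbose CSV output (Windows only)."""
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=False)
    return parse_schtasks_csv(out.stdout)


# Constructed sample of schtasks CSV output: one benign task and one suspicious one.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"\n'
    '"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive","N/A","0","Microsoft","%windir%\\system32\\defrag.exe -c"\n'
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"\n'
    '"PC1","\\Updater","N/A","Ready","Interactive only","N/A","0","PC1\\user","C:\\Users\\user\\AppData\\Roaming\\svchost.exe"\n'
)

if __name__ == "__main__":
    entries = parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)
    if platform.system() == "Windows":
        entries += collect_registry_run_entries()
        entries += collect_startup_folder_entries()
        entries += collect_scheduled_tasks()
    for hit in flag_suspicious(entries):
        print(hit)
```

Run it as the user whose profile is suspected, then once elevated so the HKLM key and the all-users Startup folder are readable. A hit is a lead, not a verdict: confirm it by hashing the referenced file and comparing its creation time with the campaign window.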
All in all, this shows that criminal collectives continue to develop new tools and methodologies to spread banking Trojans.