
Ramnit Trojan

Ramnit is a polymorphic banking trojan and backdoor malware that targets financial, engineering and government organisations globally.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Affected platforms

The following platforms are known to be affected:

Threat details

Ramnit was first observed in 2010 acting as a computer worm and botnet. Its capabilities were continually improved until it had infected over 3 million users, and in 2011 it copied sections of the Zeus source code to add information-theft abilities. In early 2015, a Europol-led operation successfully dismantled the Ramnit botnet and arrested its original operators; despite this, it resurfaced in 2016 and has been observed in a number of different campaigns since then.

The original Ramnit variant propagated via vulnerable FTP servers or removable drives; later versions were delivered through spam or phishing campaigns, drive-by downloads, watering hole attacks, or popular exploit kits such as Angler. Fake Android applications are also used to deliver Ramnit: the disguised files are dormant on the Android device itself but will propagate to any Windows device that is connected to it.

Once on a device, Ramnit writes itself into all available EXE, DLL, HTM and HTML files to maintain persistence and improve propagation. This makes it very difficult to remove Ramnit without completely wiping the infected device. It then injects itself into all running processes to remain memory-resident, before removing any security-related registry keys. Variants from 2014 onward are also able to infect the Master Boot Record.

Ramnit's primary focus is the theft of financial or banking credentials and information; however, it can also download additional malware, simulate user input, inject malicious code into visited websites, receive remote commands and collect user or system information. Some versions use the Windows CreateDesktop feature to create a hidden desktop that the attacker can use to execute applications without the user's knowledge.
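The hidden-desktop behaviour described above can be checked for from the defender's side by enumerating the desktops in the interactive window station. The Python script below is an added example, not part of the original alert: it lists every desktop via the Win32 EnumDesktops and EnumDesktopWindows APIs and flags any name outside the ones Windows creates itself; the whitelist of standard desktop names is an assumption for a default Windows session, and the desktop names used in the checks are constructed.

```python
"""Added defender check: flag desktops in this process's window station that
Windows itself would not have created. Assumption: a normal session has only
"Default", "Winlogon", "Disconnect" and, during a screen saver, "Screen-saver";
any other name came from CreateDesktop(), and windows on it mean hidden activity."""
import sys

STANDARD_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}

def unexpected_desktops(desktops):
    """desktops: {name: top-level window count}. Returns the non-standard names,
    busiest first, so the likeliest hidden desktop comes out on top."""
    extra = [n for n in desktops if n.lower() not in STANDARD_DESKTOPS]
    return sorted(extra, key=lambda n: (-desktops[n], n))

def enumerate_desktops():
    """Windows only. Maps each desktop name to its top-level window count
    (-1 when the desktop cannot be opened with the rights needed to enumerate it)."""
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    DESKTOP_READOBJECTS, DESKTOP_ENUMERATE = 0x0001, 0x0040  # winuser.h access rights
    DESKTOPENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HWINSTA
    user32.EnumDesktopsW.argtypes = [wintypes.HWINSTA, DESKTOPENUMPROC, wintypes.LPARAM]
    user32.OpenDesktopW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    user32.OpenDesktopW.restype = wintypes.HDESK
    user32.EnumDesktopWindows.argtypes = [wintypes.HDESK, WNDENUMPROC, wintypes.LPARAM]
    user32.CloseDesktop.argtypes = [wintypes.HDESK]

    names = []
    user32.EnumDesktopsW(user32.GetProcessWindowStation(),
                         DESKTOPENUMPROC(lambda name, _: names.append(name) or True), 0)
    counts = {}
    for name in names:
        hdesk = user32.OpenDesktopW(name, 0, False, DESKTOP_READOBJECTS | DESKTOP_ENUMERATE)
        if not hdesk:
            counts[name] = -1  # e.g. Winlogon is not openable from a standard user token
            continue
        windows = []
        user32.EnumDesktopWindows(hdesk, WNDENUMPROC(lambda hwnd, _: windows.append(hwnd) or True), 0)
        user32.CloseDesktop(hdesk)
        counts[name] = len(windows)
    return counts

if __name__ == "__main__" and sys.platform == "win32":
    seen = enumerate_desktops()
    for name in unexpected_desktops(seen):
        print(f"unexpected desktop {name!r}: {seen[name]} top-level windows")
```

Run it under the logged-on user's token; a desktop that is both unexpected and carries open windows is the case worth isolating the machine over, while an extra desktop with no windows may simply be a legitimate application's own.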

Threat updates

7 Aug 2018: A new malware campaign called “Black” has been seen infecting users with an updated version of Ramnit.

This botnet has several notable features:

  • It uses hardcoded domain names.
  • Additional modules, such as FTPServer and WebInjects, are embedded in one package with Ramnit.
  • It enrols infected devices into the Ngioweb botnet, which allows the infected device to act as a back-connect proxy and a relay proxy.

Remediation advice

To prevent and detect a trojan infection, ensure that:

  • A robust programme of education and awareness training is delivered to users so that they do not open attachments or follow links in unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset on a clean computer.
  • Your organisation adopts a holistic, all-round approach to cyber security as advocated by the 10 Steps to Cyber Security.

Last edited: 17 February 2020 11:37 am