Bank vault
Image from Shutterstock.com

A banking botnet that was taken down nine months ago by police in several European countries earlier this year has come back, with Canadians counting for over half the victims so far.

According to a post from IBM this morning, the Ramnit Trojan and botnet, which once spread malware from some 300 domain addresses, has a new variant and has been seen in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.

New Ramnit Emerges – Target Geo Distribution per URL Count (Source: IBM Trusteer)

(Graphic from IBM)

“The Ramnit botnet is communicating with new attack servers, employs a completely new and much shorter configuration file and uses a revamped webinjection scheme against its infected victims,” Limor Kessem, an IBM security evangelist wrote. “The new Ramnit also operates with a real-time webinjection server, selectively pulling attack schemes on the fly when infected users browse to a few major banks in Canada.”

When Ramnit was first discovered in the wild in 2010, she said, it was only the name of a worm used as an infection vector that leveraged the use of removable drives and network shares to spread to new endpoints. In 2011, Ramnit’s developers added code chunks borrowed from the leaked Zeus Trojan sources and turned it into a banking Trojan.

The new Ramnit variants discovered by IBM are identical to the previous ones in terms of their source code and behavior patterns, researchers said. The only changes are in the webinjections and the configuration file. As a number of other Trojans, like Shifu, Dridex and Neverquest, use the exact same webinjections and remote servers, IBM suspects gangs behind these are purchasing software-as-a-service (SaaS) from the same injection developer.

Typically the malware is spread through malvertising in email and social media, leveraging the Angler exploit kit.

In February Europol’s European Cybercrime Centre co-ordinated a joint international operation to take down the Ramnit botnet, which it said had infected 3.2 million computers around the world. It was led by police in Britain, authorities in Germany, Italy, the Netherlands and help from Microsoft, Symantec and AnubisNetworks.