Monday, May 23, 2022

Canadians make up most of the victims as banking Trojan returns

A banking botnet that was taken down nine months ago, in February, by police in several European countries has come back, with Canadians accounting for over half the victims so far.

According to a post from IBM this morning, the Ramnit Trojan and botnet, which once spread malware from some 300 domains, has a new variant that has been seen in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.

[Graphic from IBM: "New Ramnit Emerges – Target Geo Distribution per URL Count" (Source: IBM Trusteer)]

“The Ramnit botnet is communicating with new attack servers, employs a completely new and much shorter configuration file and uses a revamped webinjection scheme against its infected victims,” Limor Kessem, an IBM security evangelist wrote. “The new Ramnit also operates with a real-time webinjection server, selectively pulling attack schemes on the fly when infected users browse to a few major banks in Canada.”

When Ramnit was first discovered in the wild in 2010, she said, the name belonged only to a worm that spread to new endpoints through removable drives and network shares. In 2011, Ramnit's developers added code chunks borrowed from the leaked Zeus Trojan sources and turned it into a banking Trojan.

The new Ramnit variants discovered by IBM are identical to the previous ones in terms of their source code and behaviour patterns, researchers said. The only changes are in the webinjections and the configuration file. Because a number of other Trojans, including Shifu, Dridex and Neverquest, use the exact same webinjections and remote servers, IBM suspects the gangs behind them are buying the injections as software-as-a-service (SaaS) from the same injection developer.
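To make the webinjection mechanism concrete, here is an added example that is not Ramnit's code and not IBM's analysis. It assumes the Zeus-style webinject format (set_url / data_before / data_inject / data_after blocks), which is the format in the leaked Zeus sources Ramnit borrowed from; the page does not describe Ramnit's new, shorter configuration format, so that is an assumption. The config, the bank login page and the URL are constructed for illustration. The script parses the config, applies the inject to the page the way a man-in-the-browser would (adding an "ATM PIN" field under the password box), and then runs the check a defender would want: comparing the form fields actually rendered against the set the genuine page is known to contain.

```python
"""Zeus-style webinject: parse, apply, and detect. Added example, not Ramnit's
own code or configuration. The config format, page and URL are assumptions."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class WebInject:
    url_pattern: str          # set_url glob, e.g. https://bank.example/login*
    flags: str                # e.g. "GP": apply to GET and POST responses
    data_before: str = ""     # anchor text; inject goes right after it
    data_inject: str = ""     # HTML the Trojan adds to the page
    data_after: str = ""      # if set, original text up to here is replaced


def parse_injects(config: str) -> List[WebInject]:
    """Parse set_url / data_before / data_inject / data_after ... data_end blocks."""
    injects: List[WebInject] = []
    current, section, buf = None, None, []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            parts = stripped.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped, []
        elif stripped == "data_end" and current is not None and section is not None:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def apply_injects(url: str, html: str, injects: List[WebInject]) -> str:
    """Rewrite the page as a man-in-the-browser would before the user sees it.
    Glob matching stands in for Zeus's own wildcard rules (assumption)."""
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_pattern):
            continue
        start = html.find(inj.data_before) if inj.data_before else 0
        if start < 0:
            continue                      # anchor not on this page; skip
        pos = start + len(inj.data_before)
        end = pos
        if inj.data_after:
            end = html.find(inj.data_after, pos)
            if end < 0:
                continue
        html = html[:pos] + inj.data_inject + html[end:]
    return html


INPUT_NAME = re.compile(r"<input\b[^>]*\bname=[\"']([^\"']+)[\"']", re.I)


def foreign_fields(html: str, expected: Set[str]) -> List[str]:
    """Defender's check: input names the genuine page never contained."""
    return [name for name in INPUT_NAME.findall(html) if name not in expected]


# Constructed sample config: add a fake ATM PIN prompt under the password box.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>ATM PIN</label><input type="password" name="atm_pin">
data_end
data_after
data_end
"""

# Constructed sample of the genuine login form and its known field names.
SAMPLE_PAGE = """\
<form method="post" action="/login">
<input type="text" name="username">
<input type="password" name="password">
<button>Sign in</button>
</form>"""
GENUINE_FIELDS = {"username", "password"}


def demo():
    """Apply the inject to the sample page and report fields it added."""
    injects = parse_injects(SAMPLE_CONFIG)
    tampered = apply_injects("https://bank.example/login?lang=en", SAMPLE_PAGE, injects)
    return injects, tampered, foreign_fields(tampered, GENUINE_FIELDS)


if __name__ == "__main__":
    _, page, extra = demo()
    print(page)
    print("unexpected fields:", extra)
```

The same field comparison is what server-side "page integrity" controls do in practice: the bank knows which inputs its login form has, so any extra name arriving in a POST (or reported by a client-side script) is a strong signal of a webinject, regardless of which Trojan family delivered it.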

Typically the malware is spread through malvertising and through links in email and social media, with the Angler exploit kit used to infect the victims' machines.

In February Europol's European Cybercrime Centre co-ordinated a joint international operation to take down the Ramnit botnet, which it said had infected 3.2 million computers around the world. The operation was led by police in Britain, with authorities in Germany, Italy and the Netherlands and help from Microsoft, Symantec and AnubisNetworks.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
