The Ramnit banking trojan was first discovered in 2010 and is still evolving: it held second place on the top banking trojan list for October 2019 (see the source post). It may be distributed via malvertising, exploit kits, spear-phishing campaigns or other methods to infect victims' machines.
Figure1: Ramnit overall process
This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Ramnit.
Upon execution, Ramnit creates randomly named copies of itself under %WINDIR% (C:\Windows) or the %ProgramFiles% directory, for example "%ProgramFiles%\Microsoft\desktoplayer.exe".
It may also drop an additional payload whose name is the original filename with 'srv' appended, for example "[malware filename]srv.exe".
To ensure it runs at startup, it modifies the Winlogon Userinit value so that its dropped copy is launched alongside the legitimate userinit.exe: Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Value name: Userinit Data: c:\windows\system32\userinit.exe, %ProgramFiles%\Microsoft\desktoplayer.exe
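A quick way to check for this persistence mechanism is to read the Userinit value and flag any entry that is not the stock userinit.exe. The following is an added example written for this post, not Carbon Black product code; the expected path set assumes Windows is installed at C:\Windows, and the two sample values are constructed (the second mirrors the desktoplayer.exe entry shown above).

```python
"""Check a Winlogon Userinit value for entries that are not the stock userinit.exe.

Added example, not Carbon Black's code. The expected-path set and the sample
values below are assumptions/constructed data, not observations from the post.
"""

# The only entry Windows itself puts in Userinit (compared case-insensitively).
# Assumption: the system drive is C: and Windows lives in C:\Windows.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}


def parse_userinit(value):
    """Split the comma-separated Userinit string into normalised entries.

    Windows leaves a trailing comma after userinit.exe, so empty fields are
    normal and are dropped; surrounding quotes and whitespace are stripped.
    Environment variables such as %ProgramFiles% are kept verbatim so that the
    comparison does not depend on the host the check runs on.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry.lower())
    return entries


def suspicious_userinit_entries(value):
    """Return every entry that is not the legitimate userinit.exe."""
    return [e for e in parse_userinit(value) if e not in EXPECTED_USERINIT]


def read_live_userinit():
    """Read the real value on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values: a clean default and a Ramnit-style modification
# using the desktoplayer.exe path mentioned in the post.
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
RAMNIT_STYLE_VALUE = r"c:\windows\system32\userinit.exe, %ProgramFiles%\Microsoft\desktoplayer.exe"

if __name__ == "__main__":
    live = read_live_userinit()
    for label, value in (("clean sample", CLEAN_VALUE),
                         ("ramnit-style sample", RAMNIT_STYLE_VALUE),
                         ("live registry", live)):
        if value is None:
            continue
        extra = suspicious_userinit_entries(value)
        print(f"{label}: {'SUSPICIOUS ' + repr(extra) if extra else 'ok'}")
```

Run it on a Windows host to check the live registry as well as the samples. Any extra entry is worth investigating, not only ones under %ProgramFiles%\Microsoft, since the dropped copy is randomly named and may also sit directly under %WINDIR%.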
Ramnit connects to its command and control (C&C) server, then collects and uploads sensitive information such as browser cookies, bank credentials, FTP credentials and more, depending on which modules the server instructs it to fetch (each is downloaded from the C&C server as a .dll). On further instruction from the C&C server, it may also download additional malicious payloads to the victim's computer and carry out other malicious activity. Ramnit injects the malicious DLL modules into legitimate system processes such as svchost.exe or web browser processes such as iexplore.exe (shown in Figure 4).
Figure 2: One of the Ramnit modules collecting cookies from IE, Firefox, Chrome, Opera, Safari
Figure 3: Ramnit disables security software and services by modifying their registry keys.
The identified Ramnit modules are listed in the following table: (Reference here)
The following screenshots show the CB Threat Hunter process chart and part of the event log generated by Ramnit.
Figure 4: CB Threat Hunter Process Chart
Figure 5: CB Threat Hunter Event Log
In addition, CB Defense displays the full set of TTPs the malware triggered.