Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

TAU-TIN - Ramnit

TAU-TIN - Ramnit

Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN - Ramnit
Source: https://securityintelligence.com/posts/ramnit-targets-japanese-shoppers-aiming-at-top-fashion-brands...

 

Summary

Ramnit Banking Trojan was first discovered in 2010 and is still evolving and staying actively as the second rank on the top banking trojan list in October 2019 as from the source post. It may be distributing via malvertising, exploit kit, spear-phishing campaign or others method to infect on the victim’s machines.

Ramnit1.png

                                                                                       Figure1: Ramnit overall process

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Ramnit.

 

Behavioral Summary

Upon execution of Ramnit, it will create copies of itself, randomly renamed and store under %WINDIR% (C:\Windows) or %ProgramsFiles% directory, for example “%ProgramFiles%\Microsoft\desktoplayer.exe”.

It may also create additional payload by adding ‘srv’ at the end of the original filename, for example “[malware filename]srv.exe”.

In addition, it will create the following registry key to ensure it will execute on the startup: Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit Value: c:\windows\system32\userinit.exe, %ProgramFiles%\Microsoft\desktoplayer.exe

Ramnit will need to connect to command and control (C&C) server then collect and upload sensitive information such as browser cookies, bank credentials, FTP credentials, and more data based on the requested modules which will be downloaded as .dll from C&C server. In addition, depending on the instruction from C&C server, it may download additional malicious payload to the victim’s computer and perform additional malicious activities. Ramnit will inject the malicious DLL modules into the context of legitimate system processes such as svchost.exe or web browser processes such as iexplore.exe (Shown in figure 4).

rt2.png

Figure 2: One of the Ramnit modules collecting cookies from IE, Firefox, Chrome, Opera, Safari

 

rt3.png

Figure 3: Ramnit will disable security software/services by modifying their registry key.

The identified Ramnit modules may refer to the following table: (Reference here

rt4.png

 

The following screenshot is of CB Threat Hunter process chart and part of the event logs by Ramnit.

rt5.png

Figure 4: CB Threat Hunter Process Chart

rt6.png

Figure 5: CB Threat Hunter Event Log

 

Other than that, CB Defense will display the malware’s overall triggered TTPs.

rt7.pngrt8.png

 

Indicators of Compromise (IOCs)

Indicator

Type

Context

f755edae579734f5960a7ac331b3df4e6aae3e6e340e5fbe9aeb89ed2694726a

bd19c8496017c962b9cd8508346e3878

SHA256

MD5

Ramnit (Main Installer)

fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

ff5e1f27193ce51eec318714ef038bef

SHA256

MD5

Ramnit (UPX Packed)

876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C

44e92c4b5f440b756f8fb0c9eeb460b2

SHA256

MD5

Ramnit (Unpacked)

4742490b011ca40fec59604bad953d32eae08512c513166f2cbd652f7fd6d2cb

ed362f56ad7cd9d5c4e2415436c1c129

SHA256

MD5

Ramnit (DLL)

160726b05e49f6f86983b2d945f7d691d1d9797078e4b7da4c0d7d7cba95c1d7

606215cf65fab017cff76463402a15e2

SHA256

MD5

Ramnit (DLL)

 

Labels (1)
0 Kudos
Article Information
Author:
Creation Date:
‎11-05-2019
Views:
5645