Updated Ramnit Trojan Spreads Through Android App

The Ramnit Trojan attacks targets through an Android app posing as a Facebook Messenger alternative. Learn how to delete infections by reading our removal guide.

Ramnit Trojan Continues To Spread

The last incident associated with this particular virus was the large-scale campaign against UK banks. The hackers behind the intrusion attempts used spam email messages with file attachments that posed as documents of interest such as contracts, invoices and statements. The version used integrated an advanced banking Trojan which is capable of capturing the victims' keystrokes as well as manipulating their systems with the intent of stealing sensitive account credentials. Two live attack servers and an active C&C station were identified as being part of the attack. The personal bank accounts were compromised using clever overlays that were manipulated using web injection code.

One of the most dangerous features available in the virus engine is its advanced spy module. It includes a browser hijacker module which can both endanger the privacy of the victims and steal their data. It monitors their web activity and hijacks all stored cookies, browsing history, site interaction, bookmarks and other related data. The developers of the Ramnit Trojan have made sure that this module is compatible with the most popular browsers – Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge. A VNC module is also integrated into the virus engine, which allows remote control of the machine at will.

Ramnit Infects Through A Fake Facebook Messenger Android App

The virus has been discovered in a recent malware campaign that uses a counterfeit Android app. It is titled “Messenger super lite free” and poses as an alternative to the official Facebook Messenger application. Its description lists only superficial features, presented as bullet points with the intent of tricking the victims into installing it:

Features:

– Saves up to 90% of data on use

– Clean design

– Very low app size, less then 2 MB

– Works great even on 2g networks

– Free and always will be.

The installation triggers a Visual Basic script which automatically leads to the payload delivery of the malware. If the user connects his device to a computer then the infection will automatically start. The virus follows a precise predefined behavior pattern:

  1. The virus copies itself to several locations in the first stage of the malware attack. The following locations have been identified with the strain:
    %ProgramFiles%\Microsoft\WaterMark.exe
    %CommonProgramFiles%\Microsoft\WaterMark.exe
    %AppData%\Microsoft\WaterMark.exe
    %System%\Microsoft\WaterMark.exe
    %WinDir%\Microsoft\WaterMark.exe
    %Temp%\Microsoft\WaterMark.exe
    %Homedrive%%Homepath%\Microsoft\WaterMark.exe

  2. The virus creates a registry entry at the following location which maintains a persistent state of infection:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    “Userinit” = “%originalvalue%, %malwarefolder%\Microsoft\WaterMark.exe”

  3. The Ramnit Trojan virus engine runs its own threat in the svchost.exe system process.

  4. Local files with the EXE and DLL extensions are infected with the virus code. It's interesting to note that files that contain the ‘RMNetwork‘ string are excluded from infection. The total size of the injected code is 53 KB and its intended purpose is to launch the malware whenever a compromised file is executed.
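The persistence indicators in steps 1 and 2 can be checked against artefacts collected from a host. The following is an added example, not code from the original article: it audits an exported Userinit value and a file listing. The function names, the sample data and the assumption that the system root is C:\Windows are constructed for illustration.

```python
import ntpath

# Indicator from the article: every dropped copy ends in this path suffix.
DROP_SUFFIX = "\\microsoft\\watermark.exe"


def audit_userinit(value, system_root="C:\\Windows"):
    """Return (entry, reason) for every Userinit program other than the stock one."""
    # Assumption: the stock entry is <system_root>\system32\userinit.exe.
    expected = ntpath.join(system_root, "system32", "userinit.exe").lower()
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        if entry.lower().endswith(DROP_SUFFIX):
            findings.append((entry, "matches Ramnit drop path"))
        elif entry.lower() != expected:
            # Also catches a userinit.exe that sits outside system32.
            findings.append((entry, "unexpected Userinit entry"))
    return findings


def find_dropped_copies(paths):
    """Return paths from a file listing that end in \\Microsoft\\WaterMark.exe."""
    return [p for p in paths if p.lower().endswith(DROP_SUFFIX)]


# Constructed sample data (not taken from a real host).
CLEAN_VALUE = "C:\\Windows\\system32\\userinit.exe,"
INFECTED_VALUE = ("C:\\Windows\\system32\\userinit.exe,, "
                  "C:\\Program Files\\Microsoft\\WaterMark.exe")
LISTING = [
    "C:\\Program Files\\Microsoft\\WaterMark.exe",
    "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\cached.png",
    "C:\\Windows\\Temp\\Microsoft\\WATERMARK.EXE",
]

if __name__ == "__main__":
    for entry, reason in audit_userinit(INFECTED_VALUE):
        print(f"Userinit: {entry} -> {reason}")
    for path in find_dropped_copies(LISTING):
        print(f"File: {path}")
```
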

The Ramnit banking Trojan has been identified with the following features:

  • The virus engine can receive commands from the remote attackers through the available C&C infrastructure.

  • The Trojan component can capture screenshots from the compromised computers at will. This is used to spy on the users and their activity.

  • The keylogger functionality is able to hijack the keystrokes entered by the victims. The harvested data can include accounts and other private information.

  • All information is sent to the attackers via the available C&C infrastructure.

  • The virus engine can deliver additional malware. The hackers can make the infected hosts download arbitrary files from remote servers and then execute them.

  • Arbitrary code and programs can be executed according to the instructions sent to the infected machines.

  • Power events such as computer restart, shut down and hibernation can be initiated.


The Ramnit Trojan Exploits The CVE-2010-2568 Vulnerability

The infection route identified by the specialists is related to an old vulnerability tracked in the CVE-2010-2568 advisory. Its full description is the following:

Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

Unpatched machines allow remote attackers or local users to execute arbitrary code through crafted LNK or PIF shortcut files. An important characteristic of this issue is that no user interaction is required to execute the malicious code. Upon infection through this method the engine crafts the following files:

  • %Removabledrive%\RECYCLER\S-7-1-36-6133081425-6700277004-675130086-4217\%variable1%.exe

  • %Removabledrive%\RECYCLER\S-7-1-36-6133081425-6700277004-675130086-4217\%variable2%.cpl

  • %Removabledrive%\%autorun.inf

  • %removabledrive%\Copy of Shortcut to (1).lnk

  • %removabledrive%\Copy of Shortcut to (2).lnk

  • %removabledrive%\Copy of Shortcut to (3).lnk

  • %removabledrive%\Copy of Shortcut to (4).lnk

A variable string is inserted in place of the %variable1% and %variable2% fields.
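The file names above are enough to triage a removable drive from a directory listing. The following is an added example, not code from the original article: it classifies drive-relative paths against the listed patterns. The function names, finding labels and sample listing are constructed, and the random file names stand in for the %variable% fields.

```python
import re

# Patterns derived from the file names listed in the article.
RECYCLER_PAYLOAD = re.compile(r"^RECYCLER\\(S-[\d-]+)\\[^\\]+\.(?:exe|cpl)$", re.I)
SHORTCUT_COPY = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.I)


def classify(rel_path):
    """Return a finding for a drive-relative path, or None if unremarkable."""
    m = RECYCLER_PAYLOAD.match(rel_path)
    if m:
        # Genuine Windows SIDs use revision 1 ("S-1-..."). The folder in the
        # article starts "S-7-", so a non-"S-1-" name is a stronger signal.
        if m.group(1).upper().startswith("S-1-"):
            return "executable in RECYCLER"
        return "payload in RECYCLER (bogus SID)"
    if SHORTCUT_COPY.match(rel_path):
        return "shortcut name listed for this strain"
    if rel_path.lower() == "autorun.inf":
        return "autorun.inf in drive root"
    return None


def scan_listing(rel_paths):
    """Map each suspicious path to its finding; ordinary files are omitted."""
    findings = {}
    for path in rel_paths:
        finding = classify(path)
        if finding:
            findings[path] = finding
    return findings


def verdict(findings):
    """High confidence needs a payload plus a launcher (shortcut or autorun.inf)."""
    kinds = set(findings.values())
    has_payload = any("RECYCLER" in k for k in kinds)
    has_launcher = any("shortcut" in k or "autorun" in k for k in kinds)
    if has_payload and has_launcher:
        return "likely Ramnit-infected drive"
    return "review manually" if kinds else "clean"


# Constructed sample listing; "qwertyui" is a placeholder for %variable1%.
SAMPLE_DRIVE = [
    "RECYCLER\\S-7-1-36-6133081425-6700277004-675130086-4217\\qwertyui.exe",
    "autorun.inf",
    "Copy of Shortcut to (1).lnk",
    "photos\\holiday.jpg",
]
```
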

Europol Actions Against The Ramnit Trojan Botnet

In February 2015 Europol, in coordination with several countries, shut down a dangerous botnet network that was used by computer hackers to spread various types of malware including the Ramnit Trojan. According to the reports more than 3 million computers worldwide were infected by the attack network. The operation in question involved investigation in the United Kingdom, Germany, the Netherlands and Italy done by both government agencies and private companies such as Symantec and Microsoft. The security specialists were able to locate the malicious servers and redirection sites. According to the research the network has been operational for at least five years.

At the moment the most infected countries are Cameroon, Bangladesh and The Philippines. To this date six different variants of the Ramnit Trojan have been identified by the researchers. The first versions of the malware were detected in the summer of 2010 and only a few months later the virus peaked in infections – reaching 2.25% of the global infection ratio. Since then large-scale campaigns and improvements have been made to the virus engine. The infrastructure allowed the computer hackers to gain remote control access to the victim computers, steal sensitive account credentials and all user data.

Ramnit Trojan Strain Modifications

Depending on the strain, users may spot major or minor differences between the versions released so far. It is suspected that a large hacker collective is behind the many evolutions of the Ramnit Trojan. Through its several major iterations the security analysts have seen how its development progressed along the trends – from a typical Trojan sample it has grown into a sophisticated malware used in large-scale campaigns. Some of the identified viruses deviate from the ongoing campaign by using different infection methods and behavior patterns. Here are some examples of various Ramnit Trojan strain activity:

  • Masquerading as Common Applications – In the first stage of infection the malware sample can copy itself to various system locations posing as ordinary applications such as desktoplayer.exe or calculator.exe.

  • API Hookup – The engine hooks several APIs used by the operating system to achieve a persistent state of execution.

  • Infection of Other File Types – Older versions of the Ramnit Trojan infect various documents and files that are commonly used by the user.

  • Network Propagation – Various strains associated with the Ramnit malware family have the ability to spread over the internal network.

  • DGA Domain Generation – Some of the identified strains have used a domain generation algorithm to create the C&C addresses.

  • Modular Design – Older versions of the Ramnit Trojan feature only a base engine which downloads its other components from the remote servers.

  • System Information Harvesting – Detailed information about the victim computers is gathered and sent to the hackers. This includes the name of the host, running processes, installed applications, hardware details, serial number of the individual components and build of the operating system.

  • Stealth Protection – The virus engine is able to stop the installed anti-virus solutions and bypass their real-time engines. Only quality anti-spyware products can remove the threat efficiently and prevent infections.

  • Modification Of Installed Applications – The engine can also modify the behavior and settings of FTP clients, remote control clients and multimedia players.

  • Log File Generation – Some of the older versions of Ramnit generate detailed log files which are sent to the remote C&C servers.

  • User Input Simulation – A clever trick employed by some of the malware iterations is to simulate realistic user interaction with the computer. This is done to fool the anti-virus real-time engines and other security mechanisms.

By using a quality anti-malware solution computer users can protect themselves from all types of malware and remove active infections with a few mouse clicks.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

