Ramnit Changes Shape with Widespread Black Botnet

The recently uncovered “Black” botnet campaign using the Ramnit malware racked up 100,000 infections in the two months through July, but the offensive could just be a precursor to a much larger attack coming down the pike, according to researchers, thanks to a second-stage malware called Ngioweb.

Check Point Research said that the actors behind the Black botnet are mainly working on creating a network of malicious proxy servers: infected machines that together operate as a highly centralized botnet, “though its architecture implies division into independent botnets.”

In the Black operation, Ramnit malware, which is likely being distributed via spam campaigns, according to Check Point, is merely a first-stage malware. Ramnit has extensive information exfiltration capabilities stemming from its heritage as a banking trojan; but it also backdoors infected machines. In this case, it sets up a path for a malware called Ngioweb, marking a new chapter for the venerable old code, first seen in 2010.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” Check Point researchers explained in an analysis of the campaign posted on Sunday. “The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

The concern is that between the two pieces of malware, the operators are building a large, multi-purpose proxy botnet that could be marshalled into action for any number of nefarious purposes, from spreading cryptomining, ransomware or other malware to DDoS and information exfiltration.

“This massive new campaign may actually be used for many things, but our current belief is that this is just the tip of the iceberg and this is a warning sign of a bigger operation that the Ramnit operators are cooking for us,” said the researchers.

Ngioweb can operate as both a regular back-connect proxy and a relay proxy.

In its former guise, it can offer a remote user a connection to the infected host, or it can access internal resources on the infected machine’s local network.

As a relay proxy, it ups the firepower of the operation by allowing the perpetrators to build chains of proxies, thus making it difficult to trace their activities. It’s a perfect cover for creating nefarious hidden services that can’t be tracked down.

To build a hidden service using the Ngioweb botnet, the malware actor first publishes the address of a victim machine in a public channel like DNS; a second victim machine then resolves the address of the first one, thus connecting to it. The first infected machine then creates a new connection to the server, and works as a relay between that server and the second infected host. This can go on ad infinitum, with complex daily chains spiraling out from the command and control server (C2).
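The relay step described above leaves a recognizable shape in network flow data: an internal host accepts a connection, opens a second one outward almost at once, and forwards the bytes between them. The following detection sketch is an added example, not code from Check Point's analysis or from this article; the `Flow` record layout, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:              # hypothetical flow-log record, not a real product schema
    host: str            # monitored internal host
    peer: str            # remote endpoint
    inbound: bool        # True if the peer initiated the connection
    start: float         # seconds since capture start
    end: float
    rx: int              # bytes the host received from the peer
    tx: int              # bytes the host sent to the peer

def _mirrored(a, b, tol):
    """True when two byte counts agree within a relative tolerance."""
    return abs(a - b) <= tol * max(a, b, 1)

def find_relay_pairs(flows, max_gap=5.0, tol=0.10, min_bytes=10_000):
    """Return (host, inbound_peer, outbound_peer) triples that look like relaying."""
    hits = []
    for fin in flows:
        if not fin.inbound or fin.rx + fin.tx < min_bytes:
            continue
        for fout in flows:
            if fout.inbound or fout.host != fin.host or fout.peer == fin.peer:
                continue
            # The outbound leg opens right after the inbound one and runs alongside it.
            opened_after = 0 <= fout.start - fin.start <= max_gap
            overlaps = fout.start < fin.end and fin.start < fout.end
            # What arrives on one leg leaves on the other, in both directions.
            mirrored = (_mirrored(fin.rx, fout.tx, tol)
                        and _mirrored(fin.tx, fout.rx, tol))
            if opened_after and overlaps and mirrored:
                hits.append((fin.host, fin.peer, fout.peer))
    return hits

# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = [
    # Relay-like: inbound session mirrored by an outbound session 1.2 s later.
    Flow("10.0.0.21", "198.51.100.7", True, 100.0, 460.0, 52_000, 910_000),
    Flow("10.0.0.21", "203.0.113.40", False, 101.2, 459.0, 905_000, 53_500),
    # Ordinary download from the same host, much later.
    Flow("10.0.0.21", "192.0.2.80", False, 300.0, 302.0, 240_000, 1_200),
    # A server answering a request, then making an unrelated small lookup.
    Flow("10.0.0.35", "198.51.100.9", True, 200.0, 201.0, 900, 48_000),
    Flow("10.0.0.35", "192.0.2.53", False, 200.5, 200.6, 300, 120),
]

if __name__ == "__main__":
    for host, src, dst in find_relay_pairs(SAMPLE_FLOWS):
        print(f"{host} appears to relay between {src} and {dst}")
```

Workstations that accept inbound connections at all are already unusual, so in practice this check is most useful scoped to endpoint subnets, where legitimate reverse proxies and load balancers will not dominate the results.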

“According to domain names which are resolved to the IP address of the [Black C2 server], it pretends to control even old bots, first seen back in 2015,” researchers said. “The architecture of the botnet does not allow for determining if the address provided by [C2 for the malware to connect to] belongs to the attacker or simply to another bot.”

Interestingly, Ngioweb uses a two-stage C2 infrastructure: an unencrypted HTTP connection hooks the malware up with the mother ship by informing it that it’s ready to go; from there, an encrypted channel is used for controlling the malware.

Also of note, the C2 server does not upload additional modules; instead, some (like FTPServer and WebInjects) are embedded within one package with Ramnit, according to Check Point.

The Black botnet is yet another evolution of the Ramnit trojan. It emerged in 2010 in the more simplistic form of a self-replicating worm. But in 2011 Ramnit made use of the leak of the Zeus banking trojan’s source code to morph into a banking trojan.

Originally used to steal banking credentials, over the years it widened its focus to include lifting passwords for social networking accounts, FTP log-ins and more. Meanwhile, its authors enhanced not only the evasion techniques protecting the malware, but also management of bots, such as encryption routines that would not set off triggers in security software. It even added mule recruitment to the mix.

Ramnit soon became a favorite among thieves dabbling in financial fraud because of the frequent updates, and by 2015 had infected more than 3.2 million Windows computers.

Unsurprisingly, it attracted the scrutiny of law enforcement, and in 2015 Europol and several private technology companies announced the takedown of the C2 infrastructure supporting the Ramnit botnet. The defenders redirected traffic from 300 domains used by Ramnit to domains controlled by authorities.

The celebration didn’t last long. Ramnit was back by 2016. IBM X-Force researchers reported that the Ramnit trojan had relaunched, targeting customers of six major banks in the U.K. Ramnit’s operators had set up two new live attack servers and a new C2 server, and were essentially back in business, using the same internal payload, architecture and encryption algorithms, according to IBM.

It was, however, updated with a spy module, “designed to hook the browser, monitoring URL access, enabling data theft in real time and displaying webinjections to the victims,” IBM noted. It also had new attack schemes built for real-time fraud attacks targeting online banking sessions.