Threat Analysis Unit (TAU) Threat Intelligence Notification: Ramnit Banking Trojan

Ramnit Banking Trojan was first discovered in 2010 and is still evolving and staying actively as the second rank on the top banking trojan list in October 2019 as from the source post. It may be distributing via malvertising, exploit kit, spear-phishing campaign or others method to infect on the victim’s machines.

                                                                                       Figure1: Ramnit overall process

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against Ramnit.

Behavioral Summary

Upon execution of Ramnit, it will create copies of itself, randomly renamed and store under %WINDIR% (C:\Windows) or %ProgramsFiles% directory, for example “%ProgramFiles%\Microsoft\desktoplayer.exe”.

It may also create additional payload by adding ‘srv’ at the end of the original filename, for example “[malware filename]srv.exe”.

In addition, it will create the following registry key to ensure it will execute on the startup: Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit Value: c:\windows\system32\userinit.exe, %ProgramFiles%\Microsoft\desktoplayer.exe

Ramnit will need to connect to command and control (C&C) server then collect and upload sensitive information such as browser cookies, bank credentials, FTP credentials, and more data based on the requested modules which will be downloaded as .dll from C&C server. In addition, depending on the instruction from C&C server, it may download additional malicious payload to the victim’s computer and perform additional malicious activities. Ramnit will inject the malicious DLL modules into the context of legitimate system processes such as svchost.exe or web browser processes such as iexplore.exe (Shown in figure 4).

Figure 2: One of the Ramnit modules collecting cookies from IE, Firefox, Chrome, Opera, Safari

Figure 3: Ramnit will disable security software/services by modifying their registry key.

The identified Ramnit modules may refer to the following table: (Reference here

The following screenshot is of CB Threat Hunter process chart and part of the event logs by Ramnit.

Figure 4: CB Threat Hunter Process Chart

rt6.png

Figure 5: CB Threat Hunter Event Log

Other than that, CB Defense will display the malware’s overall triggered TTPs.

If you are a VMware Carbon Black customer looking to learn more on how to defend against this attack, click here. 

Remediation:

MITRE ATT&CK TIDs

TID Tactic Description
T1045 Defense Evasion Software Packing
T1027 Defense Evasion Obfuscated Files or Information
T1143 Defense Evasion Hidden Window
T1071 Command and Control Standard Application Layer Protocol
T1057 Discovery Process Discovery
T1050 Privilege Escalation, Persistence New Service
T1058 Privilege Escalation, Persistence Service Registry Permissions Weakness
T1112 Defense Evasion Modify Registry

Indicators of Compromise (IOCs)

Indicator

Type

Context

f755edae579734f5960a7ac331b3df4e6aae3e6e340e5fbe9aeb89ed2694726a

bd19c8496017c962b9cd8508346e3878

SHA256

MD5

Ramnit (Main Installer)

fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

ff5e1f27193ce51eec318714ef038bef

SHA256

MD5

Ramnit (UPX Packed)

876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C

44e92c4b5f440b756f8fb0c9eeb460b2

SHA256

MD5

Ramnit (Unpacked)

4742490b011ca40fec59604bad953d32eae08512c513166f2cbd652f7fd6d2cb

ed362f56ad7cd9d5c4e2415436c1c129

SHA256

MD5

Ramnit (DLL)

160726b05e49f6f86983b2d945f7d691d1d9797078e4b7da4c0d7d7cba95c1d7

606215cf65fab017cff76463402a15e2

SHA256

MD5

Ramnit (DLL)

 

The post Threat Analysis Unit (TAU) Threat Intelligence Notification: Ramnit Banking Trojan appeared first on VMware Carbon Black.

Article Link: https://www.carbonblack.com/2019/11/18/threat-analysis-unit-tau-threat-intelligence-notification-ramnit-banking-trojan/