The Ramnit malware as one of the most dangerous banking Trojans is known for causing numerous infections worldwide. The newly discovered Black botnet has been found to be made by the same collective. Our article gives details about the threat.
Black Botnet Crafted by The Ramnit Hackers
A dangerous new threat called the Black botnet has been reported by the security community. It was found in a large-scale attack campaign that has been active for two months — the reports indicate that there are 100 000 systems. The analysts have found that the botnet uses the same C&C servers as those used in previous attacks associated with the banking Trojan. An investigation into the server shows that it has been active since at least March 6 2018. In the beginning of the attack the hackers have used a low number of infections. It appears that its main goal is to deliver a customized version of the Ramnit Trojan.
An interesting fact is that the Black botnet encrypts the traffic between the host and the server using a RC4 cipher. There are several distinct characteristics that identify it:
- Many of the collected samples use hardcoded domain names.
- The C&C servers have been found no to upload/download additional modules.
- All additional components are bundled in a single package.
- The Ramnit banking Trojan is used to deliver another malware called Ngioweb
The actual Ngioweb malware functions as a proxy server that has devised its own binary protocols with two separate layers of encryption. There are two main modes that can be used to operate the proxy. The fact that the Ngioweb samples are being packed together with the Ramnit Trojan gives the security analysts the notion that the main distribution method is through a botnet (Read more...)
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | SensorsTechForum.com authored by Martin Beltov. Read the original post at: https://sensorstechforum.com/ramnit-trojan-botnet-launched/