METHOD – The Ramnit Trojan Family Evolution Within the “Black” Botnet Campaign

Researchers at Check Point warned that a much larger attack could follow the so-called “Black” botnet campaign. The campaign was uncovered between May and July 2018 and used the Ramnit Trojan to create a network of malicious proxy servers operating as a highly centralized botnet or as independent botnets. To date, over 100,000 computers have been infected, researchers said.

Ramnit was first seen in 2011 as one of the most prominent banking malware families, with extensive information exfiltration capabilities, and it targeted industries and banks in North America and the UK throughout 2015 and 2016. Ramnit’s additional features include modules such as FTPServer and WebInjects embedded in the malware package, and the capability of backdooring infected machines. According to Check Point, Ramnit recently proved to be merely a first-stage compromise, likely distributed via spam campaigns and employed as a loader for a second infection, the Ngioweb malware.

Originally seen in the second half of 2017, Ngioweb is reported to be a multifunctional proxy server that uses two layers of encryption and supports back-connect mode, relay mode, the IPv4 and IPv6 protocols, and TCP and UDP transports. After analyzing the malware's functionality, Check Point researchers identified two stages of C2 infrastructure in use. Whereas the STAGE-0 C2 server communicates over an unencrypted HTTP connection that the malware is ready to go, the STAGE-1 C2 server later controls the malware via an encrypted channel. In addition, Ngioweb has a dual operational mode, working as both a regular back-connect proxy and a relay proxy. The first allows access to remote services on behalf of an infected host, or to internal resources in the local network of an infected host, whereas the latter, the most powerful, allows the attackers to build chains of proxies, making their services barely traceable. The concern is that, between the two pieces of malicious code, the operators behind the campaign are attempting to build an extended, multi-purpose proxy botnet, possibly to be used to launch further attacks.

Proficio Threat Intelligence Recommendations:

  • Consider educating users on best practices for email security, especially when the source of a message looks suspicious. In addition, network administrators should consider implementing an effective anti-spam strategy within their organization.
  • Assess adding the IOCs provided in the Check Point analysis to preventative endpoint security controls.
  • Ensure endpoint security controls are maintained and up to date for higher detection rates.
