New Ramnit Campaign Spreads Azorult Malware
Research by: Nikita Fokin and Alexey Bukhteyev
This summer we wrote about the Ramnit malware and its underlying “Black” botnet campaign which was used for distributing proxy malware. Much to our surprise, the C&C servers of the “Black” botnet were shut down shortly after our publication. However, in less than a month a new Ramnit campaign emerged in the wild, this time distributing malware used mainly for stealing sensitive data via web-injects. Additionally, we now witness the Ramnit actors cooperate with other cyber criminals by using their services to empower the malware’s capabilities on the one hand, and providing them with distribution capabilities on the other.
Since September 1, 2018 we have discovered three new Ramnit botnets with five different C&C servers. They were targeting customers of Canadian, Japanese, USA, and Italian banks as well as retail customers. Moreover, it turned out that the threat actors behind the malware were interested in PornHub users:
Figure 1: Ramnit web-injects
The table below shows the discovered botnets and a list of their targets:
|client||18.104.22.168||Pornhub, Amazon, Yahoo, Japanese banks, Canadian banks|
|client||22.214.171.124||USA: AT&T, EBay, JPMorgan Chase, USAA, Sam’s club, PayPal, Walmart, Newegg, Costco, Best Buy, Amazon, Apple|
|client||126.96.36.199||Testing (just launched)|
|client-2||188.8.131.52||USA: Key Bank, Walmart, Newegg, Costco, Best Buy, Amazon, Apple|
Figure 2: Ramnit botnets and targets
As opposed to previous campaigns, the current one does not appear as aggressive – there was a total of only ~16 000 PCs infected within the month we were observing the campaign’s activity. The main infection vector is the Rig and GrandSoft Exploit Kits, as well as a distribution using the Azorult malware.
Figure 3: Ramnit botnets prevalence (September 2018)
A noteworthy detail about some of the Ramnit samples involved in this campaign is that they came with a valid digital signature, which is somewhat unusual for common crimeware:
Figure 4: Digital signature of Ramnit samples
A turning event of the campaign took place on September 24, when we noticed new activity, whereby one of the botnets, named “client”, started uploading another malware to infected PCs. The attempt of deploying this malware failed due to erroneous unpacking of the uploaded samples. In light of this, a second wave of malware upload was witnessed on September 27, this time successfully deploying a third party payload. In order to download and run this payload, Ramnit infected machines had to carry out the “getexec” command of the malware’s protocol:
Figure 5: Ramnit command to download and run another malware
In contrast to the “Black” botnet, where the internal protocol was used for deploying another malware from the same C&C server, in current campaign HTTP protocol was used and payload was placed to another server which turned out to be a shared web-hosting:
The payload distributed by Ramnit in this latest wave was identified as Azorult, and has the following C&C domain:
While we were monitoring the aforementioned URL we found out that samples it provided were updated every several hours, as specified below:
Figure 6: Azorult samples distributed by Ramnit at 28.09.2018
This was interrupted on October 1, when this URL became unavailable, instead replaced by another one which dropped a new stream of Azorult:
Figure 7: Ramnit command to download and run another malware
This new download URL also pointed to a Russian shared hosting of the very same provider we had witnessed before.
Ramnit C&C Servers
There are currently five active C&C servers in this campaign:
|Domain||Registered||C&C IP Address||Botnet||Bots|
Figure 8: Ramnit domains and C&C servers
At this point in time, Ramnit uploads a series of standard plugins to the infected PCs. They come with the following names:
- “Cookie Grabber v0.3 (IE Export)”
- “IE & Chrome & FF injector”
- “VNC (23 port) x64-x86”
- “Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)”
The Ramnit’s C&C servers started to distribute the following additional plugins on September 28:
- “Pony based pwd stealer”
- “FF&Chrome reinstall x64-x86 [silent]”
We noticed that much like in the case of a previous Ramnit botnet named “demetra”, the threat actors behind the current campaign use VPS services in ex-USSR countries, mostly Russia. The chosen hosting providers are the ones that don’t require identity verification and allow anonymous payment for the granted services.
|goldenfreeanhfirst.com||184.108.40.206||1st VDS (firstvds.ru)||Russia|
Figure 9: Ramnit C&C servers’ location
The gates that are used for collecting the stolen data via web-injects are located on another set of servers. The following gate URLs were extracted from the web-injects we had obtained:
While exploring these URLs we can observe the following panels:
Figure 10: Full Info Grabber login form
The web-injects used in this campaign employ a third-party solution to capture user credentials and account information. We identified these panels as part of the Yummba web injects service, also known as Full Info Grabber.
This service provides off-the-shelf tools that allow attackers to insert custom elements into a web page, providing a variety of public injects for a large list of countries as well as privately developed injects. Looking for details about this service, we were able to track its advertisements on the Russian forum exploit.in, dating back to 2013:
Figure 11: Yummba web injects advertisement
Web injects and panels used in this campaign could also be utilized by other malware. In fact, kioxixu[.]abkhazia[.]su was seen previously in an Osiris/Kronos Japan campaign as a web-inject C&C.
Figure 12: Osiris and Ramnit web-injects gates
As opposed to what we observed in the past, Ramnit is not a standalone botnet nowadays. Instead, it is closely tied with cyber-crime services, creating a mutual ecosystem for operation. To gain additional profit Ramnit actors provide an ability to install other malware on infected machines. At the same time, they use third-party services to empower malware with web-injects (Full Info Grabber / Yummba) as well as using exploit kits and other botnets for spreading Ramnit malware (RIG EK, GrandSoft EK, Azorult).
Azorult Download URLS:
Full Info Grabber gates:
Pony stealer gate:
TE protection – Trojan.Win.Ramnit.B