A bank’s mission statement is deeply rooted in trust in order to establish strong customer loyalty. In times of change, trust is not sufficient. A bank’s success depends on a combination of technological innovation, experience and financial strength.
Almost every bank is forced to provide a full suite of online banking tools to keep ahead of the competition and make their interactions with customers simpler, easier and more accessible.
Of course, this brings risk, chiefly the threat of cyber attacks aimed at denying the bank’s services to its customers. In fact, banks are one of the three most targeted organizations globally.
As a result, a bank not only needs to innovate its offering, but also continuously improve its online security.
In recent days, CyberInt Research Lab has discovered a re-emerging phishing campaign that delivers the Ramnit worm malware, targeting financial organizations in the Philippines. The initial infection vector is a phishing email that contains embedded malware and a link to a malicious phishing site.
Ramnit Attack Details
The attack consists of two components. First, the adversary attempts to convince employees to “verify” their sensitive data by claiming the email is part of an anti-fraud effort the company is conducting. The email links to a normal-looking URL that is hosted by the adversary.
Next, a malicious file embedded in the email’s body is downloaded to the victim’s machine and executed. The malware can copy itself to any removable device, which lets it spread to other machines with little effort. Beyond that, it creates persistence mechanisms, generates traffic to malicious C2 channels, and possesses various other capabilities such as anti-analysis, data exfiltration and spreading mechanisms.
The malicious file triggers a very common-looking alert asking the user to ‘Allow Blocked Content’, a prompt that is almost the default for emails containing embedded files or images. Once the user approves this alert, the worm gains access to the file system, enabling it to create the files it needs.
The malware is persistent, which means that it remains on the target machine after a reboot. Persistent malware is built to run again after the target computer restarts. Most often, bootkits are used to achieve this kind of persistence by inserting themselves into the Windows startup procedure. A bootkit is capable of modifying the instructions encoded in the Master Boot Record (MBR) of a Windows machine to allow the worm to operate.
2. C2 Channels
When the malicious file executes, it spawns two instances of the system’s default browser in the background. Malware that cannot communicate with an external server is not very effective, so this worm uses a domain generation algorithm (DGA) to receive instructions and transfer sensitive data. The DGA matters because a network administrator can easily block the traffic flow to a specific domain; with a DGA, blacklisting domains to prevent data leakage is much harder.
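As an added example that is not part of the original post, the following Python heuristic scans a constructed DNS query log for the random-looking second-level labels a DGA tends to produce and reports clients that resolve several of them; the log lines, thresholds and function names are assumptions, and the heuristics are not a model of Ramnit’s actual DGA.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the original post), one query per line:
# "<timestamp> <client-ip> <queried-domain>"
SAMPLE_DNS_LOG = """\
2019-02-11T09:01:12Z 10.0.5.21 www.microsoft.com
2019-02-11T09:01:15Z 10.0.5.21 kwnxqjrtpyvbzmd.com
2019-02-11T09:01:16Z 10.0.5.21 login.onlinebanking.ph
2019-02-11T09:01:19Z 10.0.5.21 vgpdmjqlxtwcybzk.net
2019-02-11T09:01:25Z 10.0.5.33 mail.google.com
2019-02-11T09:01:30Z 10.0.5.21 hjmtqzrpwlvdgnbx.org
"""

def shannon_entropy(text):
    # Bits per character; labels drawn from a random alphabet score near log2(alphabet size).
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def dga_indicators(domain):
    # Names of the heuristics the second-level label trips. Thresholds are assumptions tuned
    # for this sample. No public-suffix handling, so "x.co.uk" would be judged on "co".
    parts = domain.lower().rstrip(".").split(".")
    label = re.sub(r"[^a-z]", "", parts[-2] if len(parts) >= 2 else parts[0])
    if not label:
        return []
    tripped = []
    if len(label) >= 12:
        tripped.append("long_label")
    if shannon_entropy(label) > 3.3:
        tripped.append("high_entropy")
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.3:
        tripped.append("few_vowels")
    if max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0) >= 5:
        tripped.append("consonant_run")
    return tripped

def find_dga_candidates(log_text, min_indicators=2, min_hits=2):
    # Map client -> DGA-looking domains, keeping only clients with at least min_hits lookups:
    # a DGA beacon produces bursts of such names, while a single odd name is usually noise.
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _ts, client, domain = fields
        if len(dga_indicators(domain)) >= min_indicators:
            hits.setdefault(client, []).append(domain)
    return {c: d for c, d in hits.items() if len(d) >= min_hits}
```

Treat the output as a triage lead rather than a verdict: legitimate CDN and tracking hostnames also produce long, vowel-poor labels, so confirm with the resolver’s NXDOMAIN rate and the process that issued the lookups.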
Nowadays, it’s almost impossible to avoid virtual machine technology. It’s a convenient and cost-efficient way of running multiple instances of an OS image on the same hardware, and virtualization also allows administrators to quickly scan the different machines for malware. Nonetheless, malware has become more sophisticated and can easily outwit VM-based sandboxes. In our case, the Ramnit worm can change its behavior when it’s being analyzed by threat detection software so that it does not raise any alarms.
Ramnit - Key Characteristics
The Ramnit executable has the following capabilities once it is able to establish its two browser connections via Internet Explorer:
- Spreads via removable devices (autorun.inf).
- Creates a backdoor to the C2 server in combination with the DGA.
- Sets up an FTP server on the infected host that supports 28 commands, such as USER, PASS, CWD, MKD and LIST.
- Infects .htm, .html, .exe and .dll files with the malicious code so it can spread further.
Ramnit can become a very persistent and fast-spreading worm that affects its targets, in this case banks. Therefore, it’s important to properly scan emails and attachments before opening or viewing their content. Aside from that, check the destination of a hyperlink before browsing to it.