Ramnit is a banking trojan that was first discovered in 2010. It is one of the top 5 banking trojans worldwide but is especially prevalent in the APAC region as the third most common malware and second most common banking trojan, according to Check Point’s 2023 Cyber Security Report.
Ramnit is a banking trojan, meaning that it is primarily intended to steal account credentials for online banking. However, like many banking trojans, Ramnit is designed to be highly modular, enabling it to collect additional types of credentials such as those for social media, email, and other accounts or to download and deploy other malware.
Ramnit is often spread via phishing campaigns that may deploy multi-stage malware. Once the target falls for the initial phishing campaign and runs the malware, it downloads and executes additional malware that eventually launches the Ramnit trojan. Ramnit will then attempt to collect banking credentials and may download additional Ramnit modules or other malware to achieve the attacker’s goals.
One of the distinguishing features of the Ramnit malware is the use of both hardcoded domains and a domain generation algorithm (DGA) for command and control. Malware using a DGA generates a sequence of random-looking domains to which it sends command and control traffic. The attacker’s command and control server runs the same DGA and registers these domains, directing the traffic to the attacker-controlled system. By using a DGA, the malware can avoid DNS blocklists because it is constantly using new, unblocked domains for its traffic.
Since Ramnit is a modular banking trojan, the primary threat of the malware is the loss of an individual’s login credentials for online banking, which may result in the theft of funds or the user’s identity.
However, the Ramnit malware also can deploy additional modules or be used as a delivery vector for other malware variants. This means that the impact of a Ramnit infection depends on the details of the attack campaign and the malicious functionality that is successfully executed on the infected device.
Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.
Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.
Some best practices for protecting against the Ramnit banking trojan include:
Ramnit is one of the leading banking trojans and a common malware variant, especially in the APAC region. However, it is only one of several cybersecurity threats that companies face. For more information about the leading malware threats and the current cyber threat landscape, check out Check Point’s 2023 Cyber Security Report.
Check Point Harmony Endpoint offers comprehensive threat prevention and detection for Ramnit, other malware, and various threats to the security of an organization’s endpoints. For more information about Harmony Endpoint and to learn how it can help to enhance your organization’s malware threat prevention capabilities, sign up for a free demo today.