Leading Ramnit banking trojan seeks to steal payment card data


Online shopping is an increasingly popular activity, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season increased nearly 9% to a record $204.5 billion. Mastercard says purchases jumped 8.5% this year from 2020 and 61.4% from pre-pandemic levels.

Cybercriminals do not miss this trend. The Ramnit Trojan, in particular, went on a shopping spree designed to take over people’s online accounts and steal their payment card data.

IBM X-Force researchers track malware activity and targeting throughout the year. They have seen a diverse collection of Ramnit configuration files over the years. Not only was Ramnit the most active banking Trojan in 2021, but this malware has also been a cybercrime tool for over a decade. It continues to target people and service providers when it’s online shopping season.

More recently, the Ramnit malware has been targeting a long list of brands and online retailers, clearly going into holiday shopping mode. Among the top brands are travel and accommodation platforms, with Ramnit targeting people looking to get away for the holidays.

Figure 1: Top active banking Trojans in 2021

Ramnit: takeover of accounts since 2010

Ramnit performs simple but effective operations on infected devices. While other cybercrime gangs have moved on to larger corporate bounties and ransomware/extortion attacks, Ramnit continues to focus on consumers. Once resident on an infected device, it monitors browsing for websites on its target list and then enters information-stealing mode. It usually snatches login credentials, but its web injections can also trick victims into providing payment card details or other personal data.

In the current web injection analyzed by IBM X-Force, Ramnit uses an external script that is inserted into live web sessions from its remote server. The look and feel of the injection is identical across targets, and all injections are served from the same command and control servers:

hxxps://lillliliiliiillil[.]com/cc/js/

hxxps://lillliliiliiillil[.]com/ba/js/

Victims see a pop-up on screen when they access a targeted URL, asking them to enter their payment card details. Typically, this information is used for card-not-present fraud, whether online or over the phone.

Figure 2: Simplistic injections are used for all targets, requesting payment card data

As part of its obfuscation, this injection replaces string literals with references into a lookup array whose entries are encoded as hex or Unicode escape sequences. For example:

var _0x2f90 = ["", "\x64\x6F\x6E\x65", "\x63\x61\x6C\x6C\x65\x65", "\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x3F\x74\x69\x6D\x65\x3D", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65", "\x76\x65\x72", "\x46\x46", "\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72", "\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64", "\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65", "\x63\x6F\x6D\x70\x6C\x65\x74\x65", "\x6D\x73\x69\x65\x20\x36", "\x69\x6E\x64\x65\x78\x4F\x66", "\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65", "\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x49\x45\x36", "\x6D\x73\x69\x65\x20\x37", "\x49\x45\x37", "\x6D\x73\x69\x65\x20\x38", "\x49\x45\x38", "\x6D\x73\x69\x65\x20\x39", "\x49\x45\x39", "\x6D\x73\x69\x65\x20\x31\x30", "\x49\x45\x31\x30", "\x66\x69\x72\x65\x66\x6F\x78", "\x4F\x54\x48\x45\x52", "\x5F\x62\x72\x6F\x77\x73\x2E\x63\x61\x70", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x65", "\x6E\x6F\x6E\x65", "\x68\x74\x6D\x6C", "\x70\x6F\x73\x69\x74\x69\x6F\x6E", "\x66\x69\x78\x65\x64", "\x74\x6F\x70", "\x30\x70\x78", "\x6C\x65\x66\x74", "\x77\x69\x64\x74\x68", "\x31\x30\x30\x25", "\x68\x65\x69\x67\x68\x74", "\x7A\x49\x6E\x64\x65\x78", "\x39\x39\x39\x39\x39\x39", "\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64", "\x23\x46\x46\x46\x46\x46\x46"];

When unobfuscated, this turns out to be:

var _0x2f90 = ["", "done", "callee", "script", "createElement", "type", "text/javascript", "src", "?time=", "appendChild", "head", "getElementsByTagName", "ver", "FF", "addEventListener", "DOMContentLoaded", "readyState", "complete", "msie 6", "indexOf", "toLowerCase", "userAgent", "IE6", "msie 7", "IE7", "msie 8", "IE8", "msie 9", "IE9", "msie 10", "IE10", "firefox", "OTHER", "_brows.cap", "getElementById", "display", "style", "none", "html", "position", "fixed", "top", "0px", "left", "width", "100%", "height", "zIndex", "999999", "background", "#FFFFFF"];
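The decoding step described above is mechanical, and an analyst triaging a suspicious script wants it automated: recover the string table, then check whether the recovered names are the ones a web injection needs (creating a script element, appending it to the document head, and drawing a fixed, high z-index overlay). The following Node.js code is an added example, not IBM X-Force's tooling or Ramnit's own code; the indicator lists are a heuristic chosen for this example, and the sample script is an abridged copy of the array quoted in the article, with one entry rewritten as \u escapes to show that both encodings are handled.

```javascript
// Added example (not from the IBM X-Force article): recover a hex/Unicode
// escaped JavaScript string table of the kind Ramnit's web injection uses,
// then flag the DOM and script-loading API names the injection relies on.
// Plain Node.js, no dependencies.

// Constructed sample: the opening entries of the obfuscated array quoted in
// the article, with "position" re-encoded as \u escapes. String.raw keeps the
// backslashes intact so the escapes arrive as text to be decoded.
const SAMPLE_SCRIPT = String.raw`var _0x2f90 = ["", "\x64\x6F\x6E\x65", "\x63\x61\x6C\x6C\x65\x65",
  "\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
  "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74",
  "\x73\x72\x63", "\x3F\x74\x69\x6D\x65\x3D", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64",
  "\x68\x65\x61\x64", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65",
  "\u0070\u006F\u0073\u0069\u0074\u0069\u006F\u006E", "\x66\x69\x78\x65\x64", "\x7A\x49\x6E\x64\x65\x78"];`;

// Decode \xHH and \uHHHH escapes in a single pass, so a decoded backslash
// (\x5C) can never be re-read as the start of a second escape.
function decodeEscapes(literal) {
  return literal.replace(
    /\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, hex2, hex4) => String.fromCharCode(parseInt(hex2 !== undefined ? hex2 : hex4, 16))
  );
}

// Find the first "var _0x... = [ ... ];" string table in a script and return
// its name plus the decoded entries, or null if no such table is present.
function extractStringTable(source) {
  const table = /var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[([\s\S]*?)\];/.exec(source);
  if (!table) return null;
  const literal = /"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'/g;
  const strings = [];
  let m;
  while ((m = literal.exec(table[2])) !== null) {
    strings.push(decodeEscapes(m[1] !== undefined ? m[1] : m[2]));
  }
  return { name: table[1], strings };
}

// Heuristic indicator sets (chosen for this example): the names needed to
// load a remote script into the page, and the names needed to paint a
// full-page overlay like the card-entry pop-up in the article.
const REMOTE_SCRIPT_LOADER = ["createElement", "script", "src", "appendChild"];
const PAGE_OVERLAY = ["position", "fixed", "zIndex"];

function assessStringTable(strings) {
  const present = (names) => names.filter((n) => strings.includes(n));
  const loader = present(REMOTE_SCRIPT_LOADER);
  const overlay = present(PAGE_OVERLAY);
  return {
    matched: loader.concat(overlay),
    loadsRemoteScript: loader.length === REMOTE_SCRIPT_LOADER.length,
    overlaysPage: overlay.length === PAGE_OVERLAY.length,
  };
}

// Stand-alone run: decode the sample and print the verdict.
const sampleTable = extractStringTable(SAMPLE_SCRIPT);
if (sampleTable) {
  console.log(`${sampleTable.name}:`, sampleTable.strings.join(", "));
  console.log(assessStringTable(sampleTable.strings));
}

module.exports = { decodeEscapes, extractStringTable, assessStringTable };
```

The decoder only touches the string table, which is usually enough for triage: once the table is readable, the index references in the rest of the script (for example `_0x2f90[4]` for `createElement`) can be resolved by hand or by a second pass. The two indicator sets are independent, so a script that loads remote code without drawing an overlay, or vice versa, still surfaces in the report rather than being masked by an all-or-nothing score.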

With these generic injections, researchers see Ramnit targeting a plethora of brands and e-commerce accounts with top retailers. Some hotel giants are also on Ramnit’s list of targets.

A prominent banking trojan for over a decade

Ramnit is a leading banking malware that has been active in the wild since 2010. It started out as a self-replicating worm, taking advantage of removable drives and network shares to spread to new endpoints. As the project matured, Ramnit was turned into a banking Trojan.

In 2011, the developer of Ramnit apparently decided to borrow pieces of source code from the leaked Zeus v2 Trojan, effectively turning Ramnit into a banking Trojan that steals user credentials and deploys in-session web injections.

Between 2011 and 2014, the Ramnit Trojan rose to prominence in the cybercrime space, ranking among the top 10 most prevalent financial malware codes. Ramnit infections were rife in North America, Europe and Australia, where its local targets included a multitude of recruitment sites, likely with the aim of recruiting mules.

Ramnit configurations were usually very long and featured a fairly extensive list of online anti-malware scanners, antivirus product websites, cybercrime news sites, and security blogs. This list was designed to steer victims away from security checks that would identify the infection. In some cases, the mere presence of the word “cybercrime” or “police” in the URL typed by victims triggered a redirect to another website.

At the end of February 2015, a Europol operation, in collaboration with information security provider Symantec, attempted to dismantle the Ramnit project by taking down the botnets operated by the Ramnit gang. A few days later, another vendor (Dr. Web) published a blog post stating that the Ramnit botnet was still alive. In December 2015, IBM X-Force reported renewed Ramnit activity targeting banks and e-commerce in Canada, Australia, the United States, and Finland.

In more recent campaigns, Ramnit is delivered in booby-trapped productivity files, most often via malicious macros.

According to IBM X-Force Threat Intelligence, the Ramnit source code remains the property of the gang operating it and continues to be active as we move into 2022.

To keep up to date with malware campaigns and tactics, techniques and procedures, follow IBM X-Force research at: securityintelligence.com/category/x-force/

If your organization needs help protecting customers against banking Trojans, please visit the IBM Trusteer page: www.ibm.com/security/fraud-protection/trusteer

IOC

C2 Servers

hxxps://lillliliiliiillil[.]com/cc/js/

hxxps://lillliliiliiillil[.]com/ba/js/

Sample

Ramnit MD5: d194da95c851f252e496229a90353bc9
