Ramnit, a banking trojan whose botnet survived a takedown attempt in 2015, is continuing its comeback in 2017, after coming back to life at the end of 2015 and regaining its strength over the course of 2016.
Ramnit's history began in 2010, when the trojan was first detected as a simple worm that helped spread other, more sophisticated threats.
Despite those humble beginnings, Ramnit became a banking trojan in 2011, after its creators used the recently leaked Zeus banking trojan source code to improve their own malware.
From that point on, Ramnit quickly established itself as one of the Top 5 banking trojans on the market, and security firms estimated that over a period of three to four years the trojan infected a total of over 3.2 million users.
Ramnit's success didn't go unnoticed, and in February 2015 Europol, with the help of several law enforcement agencies, ISPs, and security firms, took down a large number of command and control servers used by the trojan's botnet.
Unfortunately, the takedown was incomplete: some of Ramnit's infrastructure survived, and authorities never managed to arrest its creators.
The first signs that Ramnit was making a comeback came to light nine months later, in November and December 2015, when Threatglass and IBM detected new Ramnit infections targeting Canadian, Australian, US, and Finnish banks.
By August 2016, Ramnit made a complete comeback, even putting out a completely revamped version that focused mainly on UK banks, and which security researchers started referring to as Ramnit v2.
The graph below, courtesy of Trend Micro, shows Ramnit's evolution in the past two years, including a spike of activity in May 2016, caused by a campaign that used the Angler exploit kit to deliver another Ramnit variant.
But don't be fooled by the above chart. The dip in activity detected in December 2016 can be attributed to the holiday season, a time of year when even malware authors take a break.
According to independent security researcher MalwareTech, Ramnit activity has come back to life after the holidays, and continued to grow, based on a chart he shared with Bleeping Computer.
"Ramnit continued to grow for a couple of days after the initial spike then settled around 5,500 bots online per day," the researcher told Bleeping Computer, citing data he gathered via his custom botnet tracker, which is an infrastructure that picks up communications between infected hosts and sinkholed Ramnit C&C servers.
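The "bots online per day" figure above is what a sinkhole operator gets by counting the distinct infected hosts that check in to a seized C&C domain each day. The script below is an added example of that counting, not MalwareTech's tracker code; the log format (ISO timestamp, source IP, requested C&C hostname) and the hostname `c2.example.invalid` are assumptions, and the log lines are constructed for the demo.

```python
"""Count distinct bots per day from sinkhole check-in logs.

Added example for this article, not the tracker MalwareTech runs.
The line format (timestamp, source IP, C&C hostname) is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per connection the sinkholed C&C received.
# The hostname is a placeholder; the IPs are from documentation ranges.
SAMPLE_LOG = """\
2017-02-06T03:12:44Z 203.0.113.10 c2.example.invalid
2017-02-06T03:12:50Z 203.0.113.10 c2.example.invalid
2017-02-06T09:41:02Z 198.51.100.7 c2.example.invalid
2017-02-07T00:05:13Z 203.0.113.10 c2.example.invalid
2017-02-07T11:22:31Z 192.0.2.55 c2.example.invalid
2017-02-07T11:22:31Z 192.0.2.56 c2.example.invalid
garbage line that should be skipped
2017-02-08T08:00:00Z 198.51.100.7 c2.example.invalid
"""


def parse_hits(text):
    """Yield (date, src_ip) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts.date(), parts[1]


def bots_per_day(text):
    """Map each day (ISO string) to the number of distinct IPs that checked in.

    Distinct source IPs is the usual proxy for "bots online": repeated
    check-ins from one host are collapsed. It undercounts hosts behind a
    shared NAT and overcounts hosts whose address changes during the day.
    """
    seen = defaultdict(set)
    for day, ip in parse_hits(text):
        seen[day].add(ip)
    return {day.isoformat(): len(ips) for day, ips in sorted(seen.items())}


def total_unique_bots(text):
    """Distinct IPs across the whole log, i.e. the botnet's observed size."""
    return len({ip for _, ip in parse_hits(text)})


if __name__ == "__main__":
    for day, count in bots_per_day(SAMPLE_LOG).items():
        print(day, count)
    print("unique bots:", total_unique_bots(SAMPLE_LOG))
```

On the sample log the per-day counts are 2, 3 and 1, while the whole log contains 4 distinct hosts, which is why a daily "bots online" figure is always lower than the cumulative infection count security firms report.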
According to the researcher, during the past month, the Ramnit crew focused mainly on US targets.
"Seems like the US has a bad case of Ramnits" pic.twitter.com/oY7vwPhPwe
MalwareTech (@MalwareTechBlog), February 8, 2017
The researcher's observations are also confirmed by statistics from IBM X-Force, which show that Ramnit has slowly crawled its way back into the Top 10 most active banking trojans, ranking #5 in January 2017, just behind infamous banking trojans such as Zeus, Neverquest, Gozi, and Dridex.
End users and organizations need to keep an eye out for this ever-evolving threat, which currently targets the customers of several banks across the globe but can also harvest stored credentials from applications such as FTP clients, email clients, and browsers.