
Botnet Ramnit infects over 100,000 machines in two months

Published August 24, 2018; updated February 28, 2019

Safeway – SOC team

A new campaign involving the Ramnit botnet infected more than 100,000 computers in two months and could foreshadow an even bigger cybercriminal attack.

According to Check Point Research, threat actors launched a global series of attacks as part of an operation code-named "Black", likely starting in May.

Ramnit has been in operation since 2010 and is well known as a banking Trojan. Its role in Operation Black is to provide a backdoor into infected machines and extract information from them. Once installed, the malware provides an entry point for another botnet, Ngioweb, which can operate either as a regular back-connect proxy or in a relay proxy mode.

More proxies, more problems

Although Ramnit may essentially be acting as a distribution mechanism for Ngioweb, the end result can be chains of proxy servers. These chains make it harder for defenders to see what kind of services the threat actors are running, because those services are hidden behind a bot's IP address. The larger this group of botnets becomes, the more readily it can be used for all kinds of harmful purposes, according to the researchers.

By publishing an infected machine's address through a public channel such as the Domain Name System (DNS), for example, an attacker could connect to a second infected machine through relay proxy mode. The first infected machine then becomes the relay between the second machine and the attacker's host, a further connection can be added in the same way, and so on. The complexity of this approach not only keeps the intruders' activity hidden, but also allows the proxy network to grow in capability quickly.

How to defend against Ramnit from the first stage

Because Ramnit is considered the first-stage malware in Operation Black, security professionals should start there when it comes to prevention. In line with the IBM® X-Force Incident Response and Intelligence Services (IRIS) cyber attack preparedness framework, security teams should determine which users are most active on customer-facing web pages and establish a baseline of normal behavior, which makes abnormalities easier to detect early.

Chief information security officers (CISOs) and their teams should also be alert to attackers' attempts to map user-facing web pages and request sequences, and should close any inbound vulnerabilities they find. That way, the moment someone lets Ramnit in, there may still be time to stop Ngioweb from following closely behind.
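One way to implement the baseline-and-deviation check recommended above, as an added example that is not part of the original article or of the Check Point research: it builds a per-user baseline of request volume and page spread from one window of web access logs and flags users who deviate sharply in a later window. The log format, user names and the `factor` threshold are constructed assumptions.

```python
# Baseline per-user activity on customer-facing pages, then flag sharp deviations.
# Constructed sample lines in the assumed form "timestamp user path" (not real traffic).
from collections import defaultdict
from statistics import median

BASELINE_LOG = [
    "2018-08-01T10:00:00 alice /account",
    "2018-08-01T10:01:00 alice /transfer",
    "2018-08-01T10:02:00 alice /statements",
    "2018-08-01T10:03:00 bob /account",
    "2018-08-01T10:04:00 bob /statements",
    "2018-08-01T10:05:00 carol /account",
]
DETECT_LOG = [
    "2018-08-02T10:00:00 alice /account",
    "2018-08-02T10:00:05 alice /transfer",
    "2018-08-02T10:00:06 alice /transfer",
    "2018-08-02T10:00:07 alice /beneficiaries",
    "2018-08-02T10:00:08 alice /transfer",
    "2018-08-02T10:00:09 alice /settings",
    "2018-08-02T10:00:10 alice /transfer",
    "2018-08-02T10:01:00 bob /account",
]

def per_user_stats(lines):
    """Return {user: (request_count, distinct_path_count)} for one log window."""
    counts, paths = defaultdict(int), defaultdict(set)
    for line in lines:
        _ts, user, path = line.split()
        counts[user] += 1
        paths[user].add(path)
    return {u: (counts[u], len(paths[u])) for u in counts}

def build_baseline(lines):
    """Per-user normal values, plus population medians used for unseen users."""
    users = per_user_stats(lines)
    return {"users": users,
            "median": (median(v[0] for v in users.values()),
                       median(v[1] for v in users.values()))}

def flag_anomalies(baseline, lines, factor=2.0):
    """Flag users whose request volume or page spread exceeds `factor` times
    their own baseline (population median for users never seen before)."""
    flagged = {}
    for user, (reqs, npaths) in per_user_stats(lines).items():
        base_req, base_paths = baseline["users"].get(user, baseline["median"])
        reasons = []
        if reqs > factor * base_req:
            reasons.append(f"{reqs} requests vs baseline {base_req}")
        if npaths > factor * base_paths:
            reasons.append(f"{npaths} distinct pages vs baseline {base_paths}")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Flagged users are candidates for review, not verdicts; tune `factor` and the window length against your own traffic before acting on the output.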

Source: Check Point Research
