New version of Ramnit malware targets UK Bank

Last month Microsoft discussed Ramnit, and noted that, “in the recent update Ramnit has replaced the Zbot [Zeus] hook module with its own developed hook module. By doing this, Ramnit finally has its own bank stealth module which can be updated by itself and does not rely on Zbot updates anymore.” It added, “Ramnit is a frequently updated threat which gets updated by its developer every day.”

These two observations are borne out today by a new alert from Trusteer, whose security team “recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam.” It is, suggests Etay Maor, fraud prevention solutions manager at Trusteer, the outcome of the continuing battle between attackers and defenders, with attackers being forced to develop increasingly sophisticated social engineering techniques. “Some malware variants go as far as creating custom, localized pages that are generated based on the victim’s language preference. After all, you wouldn’t want a victim who accesses the Spanish version of an eCommerce site to see an English version, would you?”

The latest update to Ramnit combines its own new fraud capabilities with the new attention to detail noted by Maor. In this version, the malware stays idle until the victim has successfully logged into his or her bank account. It then injects either a page informing the user that he needs to “configure [his] OTP Service Phone Number,” or an alternative page requesting the user to set up “a new transfer-processing system for your personal internet banking.” The injected page involves a ‘temporary receiver number’.

While this is displayed and the victim is reading, Ramnit connects to its C&C server and obtains the details of a designated money mule. The user then receives a one-time passcode from the bank, and a temporary receiver number from Ramnit. The latter, however, is the account number of the designated money mule obtained from the C&C server. So when the user enters both, he is unknowingly authorizing a hidden money transfer to the mule’s account.
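The scam works because the passcode the bank sends tells the victim nothing about what it will authorize. The following is an added example, not code from the article, Trusteer or any bank, of the server-side control that closes that gap: the OTP is bound to the transfer details and the out-of-band message names the destination account, so a mule’s number supplied by the malware would be visible to the user. The secret, window length, session id, account numbers and amounts are constructed for the example.

```python
# Added example: transaction-bound one-time passcode (not from the article).
# The OTP is an HMAC over the session, destination account, amount and issue
# time, and the SMS text carries the same details the code will authorise.
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # in practice a per-user server-side key
WINDOW_SECONDS = 300                       # assumption: OTP validity window


def _canonical(session_id, dest_account, amount_pence, issued_at):
    # Fixed field order; the OTP is only valid for exactly these values.
    return f"{session_id}|{dest_account}|{amount_pence}|{issued_at}".encode()


def issue_otp(session_id, dest_account, amount_pence, now=None):
    """Issue a 6-digit OTP for one specific transfer and build the SMS text."""
    issued_at = int(now if now is not None else time.time())
    mac = hmac.new(SERVER_SECRET,
                   _canonical(session_id, dest_account, amount_pence, issued_at),
                   hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    # The message names what the code authorises, so a "temporary receiver
    # number" injected into the browser would not match what the user reads.
    sms = (f"Code {code} authorises a payment of GBP {amount_pence / 100:.2f} "
           f"to account {dest_account}.")
    return {"code": code, "issued_at": issued_at, "sms": sms}


def verify_otp(code, session_id, dest_account, amount_pence, issued_at, now=None):
    """Accept the code only for the transfer it was issued for and within the window."""
    now = int(now if now is not None else time.time())
    if now < issued_at or now - issued_at > WINDOW_SECONDS:
        return False
    expected = issue_otp(session_id, dest_account, amount_pence, now=issued_at)["code"]
    return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    # Constructed values: the malware would present 87654321 as the mule account.
    issued = issue_otp("sess-1", "87654321", 25000, now=1_700_000_000)
    print(issued["sms"])
    print(verify_otp(issued["code"], "sess-1", "87654321", 25000,
                     issued["issued_at"], now=1_700_000_060))
```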

But, says Maor, the story doesn’t end there. The fraudsters need time to get the money safely hidden, and consequently need to allay any suspicions from the user. “Anticipating that some suspicious users may reference the bank’s FAQ page,” he says, “Ramnit authors took the extra step of altering the FAQ section to fit the new process.” So if the victim gets concerned and checks the bank’s FAQ for reassurance, Ramnit injects a slightly altered response. The genuine FAQ talks about the use of OTP for a ‘transaction’. This would raise suspicions since the user has not performed or is not performing, to his knowledge, a transaction. What he sees from the FAQ, however, is reference to an ‘operation’ – which he has just performed, or now will perform. In fact, the word ‘transaction’ is changed to ‘operation’ throughout the FAQ.

“By changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there.” Just another example of the criminals going the extra mile in their social engineering.
