Researchers at Proofpoint have been keeping an eye on the Ramnit banking Trojan for some time now, but they first spotted the use of a particular PowerShell downloader back in May.
This new downloader is called sLoad and a newly published report by those researchers reveals it includes some rather nifty recon features. The most notable is the use of geofencing to reduce the noise associated with security researcher machines and home in on relevant banking users.
The campaigns using sLoad have also been gathering data regarding running processes on the infected system, whether Outlook or Citrix-related files are present, taking screenshots, loading external binaries and checking the DNS cache for specific domains such as the banks being targeted.
When it comes to geofencing, sLoad really does not disappoint. Not only has this technique been a primary driver in the targeting of banks specifically in Canada, Italy and the UK, but it has also been applied at multiple points in the infection chain.
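The recon behaviours described above (DNS cache inspection, process enumeration, Outlook/Citrix checks, screenshots, payload downloads) and the repeated geolocation lookups are easier to spot in PowerShell script-block logs when they co-occur than one at a time. The following triage helper is an added example, not code from the report or from sLoad; the regex patterns and the two sample events are assumptions constructed for illustration.

```python
import re

# Recon behaviours the report attributes to sLoad, mapped to PowerShell constructs
# a SOC analyst might see in script-block logging (Event ID 4104). The regexes are
# illustrative assumptions, not patterns taken from sLoad's actual code.
RECON_PATTERNS = {
    "dns_cache":      re.compile(r"Get-DnsClientCache|ipconfig\s+/displaydns", re.I),
    "process_list":   re.compile(r"Get-Process|tasklist", re.I),
    "outlook_citrix": re.compile(r"\\Outlook\b|\.pst\b|\.ost\b|\bCitrix\b|\.ica\b", re.I),
    "screenshot":     re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.I),
    "geo_lookup":     re.compile(r"ip-api\.com|ipinfo\.io|geoip", re.I),
    "download":       re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I),
}

def recon_categories(script_block: str) -> set:
    """Return the set of recon categories whose patterns match the script text."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(script_block)}

def is_suspicious(script_block: str, threshold: int = 3) -> bool:
    """One Get-Process or one download is routine admin work; several distinct
    recon behaviours in a single script block are the pattern worth triaging."""
    return len(recon_categories(script_block)) >= threshold

def triage(events, threshold: int = 3):
    """events: iterable of (event_id, script_text). Returns flagged ids with their hits."""
    return [(eid, sorted(recon_categories(text)))
            for eid, text in events if is_suspicious(text, threshold)]

# Constructed sample events for demonstration (not real telemetry).
SAMPLE_EVENTS = [
    ("evt-1", "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending"),
    ("evt-2", "$d = ipconfig /displaydns; $p = Get-Process; "
              "$o = Test-Path \"$env:APPDATA\\Microsoft\\Outlook\"; "
              "$g = (New-Object Net.WebClient).DownloadString('http://ip-api.com/json'); "
              "$b = New-Object System.Drawing.Bitmap 1024,768; "
              "[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"),
]

if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS):
        print(f"{eid}: {len(hits)} recon behaviours -> {', '.join(hits)}")
```

The threshold is the tuning knob: a single category is common in legitimate administration, so alert on the combination rather than on any one pattern.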
The author of the report, Chris Dawson, project threat intelligence lead at Proofpoint, told SC Media UK that while geofencing is relatively common as far as banking Trojans are concerned, "the pervasiveness of geofencing that occurs throughout the infection chain is a bit more unusual".
Dawson also said that sLoad examined the DNS cache of infected machines, "looking for evidence that the machines had been used to access online banking sites with webinjects configured in the final Ramnit payload".
The geolocation checks intrigued Jose Miguel Esparza, head of threat intelligence at Blueliv, who also said that "the case of sLoad is interesting because those geolocation checks are not just performed at once, but rather at different points in the infection chain".
It's a trend that Ed Williams, EMEA director of SpiderLabs at Trustwave, reckons will continue "and become even more advanced as the game of cat and mouse continues!"
Limiting the availability of malware downloads based on the IP of a potential victim has historically been the preserve of more advanced attacks and banking Trojans in particular, so this is worrying.
"Given the relative simplicity of implementing such a system, especially considering its frequent use by legitimate websites such as multinational shops and media outlets, it's not overly surprising to see it used in this manner," said Luke Somerville, head of special investigations at Forcepoint.
Equally, it's worrying that the more organised cyber-criminals are finding that targeting banking malware at the specific IP ranges of target banks is oh-so effective. Chris Doman, security researcher at AlienVault, told us that in the case of Gauss (which only ran on a very limited set of machines) "as far as I'm aware, six years after the second stage payload, it still hasn't been analysed by researchers".
It's not just banking malware that's getting clever with victim targeting, either. From the perspective of IoT malware and botnets, Radware has seen BrickerBot and others use fingerprinting to identify IoT devices before attacking them.
"IoT search engines such as Shodan, Censys and ZoomEye can be integrated in exploit software through REST APIs," warns Radware's EMEA security evangelist Pascal Geenens. "And instead of randomly scanning IP ranges the software only targets a list of IPs found through searching in the IoT search engine for specific criteria matching their set of vulnerabilities."
We'll leave the last word, though, to Tod Beardsley, Rapid7's research director. While he agrees that checking the host's source IP address is pretty clever, he notes that it also comes with a defensive upside. "People who habitually use VPNs that terminate outside of Ramnit's target space will have a happy side effect of finding themselves immune to Ramnit," Beardsley said.