Ramnit Trojan reveals overlooked seasonal threat to the enterprise

News by Davey Winder

There is a seasonal pattern to malware attacks which is particularly clear from analysing the behaviour of the Ramnit banking Trojan, according to researchers at Check Point.

Check Point's threat researchers report a resurgence in attacks driven by the Ramnit banking Trojan, a seasonal rise in banking Trojan activity that the company has now noted for the second year running.

In the case of Ramnit, it has doubled its global impact during the summer, pushing the Trojan into sixth place in the Global Threat Index. More than 100,000 infections were spotted at the start of the summer.

Ramnit mainly operates by turning victim machines into malicious proxy servers. The current operation has been dubbed the black campaign after the RC4 key value (black) the botnet uses to encrypt its traffic, and it is this campaign that has exposed the dangers of seasonality across the threat landscape.

The Trojan itself is nothing new, of course, and dates back to 2015. In March this year Check Point researchers noticed some activity, but the very low capacity of the black botnet didn't create much cause for concern. From May to July, however, capacity and campaign infection rates spiked and then some.

So, why might the summer be such a productive season for the criminals behind such campaigns? "If you were to speculate, you might presume that criminal hackers may be younger than average, teenage to university age with time on their hands while school is out," Corey Nachreiner, CTO at WatchGuard Technologies, told SC Media UK. "However, our data has not shown Ramnit to surface more in the summer and even if we did, it would be hard to empirically say why without more data."

The notion of seasonal malware campaigns isn't as ludicrous as it may at first sound, though, according to Ed Williams, director EMEA of SpiderLabs at Trustwave. Think of staff going on holiday and forwarding their email to colleagues who are less familiar with that job role. Add to that, he said, phishing campaigns that are increasingly well researched and targeted.

"Returning from holiday may lead to overflowing mailboxes and a slew of unread emails," Williams told SC. "In a rush to clear their mailbox, maybe that normal rigour is replaced with haste and that 'urgent' email is opened..."

Assuming there really are seasonal variations in threat activity, do they affect the enterprise, both in the risk it faces and in how it should plan its mitigation?

It may sound like a daft question, but Paul McEvatt, senior cyber threat intelligence manager at Fujitsu, doesn't think it's a red herring and said that "there is value in correlating these campaigns across customers, and Fujitsu’s own threat intelligence and analysis supports this."

The largest campaigns Fujitsu observed in July were sent on Fridays and often timed six hours ahead of the UK, so that they were delivered to UK customers before staff arrived for work. "Potential reasons are a reduction in network defenders due to annual leave," McEvatt said, "and perhaps a more relaxed attitude of staff on Friday as they head into the weekend."
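To test whether your own gateway data shows the Friday and pre-work-hours pattern McEvatt describes, here is an added example (not code from the article or from Fujitsu) that buckets detection timestamps by local weekday and hour; the log lines are constructed, and the local offset of UTC+1 (British Summer Time) is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of mail-gateway detections with UTC timestamps (not real data).
SAMPLE_LOG = """\
2018-07-06T01:30:00Z phish_blocked campaign=invoice-lure
2018-07-06T02:10:00Z phish_blocked campaign=invoice-lure
2018-07-06T02:45:00Z phish_blocked campaign=invoice-lure
2018-07-09T13:00:00Z phish_blocked campaign=parcel-lure
2018-07-11T09:20:00Z phish_blocked campaign=parcel-lure
2018-07-13T01:55:00Z phish_blocked campaign=invoice-lure
2018-07-13T03:05:00Z phish_blocked campaign=invoice-lure
2018-07-17T15:40:00Z phish_blocked campaign=parcel-lure
2018-07-20T02:20:00Z phish_blocked campaign=invoice-lure
2018-07-26T23:30:00Z phish_blocked campaign=invoice-lure
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z phish_blocked\b")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_detections(text):
    """Yield timezone-aware UTC datetimes for well-formed detection lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def profile(text, local_offset_hours=1):
    """Count detections by local weekday and hour; +1 assumes BST (an assumption).
    A detection just before midnight UTC rolls over to the next local weekday."""
    tz = timezone(timedelta(hours=local_offset_hours))
    by_day, by_hour = Counter(), Counter()
    for ts in parse_detections(text):
        local = ts.astimezone(tz)
        by_day[WEEKDAYS[local.weekday()]] += 1
        by_hour[local.hour] += 1
    return by_day, by_hour


def pre_work_share(by_hour, start_of_day=8):
    """Fraction of detections that landed before the local working day began."""
    total = sum(by_hour.values())
    early = sum(n for hour, n in by_hour.items() if hour < start_of_day)
    return early / total if total else 0.0
```

Run `profile(SAMPLE_LOG)` over real gateway exports in place of the constructed sample; a high `pre_work_share` concentrated on one weekday is the signal worth checking SOC cover against.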

Sam Curry, chief security officer at Cybereason, agrees that seasonal variations affect the enterprise just as they do our private lives, markedly for some verticals and barely at all for others. "From retail IT freezes in November and December to finance sensitivity at tax time," Curry said, "there are geographic, industry and size-related idiosyncrasies that cause enterprises to behave differently and expose different weaknesses."

By way of example, he points to DDoS and ransomware attacks, which are particularly damaging to retail enterprises from Black Friday and Cyber Monday through the first day of January. "A demand for ransom in this window has a much higher chance of being paid," Curry concludes.

Corey Nachreiner doesn't think it's a daft question, either, telling SC that "there are certain types of threats that are strongly correlated to seasonal events." For instance, WatchGuard clearly sees an increase in certain types of phishing during strong retail sale periods. "On one hand, you are right," Nachreiner adds, "the defences for these phishing emails don’t change a lot: however, it is still important to be more on the lookout for them during that season."

The best mitigation for seasonal threat variations is the same as for any other threat, though – a layered approach to security that covers all potential attack vectors.

"Security is something that’s to be enforced equally against all potential attack vectors," insists Liviu Arsene, senior e-threat analyst at Bitdefender. "Protecting against banking Trojans should be given the same seriousness as protecting against advanced persistent threats."

It is a point reinforced by Tim Helming, director of product management at DomainTools, who told SC Media UK, "A security posture needs to be as strong as the organisation can make it, 24/7/365. So it's more a matter of making sure that, during holiday-heavy months, the security functions are adequately covered and the SOC is run at full capability at all times."
