Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.
Ramnit is one of the most popular banking malware families in existence today, it was first spotted in 2010 as a worm, in 2011, its authors improved it starting from the leaked Zeus source code turning the malware into a banking Trojan. In 2014 it reached the pinnacle of success, becoming the fourth largest botnet in the world.
In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.
A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.
Recently the experts observed that the “Black” botnet campaign has infected up 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.
There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).
“Recently we discovered the Ramnit C&C server (188.8.131.52) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.
“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”
According to the experts, in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware dubbed Ngioweb.
“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.
“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”
Ngioweb leverages a two-stage C&C infrastructure, the STAGE-0 C&C server informs the malware about the STAGE-1 C&C server while the unencrypted HTTP connection is used for this purpose. The second STAGE-1 C&C server is used for controlling malware via an encrypted connection.
The Ngioweb malware can operate in two main modes, the Regular back-connect proxy, and the Relay proxy mode.
In a relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.
The following sequence of actions is used for building a hidden service using the Ngioweb botnet:
- Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
- Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
- Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
- Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
- Bot-B connects to Bot-A.
- Bot-A creates new connection to Server-X and works as relay between Server-X and Bot-B.
Further details, including the IoC, are reported in the analysis published by Checkpoint.