Chapter 2 continues the Ramnit/drIBAN investigation, detailing how sLoad and Ramnit are connected and how MiTB attacks and injection kits are delivered. It covers Ramnit’s capabilities, the Lua-coded web inject kit, DGA-based C2, persistence, and anti-analysis measures used by the operators. #Ramnit #drIBAN #sLoad #PowerSploit #Zeus #Lua
Keypoints
- Ramnit evolved from a 2010 worm into a modern banking trojan with advanced evasion, DGA capabilities, and web-inject features (ATS techniques).
- The sLoad loader injects Ramnit into memory via a modified PowerSploit module, enabling in-memory execution and remote process injection.
- Ramnit uses WmiPrvSE.exe to spawn child processes (ImagingDevices.exe, Wab.exe, Wabimg.exe) and perform reflective DLL injection for MiTB.
- Man-In-The-Browser-style web injects hook target browser processes to capture data and modify interactions during fraud attempts.
- The web-inject kit includes Lua-coded configuration with local and remote payloads to tailor injections for targeted corporate banking sites.
- Persistence is achieved through a classic autorun-like mechanism, creating three startup files executed at every reboot, with encryption used to hide the code.
- Ramnit employs a Domain Generation Algorithm (DGA) to obtain C2 domains and can extract indicators from memory during operation.
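The parent/child process relationship in the key points above (WmiPrvSE.exe spawning ImagingDevices.exe, Wab.exe or Wabimg.exe) is a concrete, host-level signal a defender can alert on. The following is an added example, not code from the Cleafy report: it parses a constructed process-creation log (Sysmon-style ParentImage/Image/ProcessId fields, a format assumed here) and returns the process IDs whose lineage matches that pattern.

```python
# Added detection example (not from the original report): flag process-creation
# events in which WmiPrvSE.exe is the parent of one of the child images the
# write-up associates with Ramnit's MiTB injection stage.
from dataclasses import dataclass

SUSPICIOUS_PARENT = "wmiprvse.exe"
SUSPICIOUS_CHILDREN = {"imagingdevices.exe", "wab.exe", "wabimg.exe"}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    pid: int


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], int(fields["ProcessId"]))


def is_suspicious(ev: ProcEvent) -> bool:
    """True when WmiPrvSE.exe spawned one of the child images listed above."""
    return (
        basename(ev.parent_image) == SUSPICIOUS_PARENT
        and basename(ev.image) in SUSPICIOUS_CHILDREN
    )


def find_suspicious(lines) -> list:
    """Return the PIDs of all events matching the Ramnit parent/child pattern."""
    return [ev.pid for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample log: two hits (4120, 4200), one benign Wab.exe launched by
# explorer.exe, and one WmiPrvSE.exe child that is not on the watch list.
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|Image=C:\\Windows\\System32\\ImagingDevices.exe|ProcessId=4120",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Windows Mail\\wab.exe|ProcessId=4188",
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|Image=C:\\Windows\\System32\\conhost.exe|ProcessId=500",
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|Image=C:\\Program Files\\Windows Mail\\wab.exe|ProcessId=4200",
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

WmiPrvSE.exe is also the parent of any process started through WMI by legitimate administration tooling, so the child-image list is what keeps this rule specific; tune it to the images actually observed rather than alerting on every WmiPrvSE.exe child.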
MITRE Techniques
- [T1055] Process Injection – Ramnit's core module is injected in memory by sLoad and then reflectively injects a DLL into a remote process (‘in-memory via sLoad’ and ‘reflectively injects a .dll into a remote process’).
- [T1059] Command and Scripting Interpreter – The attackers leverage a modified PowerSploit module to perform Ramnit in-memory injection (‘PowerSploit module for injecting the proper Ramnit core module in-memory via sLoad’).
- [T1483] Domain Generation Algorithms – Ramnit uses a DGA to generate its C2 domains (‘Domains generated from the Ramnit DGA algorithm’).
- [T1027] Obfuscated/Compressed Files and Information – The Ramnit code is encrypted to protect it from detection (‘encryption of the actual code related to Ramnit, it’s a strategy that pays off’).
- [T1547] Boot or Logon Autostart Execution – Ramnit creates startup files that execute on each reboot (‘autorun program that starts the infection chain from scratch’ and ‘three files … executed each time the victim’s machine is rebooted’).
- [T1056] Input Capture – Ramnit hooks target processes to perform the Man-In-The-Browser technique (‘hook target processes that are going to be used to perform the Man-In-The-Browser technique’).
Indicators of Compromise
- [Hash] Ramnit installer – 94a98e5c3621133d40128cb334dedbec
- [IP] Ramnit C2 controller – 185.80.53.199
Read more: https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-2