Ramnit keeps coming back

June 2, 2018

SonicWall has been observing a new variant of Ramnit lately. Ramnit, a persistent VBScript worm that first appeared around 2010, is known for spreading aggressively by self-replicating and injecting itself into other processes, executables, DLL and HTML files. Historically, Ramnit used compromised websites to host malicious VBScript that infected users visiting those pages. The Ramnit botnet infrastructure attracted a lot of attention and was taken down in a major operation.


Infection Cycle:

Using social engineering attacks or phishing email campaigns, the payload file is delivered to users. Upon launching the file, it executes VBScript and drops the malicious executable "svchost.exe", which replicates and injects itself into system files and processes. It then opens a back door and connects to a C&C server to steal information from the compromised computer.


Although the file extension is .html, its header and format have been crafted to look like a PDF in order to evade detection. A PDF static analyzer would fail to parse the VBScript stream content, and dynamic analysis would not help either, because PDF does not support VBScript.

As shown below, the malicious VBScript is appended after the PDF content.
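The masquerade described above (a PDF header with VBScript appended after the document body) can be checked for directly. The following is an added example written for this post, not SonicWall code; it assumes the lookalike file begins with the standard PDF magic bytes and treats anything after the final %%EOF, plus VBScript or HTML markers, as a finding. The sample bytes are constructed for the demonstration and are not the real Ramnit dropper.

```python
import re

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
# Markers that have no business in a genuine PDF: an HTML wrapper,
# a VBScript script tag, or typical VBScript object creation calls.
SCRIPT_MARKERS = [
    re.compile(rb"<html", re.I),
    re.compile(rb"<script[^>]*vbscript", re.I),
    re.compile(rb"createobject\s*\(", re.I),
    re.compile(rb"wscript\.shell", re.I),
]


def scan_pdf_lookalike(name: str, data: bytes) -> dict:
    """Flag a file that starts like a PDF but carries script content.

    Returns a dict of findings; an empty dict means nothing suspicious.
    Only files with a PDF header are examined, since the technique here
    is a PDF header bolted onto an HTML/VBScript file.
    """
    findings = {}
    if not data.startswith(PDF_MAGIC):
        return findings
    # A PDF header on a non-.pdf file name (e.g. .html) is itself a signal.
    if not name.lower().endswith(".pdf"):
        findings["extension_mismatch"] = name.rsplit(".", 1)[-1].lower()
    # Content after the last %%EOF is where the appended script lives.
    eof = data.rfind(PDF_EOF)
    trailer = data[eof + len(PDF_EOF):] if eof != -1 else b""
    if trailer.strip():
        findings["bytes_after_eof"] = len(trailer)
    hits = [p.pattern.decode() for p in SCRIPT_MARKERS if p.search(data)]
    if hits:
        findings["script_markers"] = hits
    return findings


# Constructed sample mimicking the layout: PDF body, then HTML + VBScript.
SAMPLE_LOOKALIKE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    b'<html><script language="vbscript">\n'
    b'Set sh = CreateObject("WScript.Shell")\n'
    b"</script></html>\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
```

Run `scan_pdf_lookalike("invoice.html", SAMPLE_LOOKALIKE)` on the constructed sample to see all three findings populated; the same function on a clean PDF returns an empty dict.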
Upon launching the file in Internet Explorer, an ActiveX warning pops up in newer versions of IE. The VBScript in the HTML page is executed once ActiveX is allowed. It then creates svchost.exe, drops it into the user's %Temp% directory and finally runs it from that path.

svchost.exe creates further executable files, "Desktoplayer.exe" and "DesktoplayerSrv.exe". It then starts looking for HTML files on the system and infects them by appending the malicious VBScript to each one.

svchost.exe, running from the %Temp% location, changes system registry entries, spawns the process "chrome.exe" and later injects itself into it. The malicious svchost.exe then runs under the spawned "chrome.exe" process.

Once the system is compromised, it connects to the C&C server fget-career.com, which has previously been involved in Ramnit campaigns.

The activity of Ramnit is also available below in PDF format.

SonicWALL Threat Lab provides protection against this threat via the following signature:

  • Ramnit.VBS.Dropper