Researchers at Check Point discovered a large botnet called Black, created by the operators of the Ramnit banking trojan.
Ramnit first became known in 2010. At that time the malware was a network worm, but in 2011 it was improved with the leaked source code of the Zeus Trojan, and it is currently one of the most popular banking Trojans. In 2014, Ramnit ranked fourth among the largest botnets. In 2015, the botnet's C&C infrastructure was disabled through the joint efforts of Interpol and technology companies. However, a few months later a new version of the Trojan appeared.
The recently discovered Black botnet managed to infect 100 thousand systems in just two months, and this is just the beginning. According to the researchers, the second stage of the campaign is now under way, during which the Ngioweb malware is being distributed.
As the researchers report, the Ramnit C&C server (188.8.131.52) has been active since March 6 of this year, but at that time it did not attract attention because of the botnet's small scale. However, in May-July a new malicious campaign was recorded, during which 100 thousand systems were infected.
Ramnit spreads through spam. Once installed on a system, the malware downloads the Ngioweb malware, which is a multifunctional proxy server that uses its own protocol with two levels of encryption.