Ramnit
This unique banking trojan started out in 2010 as a worm and, sometime after the Zeus source code leak, acquired parts of the Zeus code and became a banking trojan.Ramnit has continued to evolve in terms of sophistication, technique, and scope as a botnet since becoming a banking trojan. It remains active despite a shutdown of 300 command-and-control servers in February 2015.51 After this setback, Ramnit reappeared in late 2015 and again in mid 2016.52 In early 2017, F5 labs published a technical article breaking down Ramnit’s new disappearing configuration file. Like many other banking trojans, Ramnit has broadened its scope in recent years. Over the 2017 holiday season, Ramnit’s target list was 64% eCommerce retailers in addition to financial services institutions. In 2018, Ramnit continued to work quickly, infecting over 100,000 machines in two months.Ramnit continues to be distributed via exploit kit and still runs active campaigns today, most recently returning back to target Italian financial institutions.