Ranbyus

(Type: Banking trojan, Backdoor, Info stealer, Credential stealer, Botnet)

(ESET) This banking trojan doesn’t have web-injection functionality and instead implements a targeted attack on specific banking/payment software. Win32/Spy.Ranbyus collects information about the infected system (active processes, OS version and so on) and forwards it to its command center. The main functionality for stealing money is based on a set of various form grabbers for specific payment software.

[News Analysis] Trends:

Total news mentions: 6 (one per referenced article listed under References below)

Mentions per year
Year   Mentions
2012   2
2013   1
2015   1
2016   1
2022   1

Mentions per month
Month      Mentions
Jun 2012   1
Dec 2012   1
Jan 2013   1
May 2015   1
2016       1 (month not given in the source)
Apr 2022   1


[News Analysis] Other threat names mentioned in the same news articles (number - name, as given by the source):

20 - Bateleur
20 - BELLHOP
20 - Griffon
20 - SQLRat
20 - POWERSOURCE
20 - Andromeda
20 - BABYMETAL
20 - BlackCat
20 - BlackMatter
20 - BOOSTWRITE
20 - Carbanak
20 - Cobalt Strike
20 - DNSMessenger
20 - Dridex
20 - DRIFTPIN
20 - Gameover P2P
20 - MimiKatz
20 - Murofet
20 - Qadars
20 - Ranbyus
20 - SocksBot


[TTP Analysis] Technique Performance:

No information

[TTP Analysis] Mitre Attack Matrix:

Tactic ID   Tactic
TA0043      Reconnaissance
TA0042      Resource Development
TA0001      Initial Access
TA0002      Execution
TA0003      Persistence
TA0004      Privilege Escalation
TA0005      Defense Evasion
TA0006      Credential Access
TA0007      Discovery
TA0008      Lateral Movement
TA0009      Collection
TA0011      Command and Control
TA0010      Exfiltration
TA0040      Impact

No techniques are listed under any tactic on this page.


[Infrastructure Analysis] Based on Related IOC:

IP:Port   Timestamp
Domain    Timestamp
URL       Timestamp

No related IOCs are listed on this page.


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

LE GROUPE CYBERCRIMINEL FIN7 (The FIN7 cybercriminal group)

2022-04-27 by ANSSI from ANSSI

Analysis of Attacks against Trading and Bank Card Systems

2016 by Group-IB from Group-IB

The DGA of Ranbyus

2015-05-22 by Johannes Bader from Johannes Bader Blog

Trojan.Win32/Spy.Ranbyus

2013-01-27 by Xylitol from Xylibox Blog

Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems

2012-12-19 by Aleksandr Matrosov from ESET Research

Smartcard vulnerabilities in modern banking malware

2012-06-05 by Aleksandr Matrosov from ESET Research

Basic Information (Credit @etda.or.th)

Tool: Ranbyus

Names: Ranbyus

Description: (ESET) This banking trojan doesn’t have web-injection functionality and instead implements a targeted attack on specific banking/payment software. Win32/Spy.Ranbyus collects information about the infected system (active processes, OS version and so on) and forwards it to its command center. The main functionality for stealing money is based on a set of various form grabbers for specific payment software.

Category: Malware

Type: Banking trojan, Backdoor, Info stealer, Credential stealer, Botnet

Information: https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/

Information: https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/

Information: http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html

Information: https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus

Last-card-change: 2020-05-22

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
