A “Black” botnet campaign used the Ramnit malware to infect 100,000 systems in the last two months.
Ramnit, a recycled worm from Ramnit trojan avoids detection and work against networks. Ramnit firstly registered in 2010 as banking malware attacks networked systems mainly on Windows.
“According to researchers, NIGOWEB a second stage malware caused a more massive attack while working with a black botnet.”

Malware Proxy Server: Nigoweb + Black Botnet
Black Botnet and Nigoweb create a network of malicious proxy servers which infects machines. While operating as a high-centralized botnet, they divide into an independent botnet to infect Windows computer.
In the Black operation, Ramnit malware distributes itself via spam campaigns which infilter the extensive information. Ramnit which uses its binary protocol and is entirely different from its heritage banking trojan.
In an analysis, it is found that Ramnit has its own two layers of encryption which prevent its detection from antimalware and antiviruses.
Report from Check Point Analysis
“The proxy malware Ramnit supports back-connect mode, a relay mode, IP version 4 and 6 protocols. The first sample of Ramnit seen in 2017 supports TCP and UDP transport.”
The operators are building a massive, multi-purpose proxy botnet that could repeatedly be used for any number of nefarious purposes. This proxy server malware spread cryptomining, ransomware or other malware with DDoS attack and infiltrate the information.
In 2015, Europe announced the takedown of Ramnit C2 malware but later in the same year; the IBM security experts found a new version of Ramnit banking Trojan.
“This C&C server was active since 6th March 2018 but didn’t put attention because on the “black” botnet. However, in May-July 2018 researchers have detected many fraudulent activities.
A Complex Proxy Approach of Nigoweb
Ngioweb operates as both a regular back-connect proxy and a relay proxy. It offers a connection to a remote user for infecting the host. Sometimes Nigoweb access the local network internal resources on the infected machines.
As a relay proxy, Nigoweb makes chains of proxies after which user can’t trace the nefarious activities. Nigoweb will cover black botnet and Ramnit to avoid detection.
Black botnet first publishes the address of a victim machine in DNS and then resolves the address by connecting to it. Now the infected machine creates a new connection to the server to infect the host.
Ngioweb uses a two-stage C2 infrastructure; an unencrypted HTTP connection and an encrypted channel for controlling the malware.
Domain names resolved to the IP address of the Black C2 server controls old bots first seen in 2015. Researchers said. Here, finding the address of a botnet is difficult.
Also, antimalware tools fail to predict whether the address belongs to the attacker or merely another bot. Since the antimalware tools fail, the C2 server does not upload additional modules, but web injects Ramnit.

Ramnit Trojan to Black Botnet
The Black botnet is the result of the evolution of Ramnit trojan. In 2010 Ramnit was a self-replicating worm. However, in 2011 Ramnit used the Zeus banking trojan’s source code and became a banking trojan.
Ramnit steals banking credentials, hacks social networking accounts and hijack FTP log-in. Moreover, cyber attackers have enhanced evasion techniques of Ramnit to protect triggering of software.
Additionally, the combination of a mule to Ramnit disables your computer.
Ramnit in the shadow of Black Botnet has infected more than 4 million Windows computers by 2015 in fraud services.
We recommend Malware Crusher at your home based Windows computer systems.
Tips to Prevent virus and malware from Infecting Your System:
- Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for Chrome, Mozilla, and IE
- Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
- Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
- Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool