{
	"id": "c9a31731-d633-4b64-82c2-f451cf92f624",
	"created_at": "2026-04-06T00:09:02.324234Z",
	"updated_at": "2026-04-10T13:12:59.519982Z",
	"deleted_at": null,
	"sha1_hash": "2d4dc68bbc1a73c435ccf4ba8e886bbc1e61e62d",
	"title": "Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183383,
	"plain_text": "Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems\r\nBy Aleksandr Matrosov\r\nArchived: 2026-04-05 23:05:15 UTC\r\nMalware\r\nWin32/Spy.Ranbyus shows how it is possible to bypass payment transaction signing/authentication with smartcard devices and has started to modify Java code in one of the most popular remote banking systems (RBS) in Ukraine.\r\n19 Dec 2012 • 2 min. read\r\nI’ve already mentioned the Win32/Spy.Ranbyus family in my previous blog post about smartcard monitoring in modern banking malware (Smartcard vulnerabilities in modern banking malware). It displays really interesting functionality because it shows how it is possible to bypass payment transaction signing/authentication with smartcard devices. We have been tracking the latest modification to this malware family, and the trojan Ranbyus has started to modify Java code in one of the most popular remote banking systems (RBS) in Ukraine, BIFIT's iBank 2. ESET Virus Radar statistics show that Ukraine is the region most affected by Ranbyus infection.\r\nThis banking trojan doesn’t have web-injection functionality and instead implements a targeted attack on specific banking/payment software. Win32/Spy.Ranbyus collects information about the infected system (active processes, OS version and so on) and forwards it to its command center. The main functionality for stealing money is based on a set of various form grabbers for specific payment software. For example, grabbers for software developed for the Java platform look like this:\r\nhttps://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/\r\nPage 1 of 4\r\nI’ve already disclosed information about Java patching functionality in another banking malware family, Carberp (Carberp Gang Evolution: CARO 2012 presentation). Carberp has specific functionality for modifying the JVM (Java Virtual Machine) and tracking payment software activity. Ranbyus is based on a different method, modifying Java code only for a specific application without changing the JVM. For example, Ranbyus can modify the balance figures so as to hide information about fake transactions implemented through the malware.\r\n[Tracked Java methods used by Win32/Spy.Ranbyus]\r\nIn addition, Win32/Spy.Ranbyus can block RBS software activity and show the following message in the Russian language:\r\nTranslated from the Russian, the message looks like this:\r\n“Technical work is being performed on the server, and the service may be temporarily unavailable. We apologize for the inconvenience”.\r\nRanbyus targets Ukrainian and Russian banks and is never seen in campaigns targeting other regions. The command center panel for the Win32/Spy.Ranbyus botnet looks like this:\r\nThe Carberp gang is the (crime) market leader in the Russian region and has already secured a safe position in the top 20 most active threats in Russia for a full year (Carberp, the renaissance). Ranbyus has the leading position among banking malware in the Ukrainian region.\r\nThe SHA1 hash for the Win32/Spy.Ranbyus.I dropper mentioned here is:\r\nee6c14f26962447a30823f9f8d20a53d29322617\r\nSpecial thanks to my colleagues Anton Cherepanov and Dmitry Volkov (Group-IB).\r\nAleksandr Matrosov, Security Intelligence Team Lead\r\nSource: https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/"
	],
	"report_names": [
		"win32spy-ranbyus-modifying-java-code-in-rbs"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d4dc68bbc1a73c435ccf4ba8e886bbc1e61e62d.pdf",
		"text": "https://archive.orkl.eu/2d4dc68bbc1a73c435ccf4ba8e886bbc1e61e62d.txt",
		"img": "https://archive.orkl.eu/2d4dc68bbc1a73c435ccf4ba8e886bbc1e61e62d.jpg"
	}
}