Pierluigi Paganini January 24, 2019

A still ongoing spam campaign that has been active during the last months has been distributing the Redaman banking malware.

Experts at Palo Alto Networks continue to monitor an ongoing spam campaign that has been distributing the Redaman banking malware.

The malware was first observed in the threat landscape in 2015, most of the victims were customers of Russian financial institutions. The malicious code was initially reported as the RTM banking Trojan, both Symantec and Microsoft detected Redaman in 2017 and classified it as a variant of RTM.

Between September and December 2018 the experts observed a variant of the Redaman banking malware that was in Russian language and that was distributed via spam campaigns. 

Threat actors target Russian email recipients (email addresses ending in .ru) with messages using archived Windows executable files disguised as a PDF document.

“Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru.” reads the analysis published by Palo Alto Networks.

“These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.”

In the last campaign, Palo Alto Networks detected 3,845 email sessions with Redaman attachment.

The top 5 senders were Russia (3,456 sessions), Belarus (98), Ukraine (93), Estonia (29), and Germany (30), while the top 5 recipients were Russia (2,894), Netherlands (195), United States (55), Sweden (24), and Japan (16).

When Windows executable first run, the Redamhe checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.

When proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.

The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.

“After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself. ” continues the analysis. 

“Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.”

The Redaman the activity of the most popular browsers (Chrome, Firefox, and Internet Explorer), it is able to download files, log keystrokes, capture screenshots and record video of the desktop, collect and exfiltrate financial data, monitor smart cards, shut down the infected host, modify DNS configuration, steal clipboard data, terminate running processes, and add certificates to the Windows store.

“Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions.” Palo Alto Networks concludes. 

“We found over 100 examples of malspam during the last four months of 2018. We expect to discover new Redaman samples as 2019 progresses,”

Pierluigi Paganini

(SecurityAffairs – Redaman banking Trojan, spam)

[adrotate banner=”5″] [adrotate banner=”13″]