Experts at Palo Alto Networks continue to monitor an ongoing spam campaign that has been distributing the Redaman banking malware.
The malware was first observed in the threat landscape in 2015, most of the victims were customers of Russian financial institutions. The malicious code was initially reported as the RTM banking Trojan, both Symantec and Microsoft detected
Between September and December 2018 the experts observed a variant of the
Threat actors target Russian email recipients (email addresses ending in .ru) with messages using archived Windows executable files disguised as a PDF document.
“Since September of 2018,
“These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.”
In the last campaign, Palo Alto Networks detected 3,845 email sessions with R
The top 5 senders were Russia (3,456 sessions), Belarus (98), Ukraine (93), Estonia (29), and Germany (30), while the top 5 recipients were Russia (2,894), Netherlands (195), United States (55), Sweden (24), and Japan (16).
When Windows executable first run, the Redamhe checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.
When proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.
The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user
“After creating a scheduled task and causing the DLL to load, the initial
The Redaman the activity of the most popular browsers (Chrome, Firefox, and Internet Explorer), it is able to download files, log keystrokes, capture screenshots and record video of the desktop, collect and exfiltrate financial data, monitor smart cards, shut down the infected host, modify DNS configuration, steal clipboard data, terminate running processes, and add certificates to the Windows store.
“Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions.” Palo Alto Networks concludes.
“We found over 100 examples of malspam during the last four months of 2018. We expect to discover new