Redaman Banking Trojan of 2015 Resurrects, Targets Russian Email Users
A 2015-era banking trojan is seen actively spreading in the wild again, this time specifically targeting potential victims from a specific country only. Palo Alto Networks detected massive number of phishing emails containing the Redaman banking trojan targeting emails ending with .ru domain. Formerly known as RTM banking trojan in 2015, the Redaman malware is spreading through Russian-language spam emails containing a .pdf pretend file. Once opened, the attached .pdf file does not open directly in Adobe reader but unpack itself to a regular trojan horse, infecting the PC where it is opened. Other versions of the phishing email uses .zip, .gz or rar files instead of PDF, but the effect is the same. The program contained in the pretend file executes instead of opening the associated program for the file extension.
“Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru. These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document,” explained Palo Alto Networks.
The focus of the phishing campaign is against Russian email users (2894 samples), followed by Netherlands with 195, Sweden with 24 and the United States with 55 samples. The Redaman malware is updated with the capability to detect if the system it runs is a real hardware or a virtual machine. It refuses to infect a system if it determines that it is not running on a real hardware platform. Unlike the RTM banking trojan, Redaman has the capability to edit the DNS configuration of the infected computer, save the content of the Windows Clipboard, capability to forcibly terminate a Windows process and even add rogue certificates in the Windows Certificate database.
The malware is also universally browser version aware, as it supports all versions of Chrome and Firefox browsers and legacy browser like Internet Explorer. By attaching itself into the running browser, it monitors the activities in the computer as it contains RAT-like (Remote Access Trojan) features in hopes to one-day capture banking information/user credential. The malware is expected to gain more features as its virus authors are obviously trying to improve their creation, to further increase the chance to steal banking information from unsuspecting users.
“After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself. Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector. Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions. We found over 100 examples of malspam during the last four months of 2018. We expect to discover new Redaman samples as 2019 progresses,” emphasize the Palo Alto Networks.
Currently, it is still unknown where the new version of Redaman originally came from, but the samples of malware came from: Russia (3,456 sessions), Belarus (98), Ukraine (93), Estonia (29), Germany (30), United States (21), Netherlands (12), Great Britain (7), Switzerland (7), and Latvia (2).