Threat Hunting Rules: Redaman RAT

Today, in the Threat Hunting Rules category, we are pleased to present a new rule developed by Ariel Millahuel that detects Redaman RAT: https://tdm.socprime.com/tdm/info/gAF3sheoIG9y/qtkZmnMBQAH5UgbBy6do/?p=1

Redaman is a banking trojan distributed through phishing campaigns. It was first seen in 2015 and reported as the RTM banking Trojan; new versions of Redaman appeared in 2017 and 2018. In September 2019, researchers identified a new version of this malware that uses a never-before-seen technique to hide Pony C&C server IP addresses inside the Bitcoin blockchain: the trojan connects to the Bitcoin blockchain and follows a chain of transactions in order to find the hidden C&C server.

A recently discovered version of the Redaman trojan shows new behavior: it modifies Root certificates and abuses rundll32 execution in order to deploy malicious files. This malware is often used in malspam campaigns, and therefore its authors are constantly improving it and teaching it new tricks.
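As an added illustration (not the SOC Prime rule itself), the Python snippet below hunts for the three behaviours named on this page, rundll32 loading a DLL from a user-writable path, a scheduled task that launches rundll32 (T1053), and a write to the machine Root certificate store by an unexpected process (T1130), over constructed Sysmon-style events. The event shape, the sample values and the allow-list of legitimate store writers are assumptions to tune per environment.

```python
import re

# Constructed Sysmon-like events (id 1 = process create, id 13 = registry value set).
# Made-up samples for illustration only, not telemetry from a real Redaman infection.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\ndsvc.dll,Start"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn upd /sc onlogon /tr "rundll32.exe C:\Users\bob\AppData\Local\Temp\ndsvc.dll,Start"'},
    {"id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
               r"\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    # Benign noise: rundll32 loading a System32 DLL, and the crypto service updating the Root store.
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
               r"\ABCDEF0123456789ABCDEF0123456789ABCDEF01\Blob"},
]

# A DLL handed to rundll32 from a user-writable directory is the suspicious part.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
# Value write into the machine-wide Root store (subkey name is the certificate's SHA-1 thumbprint).
ROOT_STORE = re.compile(r"\\SystemCertificates\\Root\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)
# Assumed allow-list of binaries that normally write the Root store; tune to the environment.
STORE_WRITERS = {"svchost.exe", "certutil.exe", "mmc.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule_name, event_index) pairs for events matching the three behaviours."""
    hits = []
    for i, ev in enumerate(events):
        img, cmd, target = basename(ev["image"]), ev.get("cmd", ""), ev.get("target", "")
        if ev["id"] == 1 and img == "rundll32.exe" and USER_WRITABLE.search(cmd):
            hits.append(("rundll32_user_writable_dll", i))
        if ev["id"] == 1 and img == "schtasks.exe" and "/create" in cmd.lower() and "rundll32" in cmd.lower():
            hits.append(("scheduled_task_rundll32_T1053", i))
        if ev["id"] == 13 and ROOT_STORE.search(target) and img not in STORE_WRITERS:
            hits.append(("root_cert_install_T1130", i))
    return hits


if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```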


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


MITRE ATT&CK: 

Tactics: Execution, Defense Evasion, Persistence, Privilege Escalation

Techniques: Install Root Certificate (T1130), Scheduled Task (T1053)


Ready to try out SOC Prime TDM? Sign up for free, or join the Threat Bounty Program to craft your own content and share it with the TDM community.