Today, in the Threat Hunting Rules category, we are pleased to present to you a new rule developed by Ariel Millahuel that detects Redaman RAT: https://tdm.socprime.com/tdm/info/gAF3sheoIG9y/qtkZmnMBQAH5UgbBy6do/?p=1
Redaman is a banking trojan distributed through phishing campaigns. It was first seen in 2015 and reported as the RTM banking Trojan; new versions of Redaman appeared in 2017 and 2018. In September 2019, researchers identified a new version of this malware that uses a never-before-seen technique to hide Pony C&C server IP addresses inside the Bitcoin blockchain: the trojan connects to the Bitcoin blockchain and follows a chain of transactions in order to find the hidden C&C server.
A recently discovered version of the Redaman trojan shows new behavior: it modifies Root certificates and abuses rundll32 execution in order to deploy malicious files. This malware is often used in malspam campaigns, and therefore its authors are constantly improving it and teaching it new tricks.
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Execution, Defense Evasion, Persistence, Privilege Escalation
Techniques: Install Root Certificate (T1130), Scheduled Task (T1053)
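As an added example (not part of this post and not the logic of the SOC Prime rule, which is not reproduced here), the Python below applies three hunting heuristics for the behaviors described above, root certificate installation (T1130), rundll32 loading a DLL from a user-writable path, and scheduled-task persistence (T1053), to constructed process-creation events. The field names, sample command lines and path patterns are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 style fields);
# illustrative only, not telemetry from a real Redaman infection.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore -f Root C:\Users\bob\AppData\Local\Temp\ca.cer"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\svc.dll,Start"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "rundll32.exe C:\Users\bob\AppData\Roaming\svc.dll,Start"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},          # benign
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tools\a.exe SHA256"},     # benign
]

# Directories an unprivileged user can write to (assumed list, extend per environment).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)

def _image_is(event, name):
    return event["Image"].lower().endswith("\\" + name)

def detect_root_cert_install(event):
    """T1130: certutil adding a certificate to the Root store."""
    return _image_is(event, "certutil.exe") and bool(
        re.search(r"-addstore\b.*\bRoot\b", event["CommandLine"], re.I))

def detect_rundll32_user_path(event):
    """rundll32 loading a DLL from a user-writable directory (Execution / Defense Evasion)."""
    return _image_is(event, "rundll32.exe") and bool(USER_WRITABLE.search(event["CommandLine"]))

def detect_schtask_persistence(event):
    """T1053: scheduled task whose action runs rundll32 or a user-writable payload."""
    cmd = event["CommandLine"]
    return (_image_is(event, "schtasks.exe") and bool(re.search(r"/create\b", cmd, re.I))
            and bool(re.search(r"rundll32", cmd, re.I) or USER_WRITABLE.search(cmd)))

RULES = [
    ("redaman_root_cert_install", "T1130 Install Root Certificate", detect_root_cert_install),
    ("redaman_rundll32_user_path", "Defense Evasion: rundll32", detect_rundll32_user_path),
    ("redaman_schtask_persistence", "T1053 Scheduled Task", detect_schtask_persistence),
]

def hunt(events):
    """Return one (rule, technique, command line) hit per matching rule and event."""
    return [(name, technique, ev["CommandLine"])
            for ev in events for name, technique, pred in RULES if pred(ev)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The two benign events (rundll32 loading a system DLL, certutil hashing a file) produce no hits, which is the false-positive check a practitioner would want before deploying such heuristics.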