Delaware, USA – January 24, 2019 – Financially motivated attackers are targeting victims in Russia this time, the Palo Alto threat intelligence team reports. Redaman malware was spotted being distributed in malspam campaigns during the last four months of 2018.
The emails delivering Redaman mostly targeted recipients with email addresses ending in .ru who conduct transactions through Russian financial institutions. The recipients were vaguely informed about a financial issue that needed to be resolved and received a zip, 7-zip, rar or gzip archive. Once the archive was opened and the file inside double-clicked, Redaman execution began.
Redaman behaves as a typical banking trojan: it first checks whether it is running in an analysis environment. It then drops a DLL file in the user’s \Temp\ directory, creates a folder under the \ProgramData\ directory and moves the DLL there, where it is made persistent as a scheduled Windows task.
Redaman monitors browser activity and looks for financial information. This trojan is also capable of downloading additional malware, acting as a keylogger, adding certificates and changing DNS settings to redirect users to the attackers’ servers. Adversaries often use built-in tools such as the Task Scheduler to gain persistence; therefore it is necessary to spot and investigate suspicious events on Windows systems. You can use the free SIEM rule pack to monitor events in the areas of access control, user management, group management and maintenance of systems and services: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight
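As an added example of the kind of check a SIEM rule would encode for the persistence pattern described above (this is illustration code, not from the SOC Prime post, the rule pack, or Palo Alto's report), the script below scans Windows Security "scheduled task created/updated" events (Event IDs 4698 and 4702) and flags any task whose action loads a DLL from under \ProgramData\ or \Temp\. The event field names (EventID, RecordId, SubjectUserName, TaskName, TaskContent) are assumed to be how a log collector normalizes the event; the sample records, task names, the upd_cache folder and the rundll32 launch line are all constructed for the example and are not indicators from the report.

```python
"""
Added example (not from the SOC Prime post or Palo Alto's report): flag Windows
scheduled-task events whose action runs a DLL staged under \ProgramData\ or
\Temp\, the persistence pattern the post attributes to Redaman.
All sample records below are constructed; no real indicators are used.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Security log events: 4698 = task created, 4702 = task updated (both carry TaskContent XML)
TASK_EVENT_IDS = {4698, 4702}

# Task Scheduler XML namespace used in the TaskContent field
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Drop directories named in the post; either separator and any letter case are accepted
STAGING_DIR = re.compile(r"[\\/](programdata|temp)[\\/]", re.IGNORECASE)
DLL_REF = re.compile(r"\.dll\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    record_id: int
    task_name: str
    created_by: str
    command_line: str
    reason: str


def task_actions(task_xml: str) -> Iterator[Tuple[str, str]]:
    """Yield (command, arguments) for every <Exec> action in a TaskContent document."""
    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        yield command, arguments


def assess_event(event: dict) -> List[Finding]:
    """Return one Finding per task action that loads a DLL from a staging directory."""
    if event.get("EventID") not in TASK_EVENT_IDS:
        return []
    findings: List[Finding] = []
    for command, arguments in task_actions(event["TaskContent"]):
        # Quotes are dropped so quoted and unquoted paths are matched the same way
        command_line = (command + " " + arguments).replace('"', "").strip()
        if STAGING_DIR.search(command_line) and DLL_REF.search(command_line):
            findings.append(Finding(
                record_id=event["RecordId"],
                task_name=event["TaskName"],
                created_by=event["SubjectUserName"],
                command_line=command_line,
                reason="scheduled task action loads a DLL from \\ProgramData\\ or \\Temp\\",
            ))
    return findings


def scan(events) -> List[Finding]:
    """Run assess_event over a batch of parsed event records."""
    results: List[Finding] = []
    for event in events:
        results.extend(assess_event(event))
    return results


def _task_xml(command: str, arguments: str) -> str:
    """Build a minimal TaskContent document (constructed; real events carry more nodes)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        "<Command>" + command + "</Command><Arguments>" + arguments + "</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events: one benign system task, one DLL staged under ProgramData,
# one benign vendor updater, and an update (4702) of the suspicious task.
SAMPLE_EVENTS = [
    {"EventID": 4698, "RecordId": 1001, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"EventID": 4698, "RecordId": 1002, "SubjectUserName": "ivanov",
     "TaskName": r"\UpdaterSvc",
     "TaskContent": _task_xml(r"C:\Windows\System32\rundll32.exe",
                              r"C:\ProgramData\upd_cache\client.dll,Start")},
    {"EventID": 4698, "RecordId": 1003, "SubjectUserName": "ivanov",
     "TaskName": r"\VendorUpdate",
     "TaskContent": _task_xml(r'"C:\Program Files\Vendor\update.exe"', "--silent")},
    {"EventID": 4702, "RecordId": 1004, "SubjectUserName": "ivanov",
     "TaskName": r"\UpdaterSvc",
     "TaskContent": _task_xml(r"C:\Windows\System32\rundll32.exe",
                              r"C:\ProgramData\upd_cache\client.dll,Start")},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.record_id}] {finding.task_name} by {finding.created_by}: "
              f"{finding.command_line} -> {finding.reason}")
```

Running the script reports only records 1002 and 1004: the system defrag task and the vendor updater under Program Files are left alone, while both the creation and the later update of the task that points rundll32 at a DLL in \ProgramData\ are surfaced. Covering 4702 alongside 4698 matters because a task registered with a harmless action and later re-pointed at a staged DLL would otherwise slip past a creation-only rule.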