Redaman uses screen capture and keylogging to capture the credentials needed to log in to bank accounts online. A new malware campaign targeting Russian speakers uses debt threats and missing payments to dupe victims into downloading and running a banking Trojan.
The round of attacks, as described by Palo Alto Networks' Unit 42 security team, was tracked over the last four months of 2018.
The attack vector is wide and involves the mass distribution of spam and phishing emails rather than targeted attacks. However, the emails use a number of subject lines designed to cause panic or fear in unsuspecting victims: the threat of debts or payments owed, a situation many of us know.
These subject lines include "Debt due on Wednesday", "Payment Verification" and "Document package for payment on 1 October", amongst other financial issues. The subject headers are constantly changing, but the researchers say that "all have a common theme: they refer to a document or file for an alleged financial problem to be resolved by the recipient."
"These messages are often vague and contain few details about the alleged financial problem," added Unit 42. "Their only goal is to trick the recipient into opening the attached archive and double-clicking on the executable inside."
The campaign focuses on spreading the so-called Redaman banking Trojan. This malware was first discovered in 2015 and was first known as the RTM banking Trojan.
The executable containing the Trojan first runs a check to determine whether it is executing inside a sandbox, the kind of environment security researchers commonly use to unpack and analyse malware samples. If it finds files or directories that suggest virtualization or sandboxing on the Windows machine, the executable simply exits.
If the target machine appears legitimate, the Windows executable drops a DLL file into the PC's temporary directory, creates a randomly named folder in the ProgramData directory, and moves the DLL into that folder, again under a random file name.
The Redaman DLL then creates a scheduled Windows task that runs every time the user logs on to the machine, which is how it maintains persistence.
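The drop-and-persist sequence above (random folder under ProgramData, random DLL name, logon-triggered scheduled task) leaves an artefact that defenders can hunt for. The following is an added example written for this article, not code from Unit 42 or from the malware: it parses the Task Scheduler XML definitions Windows keeps on disk and flags any logon-triggered task whose command line references a DLL under ProgramData. It assumes the DLL is loaded through rundll32.exe (the article says only that a scheduled task runs the DLL), and the task, folder, file and export names in the sample definitions are constructed for illustration.

```python
r"""Hunt for logon-triggered scheduled tasks that load a DLL from a
folder under ProgramData, the persistence pattern described above.

Added example, not Unit 42's or Redaman's code. Input is the Task
Scheduler XML that Windows stores one-file-per-task under
C:\Windows\System32\Tasks (the same format Export-ScheduledTask emits).
Assumptions: the DLL is loaded via rundll32.exe, and all names in the
sample definitions below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional, Union

# Default XML namespace used by every Task Scheduler task definition
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# A DLL sitting directly in a ProgramData subfolder, anywhere on a command line
PROGRAMDATA_DLL = re.compile(
    r'(?:[A-Za-z]:\\ProgramData|%ProgramData%)\\([^\\"]+)\\([^\\"]+\.dll)',
    re.IGNORECASE,
)


def analyse_task(xml_text: Union[str, bytes]) -> Optional[Dict[str, str]]:
    """Return a finding when the task has a LogonTrigger and one of its Exec
    actions references a DLL under ProgramData; otherwise None."""
    root = ET.fromstring(xml_text)
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is None:
        return None  # not logon-triggered: not the pattern we are hunting
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (action.findtext("t:Command", "", TASK_NS) or "").strip()
        arguments = (action.findtext("t:Arguments", "", TASK_NS) or "").strip()
        match = PROGRAMDATA_DLL.search(f"{command} {arguments}")
        if match:
            return {"folder": match.group(1), "dll": match.group(2),
                    "command_line": f"{command} {arguments}".strip()}
    return None


def hunt(tasks: Dict[str, Union[str, bytes]]) -> List[Dict[str, str]]:
    """Apply analyse_task to a {task name: xml} mapping and collect findings."""
    findings = []
    for name, xml_text in tasks.items():
        finding = analyse_task(xml_text)
        if finding:
            findings.append({"task": name, **finding})
    return findings


def load_task_dir(tasks_dir: str) -> Dict[str, bytes]:
    """Read every task definition under tasks_dir. The files are UTF-16 with
    a BOM, so they are passed to ElementTree as bytes and it honours the
    encoding declaration itself."""
    base = Path(tasks_dir)
    return {str(p.relative_to(base)): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


# Constructed sample: the pattern from the article (rundll32 export name assumed)
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>"C:\ProgramData\Gh2kQp9xLm\Rw7bTz3c.dll",EntryPoint</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: a logon trigger alone is ordinary (vendor updaters do it),
# so this one must not be flagged
LOGON_UPDATER = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""


if __name__ == "__main__":
    samples = {r"\Gh2kQp9xLm": SUSPECT_TASK, r"\ExampleVendor\Updater": LOGON_UPDATER}
    for f in hunt(samples):
        print(f"{f['task']}: logon task loads {f['dll']} from ProgramData\\{f['folder']}")
    # On a live host: hunt(load_task_dir(r"C:\Windows\System32\Tasks"))
```

The check deliberately requires both conditions: a logon trigger on its own is normal for vendor updaters, and a DLL under ProgramData on its own may belong to a legitimate installer, but the combination is rare enough to be worth a look on every host where it appears. Random-looking folder names are a further tell but are not tested here, since a benign package can also use an opaque name.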
The malware also monitors browsing activity. Chrome, Firefox and Internet Explorer are of particular interest to Redaman, which additionally searches the local host for banking- or finance-related information.
The aim of Redaman is to steal bank credentials and other data which, once sent to the malware operators, can be used to compromise accounts and potentially steal funds from the victim or commit identity theft. The Trojan can also download additional files to an infected host, log keystrokes, capture screenshots, record video of the Windows desktop session, alter DNS settings, steal clipboard data, terminate running processes and add certificates to the Windows certificate store.
The Redaman emails carry file attachments that are Windows executables disguised as PDF documents, or that are packaged as .zip, 7-Zip, .rar or .gz (gzip) archives. Russian recipients are currently the main focus, but individuals in the United States, the Netherlands, Sweden, Japan, Kazakhstan, Finland, Germany, Austria and Spain have also been targeted.
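Because the lure relies on an executable posing as a document, a mail gateway or triage script should judge attachments by content rather than by name. The following is an added example written for this article, not code from Unit 42 or from the malware: it unpacks .zip and .gz attachments with the standard library, reads only the head of each member, and flags anything that starts with the MZ header every Windows PE file carries, whatever its extension says, alongside double extensions such as .pdf.exe. 7-Zip and RAR archives would need third-party libraries (py7zr, rarfile) and are not handled. The blocked-extension list and every attachment name and byte sequence below are constructed for illustration.

```python
"""Attachment triage for the lure described above: Windows executables
disguised as PDFs, delivered bare or inside .zip / .gz archives.

Added example, not Unit 42's or Redaman's code. Decisions are made on
content (the MZ header of a PE file), so a renamed executable is still
caught. The extension list and all sample attachments are constructed.
"""
import gzip
import io
import os
import re
import zipfile
from typing import Dict, List, Tuple

PE_MAGIC = b"MZ"
HEAD_BYTES = 2048            # only the head of each member is read: cheap and bomb-safe
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}   # assumed block list
# "something.pdf.exe": a document extension immediately followed by another one
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|rtf|txt)\.[a-z0-9]{1,4}$", re.IGNORECASE)


def expand(filename: str, blob: bytes) -> List[Tuple[str, bytes]]:
    """Turn one attachment into (member name, first HEAD_BYTES of content) pairs,
    unpacking .zip and .gz containers; anything else is returned as-is."""
    lower = filename.lower()
    if lower.endswith(".zip"):
        members = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    members.append((info.filename, fh.read(HEAD_BYTES)))
        return members
    if lower.endswith(".gz"):
        # gzip wraps a single file; by convention its name is the archive name minus .gz
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
            return [(filename[:-3], gz.read(HEAD_BYTES))]
    return [(filename, blob[:HEAD_BYTES])]


def reasons_for(name: str, head: bytes) -> List[str]:
    """Why this member deserves blocking or a closer look; empty means clean."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    is_pe = head.startswith(PE_MAGIC)
    if is_pe:
        reasons.append("content starts with MZ (Windows PE executable)")
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
    elif is_pe:
        reasons.append(f"PE content behind non-executable extension {ext or '(none)'}")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension disguising an executable as a document")
    return reasons


def triage(filename: str, blob: bytes) -> Dict[str, List[str]]:
    """Map each flagged member of an attachment to the reasons it was flagged."""
    findings = {}
    for member, head in expand(filename, blob):
        reasons = reasons_for(member, head)
        if reasons:
            findings[member] = reasons
    return findings


def sample_zip() -> bytes:
    """Constructed lure: a PE named like a PDF next to a genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Document package for payment on 1 October.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


def sample_gz() -> bytes:
    """Constructed lure: a PE renamed to .pdf and gzipped, so the name looks harmless."""
    return gzip.compress(b"MZ" + b"\x00" * 64)


if __name__ == "__main__":
    for attachment, blob in (("Payment Verification.zip", sample_zip()),
                             ("Debt due on Wednesday.pdf.gz", sample_gz())):
        for member, reasons in triage(attachment, blob).items():
            print(f"{attachment} -> {member}: " + "; ".join(reasons))
```

The gzip case is the one worth noticing: its inner file is called something.pdf, so an extension filter passes it, but the MZ check still catches it. Capping each read at HEAD_BYTES means a decompression bomb costs no more than a benign file.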
Palo Alto Networks expects to see new Redaman samples appearing in the wild over the coming year.