
Rewterz Threat Advisory – Russian language Malspam Campaign spreading Redaman Banking Malware

January 25, 2019

SEVERITY: High

CATEGORY: Cyber crime

ANALYSIS SUMMARY

Since September 2018, Redaman banking malware has been distributed through malspam. In this campaign, Russian-language malspam is sent to Russian email recipients, often with addresses ending in .ru. The emails carry file attachments: archived Windows executable files disguised as PDF documents.

When the Windows executable is first run, Redaman checks for a series of files and directories that could indicate the malware is running in a sandbox or a virtualized environment. If any of those files are found, it throws an exception and exits.

If it proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory, creates a folder under C:\ProgramData\, and moves the DLL there.


The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.

 

After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself.

 

Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.
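The install chain described above (DLL dropped in AppData\Local\Temp, moved to a new folder under C:\ProgramData, then a logon-triggered scheduled task) is a detectable sequence on its own. The following is an added example, not code from the advisory: it correlates constructed, Sysmon-style file-create and process-create events per host and flags hosts showing two or more stages. The event field names, the use of schtasks and rundll32 as the task creator and loader, and the sample paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not a real capture): host WS01 shows the full
# chain, host WS02 only a benign vendor DLL under ProgramData. Fields are an
# assumed simplification of Sysmon Event 11 (FileCreate) and Event 1
# (ProcessCreate); the move into ProgramData is modelled as a FileCreate.
EVENTS = [
    {"host": "WS01", "type": "FileCreate",
     "path": r"C:\Users\a\AppData\Local\Temp\vwp.dll"},
    {"host": "WS01", "type": "FileCreate",
     "path": r"C:\ProgramData\ab12\vwp.dll"},
    {"host": "WS01", "type": "ProcessCreate",
     "cmd": r'schtasks /create /tn Updater /sc ONLOGON '
            r'/tr "rundll32.exe C:\ProgramData\ab12\vwp.dll,Entry"'},
    {"host": "WS02", "type": "FileCreate",
     "path": r"C:\ProgramData\Vendor\helper.dll"},
    {"host": "WS02", "type": "ProcessCreate",
     "cmd": r"schtasks /create /tn Backup /sc DAILY /tr backup.exe"},
]

# A DLL written to the user's AppData\Local\Temp directory.
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.I)
# A DLL in a first-level folder under C:\ProgramData.
PROGDATA_DLL = re.compile(r"^C:\\ProgramData\\[^\\]+\\[^\\]+\.dll$", re.I)
# A logon-triggered scheduled task whose action references a ProgramData DLL
# (rundll32 as the loader is an assumption; the advisory does not name it).
LOGON_TASK = re.compile(
    r'schtasks.*?/sc\s+ONLOGON.*?(C:\\ProgramData\\[^\s",]+\.dll)', re.I)

def score_hosts(events):
    """Map host -> sorted stage names, for hosts showing at least two stages."""
    stages = defaultdict(set)
    for e in events:
        h = e["host"]
        if e["type"] == "FileCreate":
            if TEMP_DLL.search(e["path"]):
                stages[h].add("dll_dropped_in_temp")
            elif PROGDATA_DLL.match(e["path"]):
                stages[h].add("dll_moved_to_programdata")
        elif e["type"] == "ProcessCreate" and LOGON_TASK.search(e["cmd"]):
            stages[h].add("logon_task_runs_programdata_dll")
    # One stage alone (e.g. a vendor DLL in ProgramData) is too noisy to alert on.
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}

if __name__ == "__main__":
    print(score_hosts(EVENTS))
```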

IMPACT

  • Download files
  • Log keystrokes
  • Capture screenshots
  • Exfiltrate financial data
  • Monitor smart cards
  • Shut down the infected host
  • Modify DNS configuration
  • Steal clipboard data
  • Terminate running processes
  • Add certificates to the Windows store

INDICATORS OF COMPROMISE

IP(s) / Hostname(s)
  • 104.28.16[.]33
  • 185.141.61[.]246
  • 193.37.213[.]28

Ports
  • 443
  • 80

Extension
  • .ZIP
  • .RAR
  • .7Z
  • .GZ

Email Subject
  • Act of reconciliation September-October
  • All package of last month’s documents
  • All docs for August-September
  • Debt due Wednesday
  • Documents Verification for October 2018
  • Application for return for November
  • Check the environment
  • Sending on last week
  • The package of documents for payment 1st October
  • Payment Verification

Malware Hash (MD5/SHA1/SHA256)
  • f6fb51809caec2be6164863b5773a7ee3ea13a449701a1f678f0655b6e8720df
  • cd961e81366c8d9756799ec8df14edaac5e3ae4432c3dbf8e3dd390e90c3e22f
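On the mail side, the delivery traits in the analysis summary and the subject and extension indicators above can be turned into a gateway triage check. This is an added example, not code from the advisory: it inspects a constructed message record for a .ru recipient, a known subject line, an archive attachment, and, for ZIP archives, a member that is a Windows executable named as a PDF. The record field names, the subset of subjects, and the sample attachment are assumptions.

```python
import io
import zipfile

ADVISORY_SUBJECTS = {"payment verification", "debt due wednesday"}  # subset, lower-cased
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz")  # from the IoC list above
EXE_EXTS = (".exe", ".scr", ".com")            # assumption: common PE extensions

def suspicious_members(zip_bytes):
    """Names inside a ZIP that look like an executable posing as a PDF
    (only ZIP is parsed here; RAR/7Z/GZ would need other libraries)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            posing_as_pdf = ".pdf" in name and not name.endswith(".pdf")
            is_pe = zf.read(info)[:2] == b"MZ"  # DOS/PE header magic
            if posing_as_pdf and (name.endswith(EXE_EXTS) or is_pe):
                hits.append(info.filename)
    return hits

def triage(msg):
    """Return the campaign traits a message record matches (empty if none)."""
    reasons = []
    if msg["to"].lower().endswith(".ru"):
        reasons.append("recipient_ru")
    if msg["subject"].strip().lower() in ADVISORY_SUBJECTS:
        reasons.append("known_subject")
    att = msg["attachment_name"].lower()
    if att.endswith(ARCHIVE_EXTS):
        reasons.append("archive_attachment")
        if att.endswith(".zip"):
            reasons += ["exe_disguised_as_pdf:" + m
                        for m in suspicious_members(msg["attachment_bytes"])]
    return reasons

def build_zip(member, payload):
    """Build an in-memory ZIP holding one member (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

# Constructed sample message record (not a real capture).
SAMPLE = {
    "to": "accounts@example.ru",
    "subject": "Payment Verification",
    "attachment_name": "docs.zip",
    "attachment_bytes": build_zip("Invoice_October.pdf.exe", b"MZ" + b"\0" * 62),
}
```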

Remediation

Since the malware is being distributed through a malspam campaign, avoid opening unexpected emails. Even if the source looks legitimate, do not click attached links or open file attachments without verifying the email's authenticity with the purported sender.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.