CATEGORY: Cyber crime
Since September 2018, Redaman banking malware has been distributed through malspam. In this campaign the Russian-language malspam is addressed to Russian recipients, often at email addresses ending in .ru. Each email carries a file attachment: an archive containing a Windows executable disguised as a PDF document.
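The lure relies on an archived executable that looks like a PDF (Explorer hides known extensions by default, so a member named document.pdf.exe is displayed as document.pdf). The following is an added mail-gateway style triage check, not code from the page or from any Redaman analysis; it assumes a ZIP archive (the page does not say which archive format was used), and the member names and bytes in the sample are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows executes on double-click, and document extensions commonly
# used as the decoy half of a double extension such as invoice.pdf.exe.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like a disguised executable.

    `name` is the member path inside the archive, `head` its first two bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""

    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension " + ext)
        if inner in DECOY_EXTENSIONS:
            # Explorer hides known extensions, so "x.pdf.exe" is shown as "x.pdf".
            reasons.append("double extension: decoy " + inner + " before " + ext)
    if head[:2] == b"MZ":
        # Check content, not just the name: a PE renamed to .pdf still starts with MZ.
        reasons.append("PE header (MZ) at file start")
        if ext in DECOY_EXTENSIONS:
            reasons.append("content is PE but extension says " + ext)
    return reasons


def triage_archive(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member of a ZIP attachment to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the MZ check
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP with a fake PE disguised as a PDF plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # "MZ" magic followed by padding; this is not a runnable program.
        zf.writestr("document.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

The content check matters more than the name check: an attacker who renames the payload to plain .pdf and relies on a second-stage loader still ships a file whose first bytes are MZ, while a benign PDF starts with %PDF.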
When the Windows executable is first run, Redaman checks for a series of files and directories whose presence could indicate that it is running in a sandbox or a virtualized environment. If any of them is found, it throws an exception and exits.
If it proceeds, the executable drops a DLL file in the user's AppData\Local\Temp\ directory, creates a folder under C:\ProgramData\, and moves the DLL there.
The malware achieves persistence with a scheduled Windows task that executes the DLL at user logon.
After creating the scheduled task and causing the DLL to load, the initial Redaman executable deletes itself.
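Because the dropper deletes itself, the scheduled task and the DLL under C:\ProgramData\ are what remains on a host. The following hunting check is an added example, not code from the page or from any Redaman report: it parses a task definition in the Task Scheduler XML format and flags a logon-triggered task whose action references a DLL under C:\ProgramData\ or AppData\Local\Temp\. The sample task XML, the folder and DLL names in it, and the assumption that a loader such as rundll32.exe or regsvr32.exe is used (the page says only that the task executes the DLL) are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories named in the infection chain. A logon trigger combined with a DLL
# in one of these writable locations is the combination to hunt for.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\")

# Assumption: the DLL is loaded through a living-off-the-land loader. The page
# does not name one, so this only adds a reason and is not required for a hit.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# A drive-letter path ending in .dll (paths with spaces would need quoting).
DLL_PATH_RE = re.compile(r'[a-z]:\\[^\s",]+?\.dll')


def analyse_task(task_xml: str) -> Dict[str, object]:
    """Flag a scheduled task whose logon trigger runs a DLL from a staging directory."""
    root = ET.fromstring(task_xml)
    has_logon_trigger = root.find("t:Triggers/t:LogonTrigger", NS) is not None

    dll_paths: List[str] = []
    loaders: List[str] = []
    for exec_action in root.findall("t:Actions/t:Exec", NS):
        command = (exec_action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (exec_action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        line = (command + " " + arguments).lower()
        dll_paths.extend(DLL_PATH_RE.findall(line))
        if command.lower().rsplit("\\", 1)[-1] in DLL_LOADERS:
            loaders.append(command)

    staged = [p for p in dll_paths if any(d in p for d in SUSPICIOUS_DIRS)]
    reasons = []
    if has_logon_trigger:
        reasons.append("runs at user logon")
    if loaders:
        reasons.append("uses DLL loader " + ", ".join(loaders))
    for p in staged:
        reasons.append("loads DLL from staging directory: " + p)

    return {
        "logon_trigger": has_logon_trigger,
        "dll_paths": dll_paths,
        "suspicious": has_logon_trigger and bool(staged),
        "reasons": reasons,
    }


# Constructed sample modelled on the persistence described above. The folder and
# DLL names are placeholders, not indicators from the page.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\\ProgramData\\ExampleFolder\\example.dll,EntryPoint</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a calendar trigger running a vendor updater.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2019-01-01T09:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("sample", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = analyse_task(xml_text)
        print(label, "suspicious=%s" % result["suspicious"], "; ".join(result["reasons"]))
```

To run this against a real host, feed it the output of `schtasks /Query /TN <name> /XML` or the task files under C:\Windows\System32\Tasks; those files are stored as UTF-16, so decode them before calling analyse_task. A hit here is a lead, not a verdict: confirm it by hashing the referenced DLL and checking whether the task's author and creation time line up with the suspected infection window.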
Redaman uses an application-defined hook procedure to monitor browser activity in Chrome, Firefox, and Internet Explorer, and then searches the local host for information related to the financial sector. Its reported capabilities also include the ability to:
Exfiltrate financial data
Monitor smart cards
Shut down the infected host
Modify DNS configuration
Steal clipboard data
Terminate running processes
Add certificates to the Windows certificate store
INDICATORS OF COMPROMISE
Since the malware is distributed through a malspam campaign, it is recommended not to open unexpected emails. Even if the sender looks legitimate, do not click on embedded links or open file attachments without first confirming with the purported sender, through a separate channel, that the email is genuine.