Rewterz Threat Advisory – Russian language Malspam Campaign spreading Redaman Banking Malware

SEVERITY: High

CATEGORY: Cyber crime

ANALYSIS SUMMARY

Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru. These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.

When Windows executable first run, the Redamhe checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.

When proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.

The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.

After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself.

Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.

IMPACT

Download files
Log keystrokes
Capture screenshots
Ex-filtrate financial data
Monitor smart cards
Shut down the infected host
Modify DNS configuration
Steal clipboard data
Terminate running processes
Add certificates to the Windows store.

INDICATORS OF COMPROMISE

• IP(s) / Hostname(s)
• 104.28.16[.]33
• 185.141.61[.]246
• 193.37.213[.]28

• Ports
• 443
• 80

• Extension
• .ZIP
• .RAR
• .7Z
• OR
• .GZ

• Email Subject
• Act of reconciliation September-October
• All package of last month’s documents
• All docs for August-September
• Debt due Wednesday
• Documents Verification for October 2018
• Application for return for November
• Check the environment
• Sending on last week
• The package of documents for payment 1st October
• Payment Verification

• Malware Hash (MD5/SHA1/SH256)
• f6fb51809caec2be6164863b5773a7ee3ea13a449701a1f678f0655b6e8720df
• cd961e81366c8d9756799ec8df14edaac5e3ae4432c3dbf8e3dd390e90c3e22f

Remediation
Since the malware is being distributed through a MalSpam campaign, it is recommended to avoid opening any unexpected emails. Even if the source looks legitimate, do not click on attached links or file attachments without verifying authenticity of the email from the legitimate person.