Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – New Rumba STOP Ransomware Being Installed by Software Cracks
January 23, 2019Rewterz Threat Advisory – CVE-2019-3462 – Critical flaw in Linux APT Package Manager could Allow Remote Hack
January 25, 2019
SEVERITY: High
CATEGORY: Cyber crime
ANALYSIS SUMMARY
Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru. These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.
When Windows executable first run, the Redamhe checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.
When proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.
The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.
After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself.
Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.
IMPACT
Download files
Log keystrokes
Capture screenshots
Ex-filtrate financial data
Monitor smart cards
Shut down the infected host
Modify DNS configuration
Steal clipboard data
Terminate running processes
Add certificates to the Windows store.
INDICATORS OF COMPROMISE
- IP(s) / Hostname(s)
- 104.28.16[.]33
- 185.141.61[.]246
- 193.37.213[.]28
- Ports
- 443
- 80
- Extension
- .ZIP
- .RAR
- .7Z
- OR
- .GZ
- Email Subject
- Act of reconciliation September-October
- All package of last month’s documents
- All docs for August-September
- Debt due Wednesday
- Documents Verification for October 2018
- Application for return for November
- Check the environment
- Sending on last week
- The package of documents for payment 1st October
- Payment Verification
- Malware Hash (MD5/SHA1/SH256)
- f6fb51809caec2be6164863b5773a7ee3ea13a449701a1f678f0655b6e8720df
- cd961e81366c8d9756799ec8df14edaac5e3ae4432c3dbf8e3dd390e90c3e22f
Remediation
Since the malware is being distributed through a MalSpam campaign, it is recommended to avoid opening any unexpected emails. Even if the source looks legitimate, do not click on attached links or file attachments without verifying authenticity of the email from the legitimate person.