Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
SEVERITY: High
CATEGORY: Cyber crime
ANALYSIS SUMMARY
Since September 2018, the Redaman banking malware has been distributed through malspam. In this campaign, the Russian-language malspam is addressed to Russian email recipients, often with email addresses ending in .ru. These emails carry file attachments: archived Windows executable files disguised as PDF documents.
When the Windows executable is first run, Redaman checks for a series of files and directories whose presence could indicate that the malware is running in a sandbox or a virtualized environment. If any of those files are found, it throws an exception and exits.
If it proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory, creates a folder under C:\ProgramData\, and moves the DLL there.
The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.
After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself.
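The persistence chain above (a DLL staged under AppData\Local\Temp\, moved to C:\ProgramData\, and loaded by a scheduled task at user logon) can be hunted for on a host with the script below. It is an added example written for this advisory, not code from Rewterz or from the malware analysis; the directory patterns, the assumption that the DLL is loaded via rundll32 or regsvr32, and the function name are assumptions.

```powershell
# Added example: list scheduled tasks that fire at logon and whose action loads a DLL
# from C:\ProgramData or AppData\Local\Temp (the persistence pattern described above).
# Assumption: the loader is rundll32/regsvr32 or the arguments name a .dll directly.
function Find-LogonDllTask {
    # Regexes match both expanded (C:\ProgramData\...) and %ProgramData%-style paths.
    $suspectPathPatterns = @('ProgramData', 'AppData\\Local\\Temp')

    foreach ($task in Get-ScheduledTask) {
        # Keep only tasks that have at least one logon trigger.
        $logonTriggers = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger'
        })
        if ($logonTriggers.Count -eq 0) { continue }

        foreach ($action in $task.Actions) {
            $exe    = [string]$action.Execute
            $argStr = [string]$action.Arguments
            $cmdLine = "$exe $argStr"

            $loadsDll = ($exe -match 'rundll32|regsvr32') -or ($argStr -match '\.dll')
            $inSuspectDir = $false
            foreach ($pattern in $suspectPathPatterns) {
                if ($cmdLine -match $pattern) { $inSuspectDir = $true }
            }

            if ($loadsDll -and $inSuspectDir) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $argStr
                    Author    = $task.Author
                }
            }
        }
    }
}

# Run from an elevated prompt so that tasks registered by other users are visible.
Find-LogonDllTask | Format-Table -AutoSize
```

Any hit should be checked against the DLL on disk (hash, signature, creation time) rather than removed blindly, since legitimate software occasionally registers logon tasks under ProgramData.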
Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.
IMPACT
Download files
Log keystrokes
Capture screenshots
Ex-filtrate financial data
Monitor smart cards
Shut down the infected host
Modify DNS configuration
Steal clipboard data
Terminate running processes
Add certificates to the Windows store
INDICATORS OF COMPROMISE
REMEDIATION
Since the malware is being distributed through a malspam campaign, it is recommended to avoid opening any unexpected emails. Even if the source looks legitimate, do not click on attached links or open file attachments without first verifying the authenticity of the email with the purported sender through a separate channel.