An ongoing email phishing campaign designed to spread Redaman banking malware aggressively targeted Russian-speakers, especially those with .ru addresses, over the last four months of 2018.
Researchers at Palo Alto Networks’ Unit 42 division reported this week in a company blog post that from September through December, its threat intelligence service detected 3,845 email sessions with Redaman attachments. The vast majority of mail servers associated with both sending and receiving the malspam were based in Russia, with a small number scattered globally.
The phishing emails were spiked with malicious attachments featuring archived Windows executable files disguised as PDF documents. The archive format varied over time, shifting from .zip to .7z to .rar to .gz.
The subject lines and message content also frequently changed; in fact, researchers found over 100 different examples of malspam communications over the four months. But they all had something in common: they were all intentionally vague, alluding to an unspecified issue (typically financial) that must be resolved. Examples included “Act of reconciliation September-October,” “Debt due Wednesday” and “Payment Verification.”
“Their [the attackers’] only goal is to trick the recipient into opening the attached archive and double clicking the executable contained within,” stated blog authors and Unit 42 researchers Brad Duncan and Mike Harbison.
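As an added illustration of how a mail gateway could triage attachments of the kind described above (example code written for this article, not from Unit 42's post): it opens a zip attachment in memory, the one of the four listed archive formats that Python's standard library reads, and flags any member whose name reads as a PDF but ends in an executable extension, or whose bytes carry a Windows PE header under a non-executable name. The sample archive and its member names are constructed, and the double-extension heuristic is an assumption about how the PDF disguise is done.

```python
import io
import re
import zipfile
from typing import Dict, List

# Archive extensions the article reports on the campaign's attachments.
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".gz")
# Every Windows PE file begins with the "MZ" DOS header magic.
PE_MAGIC = b"MZ"
# Assumed lure pattern: a PDF-looking name with an executable extension appended,
# e.g. "act_of_reconciliation.pdf.exe" (constructed, not from the article).
DOUBLE_EXT = re.compile(r"\.pdf\.(exe|scr|com)$", re.IGNORECASE)


def is_archive_attachment(filename: str) -> bool:
    """True if the attachment name uses one of the archive formats seen in the campaign."""
    return filename.lower().endswith(ARCHIVE_EXTS)


def inspect_member(name: str, head: bytes) -> List[str]:
    """Return indicator strings for one archive member; an empty list means nothing flagged."""
    findings = []
    lower = name.lower()
    if DOUBLE_EXT.search(lower):
        findings.append("double-extension PDF lure")
    if head.startswith(PE_MAGIC) and not lower.endswith((".exe", ".dll")):
        findings.append("PE header under non-executable name")
    if head.startswith(PE_MAGIC) and lower.endswith(".exe"):
        findings.append("executable inside archive")
    return findings


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Open an in-memory zip and map each suspicious member to its indicators."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            hits = inspect_member(info.filename, head)
            if hits:
                results[info.filename] = hits
    return results


def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE named like a PDF, a real-looking PDF, and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Akt_sverki_sentyabr.pdf.exe", PE_MAGIC + b"\x90" * 62)  # constructed, inert
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed\n")
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()
```

Running `triage_zip(build_sample_zip())` flags only the `.pdf.exe` member; the benign PDF and text file pass.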
Redaman first made its mark in 2015, and has evolved in the ensuing years. According to Duncan and Harbison, the Redaman version found in this campaign “uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer,” and then “searches the local host for information related to the financial sector.”
Other malicious capabilities reportedly include downloading files to the infected host, keylogging, capturing screenshots and recording video of the Windows desktop, exfiltrating financial data targeting Russian banks, smart card monitoring, shutting down the host, altering DNS configurations through the Windows hosts file, retrieving clipboard data, terminating processes and adding certificates to the Windows store.
As an anti-analysis technique, Redaman also checks the local host for certain files or directories, the presence of which prompts the malware not to fully execute.