
Russians targeted in Redaman banking malware operation

An ongoing email phishing campaign designed to spread Redaman banking malware aggressively targeted Russian-speakers, especially those with .ru addresses, over the last four months of 2018.

Researchers at Palo Alto Networks' Unit 42 division reported this week in a company blog post that from September through December, its threat intelligence service detected 3,845 email sessions with Redaman attachments. The vast majority of mail servers associated with both sending and receiving the malspam were based in Russia, with a small number scattered globally.

The phishing emails carried malicious attachments: archived Windows executable files disguised as PDF documents. The archive format varied over time, shifting from .zip to .7z, then to .rar and .gz.

The subject lines and message content also frequently changed; in fact, researchers found over 100 different examples of malspam communications over the four months. But they all had something in common: they were all intentionally vague, alluding to an unspecified issue (typically financial) that must be resolved. Examples included "Act of reconciliation September-October," "Debt due Wednesday" and "Payment Verification."

"Their [the attackers'] only goal is to trick the recipient into opening the attached archive and double clicking the executable contained within," stated blog authors and Unit 42 researchers Brad Duncan and Mike Harbison.

Redaman first made its mark in 2015, and has evolved in the ensuing years. According to Duncan and Harbison, the Redaman version found in this campaign "uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer," and then "searches the local host for information related to the financial sector."

Other malicious capabilities reportedly include downloading files to the infected host, keylogging, capturing screenshots and recording video of the Windows desktop, exfiltrating financial data targeting Russian banks, smart card monitoring, shutting down the host, altering DNS resolution through the Windows hosts file, retrieving clipboard data, terminating processes and adding certificates to the Windows certificate store.

As an anti-analysis technique, Redaman also checks the local host for certain files or directories, the presence of which prompts the malware not to fully execute.

Bradley Barth
