An ongoing malicious spam campaign is currently targeting Russian-speaking users with samples of the Redaman banking malware.
Since at least September 2018, the malspam campaign has been sending out malicious spam emails written in Russian to users who mostly have email addresses ending in “.ru.” The emails use various subject lines, message content and attachment names to inform a recipient that there’s a financial issue which they must resolve. Not surprisingly, those emails are all vague about what the exact issue is. Their purpose is to trick the recipient into thinking they can solve the problem by downloading the attached file.
When opened, the attached archive reveals an executable that, when double-clicked by the recipient, downloads Redaman.
First detected as “RTM,” Redaman is a form of banking malware that’s been active since at least 2015. This trojan uses an application-defined hook procedure to monitor activity in Chrome, Firefox and Internet Explorer. It’s also capable of monitoring keystrokes, downloading additional files onto the infected host and collecting/exfiltrating financial data associated with Russian banks.
Palo Alto Networks’ AutoFocus threat intelligence platform found a total of 3,845 emails containing attachments tagged as Redaman between September 2018 and December 2018. Russia was first on the mail server lists for the top 10 senders and top 10 recipients at 3,456 and 2,894, respectively. Belarus followed far behind Russia on the sender list at 98. By comparison, The Netherlands and the United States came in at second and third on the recipient list at 195 and 55, respectively.
Unit 42’s Brad Duncan and Mike Harbison don’t think Redaman is going anywhere anytime soon. As they explained in a blog post:
Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions. We found over 100 examples of malspam during the last four months of 2018…. We expect to discover new Redaman samples as 2019 progresses.
Users can protect themselves against malware like Redaman by familiarizing themselves with the most common types of phishing attacks. Concurrently, organizations can defend against a Redaman infection by using a security solution like Tripwire Malware that leverages real-time analysis to detect zero-day attacks and other malware threats. Learn more here.