A recent spam campaign distributed the Redaman banking malware to customers of Russian financial institutions. Activity of this kind was first detected in 2015 and has since affected users in Russia, the Netherlands, the US, Japan and Sweden. Reports further show that the distributors used servers based in Russia, Ukraine, Germany and Estonia. Palo Alto Networks noted over 100 cases in 2018 alone. The spam targeted email addresses ending in .ru.
How it works
The distributor uses the traditional method: a spam email with an attached archive, in ZIP, RAR, GZ or 7Z format. Inside the archive is an executable (EXE) that is presented to the user as a PDF document; once the user extracts and opens it, Windows runs the file and Redaman is deployed and free to carry out its purpose. The email body refers to payments owed, documents on money owed or payment verification, and is deliberately vague so that the recipient, expecting the attachment to explain more, opens it and in doing so launches the malware. Such lures work especially well on recipients who are in financial difficulty or debt.
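As an added example (not code from the original article or from any cited report), the following Python shows the check a mail gateway could run over this type of lure: it parses a constructed message, picks out archive attachments in the formats listed above, and looks inside ZIPs for executables, including one disguised with a double extension such as .pdf.exe. Only ZIP is opened because that is what the standard library supports; RAR, 7Z and GZ attachments are sent to quarantine instead of being allowed through unseen. The sender, recipient, subject and filenames are made up.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ARCHIVE_EXTS = {".zip", ".rar", ".gz", ".7z"}          # formats the article lists
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".vbs", ".lnk"}


def build_sample_email() -> bytes:
    """Constructed lookalike of the lure: .ru recipient, payment-themed subject,
    and a ZIP attachment whose only member is an EXE disguised as a PDF."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # An "MZ" header plus filler stands in for a real PE file (constructed).
        zf.writestr("payment_order.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "accounts@example.ru"        # hypothetical addresses
    msg["To"] = "victim@example.ru"
    msg["Subject"] = "Verification of payment owed"
    msg.set_content("Please find the documents on the outstanding amount attached.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="documents.zip")
    return msg.as_bytes()


def _ext(name: str) -> str:
    """Last extension, lower-cased: 'Invoice.PDF.exe' -> '.exe'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _executable_members(data: bytes) -> list[str]:
    """Members of a ZIP that look executable by extension or by PE magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)
            if _ext(info.filename) in EXEC_EXTS or magic == b"MZ":
                hits.append(info.filename)
    return hits


def inspect_email(raw: bytes) -> list[dict]:
    """One finding per archive attachment: its format, whether we could open it,
    and which members look executable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = _ext(filename)
        if ext not in ARCHIVE_EXTS:
            continue
        data = part.get_payload(decode=True) or b""
        finding = {"attachment": filename, "format": ext,
                   "opened": False, "executables": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            finding["opened"] = True
            finding["executables"] = _executable_members(data)
        findings.append(finding)
    return findings


def verdict(raw: bytes) -> str:
    """block: executable inside an archive; quarantine: an archive we cannot
    look into (RAR/7Z/GZ here); allow: nothing of concern."""
    findings = inspect_email(raw)
    if any(f["executables"] for f in findings):
        return "block"
    if any(not f["opened"] for f in findings):
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    sample = build_sample_email()
    for finding in inspect_email(sample):
        print(finding)
    print("verdict:", verdict(sample))
```

The PE magic check matters because renaming the member to something harmless-looking defeats an extension-only rule; a real gateway would also apply the same inspection recursively to nested archives.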
Behind the scenes, once executed the malware checks for signs that it is running in a sandbox or emulator and exits if it finds any. Otherwise it drops a DLL into the user's temporary directory, AppData\Local\Temp\.
It then creates a folder for itself and moves the DLL there, and registers a Windows scheduled task that loads the DLL each time the user logs on. The aim is to stay undetected while monitoring the user's activity and collecting financial data for fraudulent use. To steal credentials it exfiltrates data directly from the PC or captures screenshots; through keylogging it also captures passwords as they are typed.
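The persistence chain just described (a DLL dropped in the user's Temp directory, then a scheduled task that loads it at logon) is what a hunter would look for on the endpoint. The Python below is an added example, not from the article or from any vendor report: it runs over a few constructed Windows event records (Sysmon Event ID 11 file creation and Security Event ID 4698 scheduled-task creation) and raises an alert when, for the same host and user, a DLL lands in a user-writable directory and a logon-triggered task then loads a DLL from such a directory through rundll32. The choice of rundll32 as the loader, the list of user-writable directories beyond AppData\Local\Temp, and every hostname, username, task name and path are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Directories an unprivileged user can write to. The article names AppData\Local\Temp
# for the initial drop; the others are this example's assumption about where the
# malware's own folder may end up.
USER_WRITABLE = re.compile(r"\\(AppData\\Local|AppData\\Roaming|ProgramData|Temp)\\", re.I)
# A Windows path ending in .dll inside a rundll32 argument string.
DLL_ARG = re.compile(r'([A-Za-z]:\\[^\s,"]+\.dll)', re.I)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed TaskContent documents of the kind carried in Security Event 4698.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\ivan\AppData\Local\Temp\a1b2c3\a1b2c3.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Microsoft Office\root\Office16\msoia.exe</Command>
      <Arguments>scan upload</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed telemetry. Field names follow the Sysmon 11 and Security 4698
# schemas; hosts, users, task names and paths are made up.
EVENTS = [
    {"event_id": 11, "host": "WS01", "user": r"CORP\ivan",
     "Image": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa0.123\document.exe",
     "TargetFilename": r"C:\Users\ivan\AppData\Local\Temp\a1b2c3.dll"},
    {"event_id": 4698, "host": "WS01", "user": r"CORP\ivan",
     "TaskName": r"\WindowsUpdateCheck", "TaskContent": MALICIOUS_TASK},
    {"event_id": 4698, "host": "WS02", "user": r"CORP\olga",
     "TaskName": r"\Microsoft\Office\OfficeTelemetryAgentLogOn", "TaskContent": BENIGN_TASK},
]


def analyze_task(task_xml: str) -> dict:
    """Extract trigger and action facts from a 4698 TaskContent document."""
    root = ET.fromstring(task_xml)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    loader = dll = None
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        m = DLL_ARG.search(args)
        if m and "rundll32" in cmd.lower():   # assumed loader, see lead-in
            loader, dll = cmd, m.group(1)
    return {"logon_trigger": logon, "loader": loader, "dll": dll,
            "dll_user_writable": bool(dll and USER_WRITABLE.search(dll))}


def dropped_dll(event: dict) -> bool:
    """Sysmon 11: a .dll created under a user-writable directory."""
    target = event.get("TargetFilename", "")
    return (event["event_id"] == 11 and target.lower().endswith(".dll")
            and bool(USER_WRITABLE.search(target)))


def hunt(events: list[dict]) -> list[dict]:
    """Correlate per (host, user). Either stage alone is noisy: installers drop
    DLLs in Temp all day, and plenty of legitimate logon tasks exist. A logon task
    loading a DLL from a user-writable path is always worth a look; with a prior
    DLL drop by the same user on the same host it becomes high severity."""
    drops: dict[tuple[str, str], list[str]] = {}
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"])
        if dropped_dll(ev):
            drops.setdefault(key, []).append(ev["TargetFilename"])
        elif ev["event_id"] == 4698:
            facts = analyze_task(ev["TaskContent"])
            if facts["logon_trigger"] and facts["dll_user_writable"]:
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "task": ev["TaskName"], "dll": facts["dll"],
                               "prior_drops": drops.get(key, []),
                               "severity": "high" if key in drops else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

In production the event stream would come from a SIEM query rather than a list, and the DLL path from the task action should be compared against the earlier drop (same file name moved to a new folder is exactly the pattern the article describes), which the per-user correlation above leaves to the analyst.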
The characteristics of the Redaman spam campaigns are traditional with a twist. Although the emails are sent widely, they target a specific group of individuals within Russia and vary the message content. The campaign targets Russia from within Russia with the objective of stealing financial data, characteristics typical of cybercriminals and organised crime groups.