• The banking trojan is picking on Russian bank customers by sending emails with .rar archives disguised as PDF.
  • Originating in 2015, Redaman has evolved to add capabilities such as terminating running processes and smart card monitoring.

Redaman, a banking trojan that emerged in 2015, is back with new and improved features. This time it targets customers of Russian banks and institutions.

According to security firm Palo Alto Networks, which tracked Redaman's activity, the trojan was distributed through mass Russian-language malspam from September to December 2018.

Malspam campaign

As mentioned earlier, Redaman is spread through malspam written in Russian. In this campaign the messages are directed at email addresses ending in .ru. The attachments carry the trojan as an archived executable disguised as a PDF file.

Palo Alto Networks' report states that thousands of malspam campaigns were active between September and December. "The content of these emails and data from our AutoFocus threat intelligence platform confirms this campaign is primarily targeting Russian recipients. We found 3,845 email sessions in AutoFocus with attachments tagged as Redaman banking malware from September through December 2018," the post states.

Furthermore, the archive format of the attachments changed often. In September only the zip format was used, but over time many formats appeared, including .7z, .rar and .gz. In December, Redaman was mostly archived in .gz files. On top of this, subject lines, message text and attachment names in the emails were changed often to lure users into clicking.
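The lure pattern described above (an archive attachment holding an executable that poses as a PDF, mailed to .ru recipients) can be triaged at the mail gateway. The following is an added example written for this article, not code from Palo Alto Networks or from the report; it builds a constructed sample zip in memory, opens only zip archives, and reports the other archive types named above (.7z, .rar, .gz) for manual follow-up rather than guessing at their contents.

```python
"""Triage of mail attachments for the Redaman-style lure:
an archive attachment whose member is an executable disguised as a PDF."""
import io
import zipfile

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".gz")   # formats seen in the campaign
EXEC_EXTS = (".exe", ".scr", ".com", ".dll", ".pif")


def looks_like_fake_pdf(member_name: str, head: bytes) -> bool:
    """True if a member claims to be a PDF by name but is a Windows executable.
    Catches a double extension such as 'scan.pdf.exe' and the MZ magic bytes."""
    lower = member_name.lower()
    claims_pdf = ".pdf" in lower
    is_executable = lower.endswith(EXEC_EXTS) or head[:2] == b"MZ"
    return claims_pdf and is_executable


def triage_attachment(filename: str, data: bytes, recipient: str) -> dict:
    """Return a verdict dict for one attachment. Only .zip is opened here;
    other archive types are flagged as 'unopened' for manual follow-up."""
    verdict = {"filename": filename,
               "archive": filename.lower().endswith(ARCHIVE_EXTS),
               "ru_recipient": recipient.lower().endswith(".ru"),
               "suspicious_members": [], "unopened": False}
    if not verdict["archive"]:
        return verdict
    if not filename.lower().endswith(".zip"):
        verdict["unopened"] = True
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    head = member.read(2)          # enough for the MZ check
                if looks_like_fake_pdf(info.filename, head):
                    verdict["suspicious_members"].append(info.filename)
    except zipfile.BadZipFile:
        verdict["unopened"] = True
    return verdict


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: a "PDF" that is really a PE stub (MZ header only).
    lure = build_sample_zip("document.pdf.exe", b"MZ" + b"\x00" * 62)
    print(triage_attachment("document.zip", lure, "user@example.ru"))
```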

Ryan Olson, VP of Threat Intelligence at Unit 42, Palo Alto Networks, told ThreatPost that Redaman was quickly evolving its tactics and is targeting only Russians. With more than 100 different types of Redaman spreading, the activity is expected to continue in 2019.

Cyware Publisher