The Redaman banking trojan ramped up its activity in the last part of 2018, making ongoing changes to its delivery methods in order to evade detection, according to a report published Wednesday.
Redaman as a malware first came on the scene in 2015, and since then has consistently targeted victims that use Russian financial institutions. But from September through December 2018, researchers at Palo Alto Networks’ Unit 42 division saw increasing numbers of mass spam messages delivering the trojan.
The emails targeted Russian email recipients, often with email addresses ending in .ru, and delivered their payloads via a rotating assortment of archived Windows executable files disguised as PDF documents, according to the firm’s analysis.
Most notably, the format for these archives changed on a monthly basis: In September 2018, the attachments were zip archives. In October 2018, the attachments were zip archives, 7-zip archives, and rar archives. In November 2018, the attachments were rar archives. And in December 2018, the attachments changed to gzip archives with file names ending in .gz.
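The rotating archive formats and the executables posing as PDFs described above are a detection problem for mail gateways that trust file extensions. The following is an added illustration of attachment triage written for this article, not code from Unit 42, Palo Alto Networks or Threatpost: it identifies the archive type by signature bytes rather than by extension, unpacks zip and gzip attachments with the standard library, and flags any archived member that carries a `.pdf` name but starts with the `MZ` header of a Windows executable. The sample attachments, their Russian-language lure names and the fake executable bytes are all constructed here for the demonstration; 7-Zip and RAR attachments are recognised by signature only, since the standard library cannot unpack them.

```python
"""Mail-attachment triage by file signature rather than extension.

Added example for this article; the sample attachments below are constructed
and are not samples from the campaign."""
import gzip
import io
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

# Signature bytes of the four archive formats the campaign rotated through.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
# Extension a legitimate sender would use for each detected format.
EXPECTED_EXT = {"zip": "zip", "gzip": "gz", "7z": "7z", "rar": "rar"}
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable begins with


def detect_archive_type(data: bytes) -> Optional[str]:
    """Return the archive format implied by the leading bytes, or None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def gzip_original_name(data: bytes) -> Optional[str]:
    """Read the optional FNAME field from a gzip header (RFC 1952)."""
    flags = data[3]
    pos = 10  # fixed header: id(2) method(1) flags(1) mtime(4) xfl(1) os(1)
    if flags & 0x04:  # FEXTRA: 2-byte length followed by that many bytes
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2 + xlen
    if flags & 0x08:  # FNAME: zero-terminated latin-1 string
        end = data.index(b"\x00", pos)
        return data[pos:end].decode("latin-1")
    return None


def iter_members(kind: str, data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (member name, member bytes) for the formats we can unpack."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif kind == "gzip":  # gzip wraps a single file
        yield gzip_original_name(data) or "<unnamed>", gzip.decompress(data)
    # 7z and rar: signature only, nothing unpacked here


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment and list the reasons it deserves a closer look."""
    findings: List[str] = []
    kind = detect_archive_type(data)
    if kind is None:
        return {"archive": None, "findings": findings}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != EXPECTED_EXT[kind]:
        findings.append(f"extension .{ext} does not match {kind} signature")
    for name, content in iter_members(kind, data):
        if content.startswith(PE_MAGIC):
            if ".pdf" in name.lower():  # e.g. "invoice.pdf.exe"
                findings.append(f"{name}: PE executable disguised as PDF")
            else:
                findings.append(f"{name}: PE executable inside archive")
    return {"archive": kind, "findings": findings}


# ---- constructed sample attachments (not real malware) -------------------
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"
TINY_PDF = b"%PDF-1.4\n1 0 obj << >> endobj\ntrailer << >>\n%%EOF\n"


def make_zip(member: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def make_gzip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf) as gz:
        gz.write(content)  # GzipFile stores the name minus ".gz" in FNAME
    return buf.getvalue()


SAMPLES = {
    "Документы.zip": make_zip("Акт сверки.pdf.exe", FAKE_PE),      # lure
    "payment_docs.pdf.exe.gz": make_gzip("payment_docs.pdf.exe.gz", FAKE_PE),
    "scan.rar": make_zip("setup.exe", FAKE_PE),  # zip mislabelled as rar
    "report.zip": make_zip("report.pdf", TINY_PDF),              # benign
    "archive.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32,           # header only
}


def run_triage() -> Dict[str, Dict[str, object]]:
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_triage().items():
        print(name, result)
```

Because the check keys on the archive signature and on the `MZ` header of the member, renaming the attachment or switching from zip to gzip does not change the verdict, which is the property a defender wants against a sender who rotates formats month to month.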
“We found the evolution of the delivery of the attacks over time interesting,” Ryan Olson, vice president of threat intelligence for Unit 42, told Threatpost. “This attacker changed the archive formats each month at the end of 2018, presumably to evade detection software as it caught on.”
That’s not the only thing to change over the course of the attacks: Subject lines, message text and attachment names also constantly changed – although all of the messages shared a common theme of alleged financial issues that recipients were told they needed to solve. In all, there were hundreds of different lures, such as “Act of reconciliation September-October,” “Debt due Wednesday,” “Documents Verification for October 2018” and “The package of documents for payment 1st October.”
Most of the mail servers associated with the campaign were located in Russia, with a handful of others in Eastern Europe, Germany, the Netherlands, Switzerland, the U.K. and the U.S.
The targets were similarly clustered in Russia, though some victims were seen in Western Europe, Japan and the U.S.
In most other respects Redaman is a typical banking trojan: it checks whether it is running in a sandbox or similar analysis environment and, if satisfied that it is not, drops a persistent library file in the Windows program data directory. From there it monitors Chrome, Firefox and Internet Explorer browser activity and searches the local host for information related to the financial sector.
It also has a full cadre of misdeeds at its disposal, including downloading additional files (among them a variant of the Pony info-stealer), keylogging, taking screenshots and recording video, collecting and exfiltrating financial data related to Russian banks, smart-card monitoring, grabbing clipboard data and shutting down the infected machine, among other things.
Olson told Threatpost that Redaman stands out because of its rapidly evolving tactics as well as the fact that it “appears to be used primarily to target Russians, which is somewhat out of the ordinary.” In all, Unit 42 saw more than 100 different types of Redaman-laden spam during the last four months of 2018, sent to thousands of recipients; researchers said they expect the activity to continue into 2019.