
Redaman Banking Trojan

By GoldSparrow in Trojans

The Redaman Banking Trojan is a banking Trojan of the usual kind: it is used to collect the victims' online banking credentials and gain unauthorized access to their bank accounts. Redaman Banking Trojan attacks were observed as recently as 2018, carried out on Asian targets. The Redaman Banking Trojan was first released in 2017 and has been linked to large-scale spam email campaigns that target specific banks. The Redaman Banking Trojan gained notoriety after a phishing attack on government workers in the Russian Federation, in which a massive spam email campaign was used to trick these computer users into installing the Redaman Banking Trojan on their computers.

How the Redaman Banking Trojan Attacks a Machine

There are many ways in which malware can be delivered to the victims by spam email messages. The Redaman Banking Trojan is typically delivered using archive files that include the Redaman Banking Trojan executable file disguised as a PDF file. The archive files used to deliver the Redaman Banking Trojan have various formats, including ZIP, RAR, 7ZIP and GZIP files. Although the Redaman Banking Trojan attack itself is standard, the spam email campaign used to deliver the Redaman Banking Trojan is quite sophisticated. Malware analysts have observed hundreds of different subject lines and domains used as part of the campaigns linked to the Redaman Banking Trojan. Examples of the subject lines used to deliver the Redaman Banking Trojan include the following:

'Act of reconciliation September-October'
'Debt due Wednesday'
'Documents Verification for October 2018'
'The package of documents for payment 1st October'

This kind of content, combined with phishing techniques, can trick computer users into opening a password-protected archive, particularly if they believe it contains sensitive information that would naturally be protected.
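The delivery method described above, an executable disguised as a PDF inside an archive attachment, can be screened for at the mail gateway before a user ever sees it. The following Python script is an added example written for this page, not code from the original article or from any vendor: it inspects a ZIP attachment in memory and flags members whose name ends in a document extension followed by an executable one, whose content starts with the Windows PE 'MZ' header despite a document extension, or whose '.pdf' name is not backed by a '%PDF' signature. Encrypted members, which the page notes are common in these campaigns, are reported as uninspectable rather than silently passed. The sample archive, its file names and its payload bytes are all constructed for the demonstration; RAR, 7ZIP and GZIP are not handled here because the standard library only reads ZIP.

```python
import io
import zipfile

# Extensions Windows will execute directly, whatever precedes them in the name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Document extensions commonly used as a decoy in a double-extension name ("invoice.pdf.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like an executable disguised as a document.

    `name` is the member's path inside the archive, `head` its first few bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any directory component
    exts = ["." + p for p in base.split(".")[1:]]   # every extension in the name, in order

    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and any(e in DECOY_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension " + "".join(exts))
    elif exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])

    # A Windows PE file starts with the DOS header magic 'MZ'; a PDF starts with '%PDF'.
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXTENSIONS):
        reasons.append("PE header but non-executable extension")
    if exts and exts[-1] == ".pdf" and not head.startswith(b"%PDF"):
        reasons.append("claims .pdf but content is not a PDF")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Scan an in-memory ZIP attachment; return {member name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted member. Its contents
                # cannot be checked without the password, so report that rather than pass it.
                findings[info.filename] = ["encrypted member; content not inspected"]
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one real-looking PDF, one double-extension PE, one PE renamed to .pdf."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed fake PE stub, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n% constructed sample document\n")
        zf.writestr("invoice.pdf.exe", fake_pe)
        zf.writestr("contract.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

In the constructed sample, `statement.pdf` passes, `invoice.pdf.exe` is flagged for its double extension, and `contract.pdf` is flagged twice, once for the PE header and once for the missing PDF signature. Checking the content signature as well as the name matters because a gateway rule that only looks at extensions is defeated by simply renaming the payload.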

How the Redaman Banking Trojan Carries Out Its Attack

If the computer user opens the bogus PDF file contained in one of these archives, a script runs that changes Windows settings to allow the Redaman Banking Trojan to be downloaded and installed. During the installation process, the Redaman Banking Trojan checks that it is not being installed in a virtual machine or a debugging environment, to prevent PC security researchers from studying its code. If the Redaman Banking Trojan determines that it is running on a real victim's computer, it installs components into the Web browsers on the affected computer. These components monitor the victim's online activity and browsing history for information related to online banking. Other features of the Redaman Banking Trojan attack include logging the keystrokes typed on the affected computer, capturing screenshots, recording video of the victim's activity, monitoring for credit card transactions and monitoring the infected computer's clipboard. These are all standard tactics used by most banking Trojans to collect the victims' online banking information.

Protecting Yourself from Threats Like the Redaman Banking Trojan

The majority of the Redaman Banking Trojan targets have been located in Russia, although some victims of the attack have started to surface in other countries. One curious aspect of the Redaman Banking Trojan is that its primary targets are located in Russia, when many of these threats go out of their way to ensure that Russians are not affected by the attack. Due to the high volume of spam email associated with the Redaman Banking Trojan, PC security researchers expect activity associated with the Redaman Banking Trojan to continue in 2019. This is why PC users are advised to be especially cautious when handling email messages with unknown file attachments, especially attachments whose contents are not immediately visible, such as archive files. Furthermore, unsolicited or unexpected email messages containing file attachments or embedded links should be treated with caution, and computer users should confirm their origin and contents before attempting to open any attached content. A security program also should be used at all times.
