
Redaman Banking Trojan

Posted: January 25, 2019

The Redaman Banking Trojan is a banking Trojan, a specialized form of spyware that compromises finance-related credentials such as your bank account login. Its attacks also include broadly-applicable ones that compromise your PC's security and grant a remote attacker widespread surveillance of, and access to, the system. Victims always should terminate all network connections and delete the Redaman Banking Trojan with a modern anti-malware program as soon as they suspect an infection.

Old Russian Trojans Keeping Themselves Current

The Redaman Banking Trojan family has been active for multiple years, but a resurgence of its attacks makes it, once again, worthy of note to any vulnerable PC users. The campaigns retain a preference for Russia-based victims and infrastructure, although malware analysts also note a handful of attacks elsewhere, including in the United States, Japan and various European countries. As in most cases, the users themselves are at fault for the security breach that allows the Redaman Banking Trojan to access their PCs and financial data.

Although the precise text varies between attacks, the infection vectors consistently are financially-themed e-mail messages asking recipients to open the enclosed attachments. The attached file is concealed inside diverse archive formats, ranging from RAR to ZIP, possibly as an anti-detection measure. This file, while pretending to be a PDF document, is, in reality, the Redaman Banking Trojan's executable.

The Redaman Banking Trojan deletes this executable during the installation cleanup phase but leaves behind a Windows task that launches the program automatically. Some of the capabilities that malware analysts confirm as still being present in a full-blown Redaman Banking Trojan infection include:

  • Sandbox avoidance prevents the Redaman Banking Trojan from running inside a virtual environment by checking for telltale directories containing specific strings (such as 'fake_drive').
  • The Redaman Banking Trojan hooks into multiple Web browsers, including Internet Explorer, Firefox and Chrome, and may monitor the users' Web-browsing activity or redirect them to scheme sites that capture information, such as fake bank portals.
  • The Redaman Banking Trojan records the user's keyboard input, which it can use for collecting passwords and other credentials.
  • The Redaman Banking Trojan has two ways of capturing purely visual data: taking static screenshots or recording video of the screen.
  • The Redaman Banking Trojan also downloads other files and may execute them, exacerbating the security crisis by installing other threats with different features.
  • The Redaman Banking Trojan also can close other programs at will by terminating their processes automatically.

Bringing Cyber-Safety Back to Russia

The Redaman Banking Trojan gives its admins various degrees of control over the user's Web-browsing experience, data, system settings and installed software, with few visible symptoms. Suspicious users should look for a randomly-named folder in their Program Files directory that contains the Redaman Banking Trojan's components, along with the Windows task that it sets. Fortunately, according to malware analysts' data, no recent attacks are arriving through any vector other than corrupted spam e-mails.
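The two persistence traits described above (a scheduled task that relaunches the program, and components in a randomly-named folder under Program Files) can be hunted for together. The following PowerShell script is an added example written for this article, not the vendor's or the malware's code; the entropy threshold is a heuristic assumption, and the signature check flags tasks that launch unsigned or missing binaries from Program Files for analyst review.

```powershell
# Hunt: scheduled tasks whose action runs a binary from a Program Files subfolder
# that is unsigned, missing, or has a random-looking folder name.
# Heuristic thresholds are assumptions for this example, not published indicators.

function Get-NameEntropy {
    param([string]$Name)
    # Shannon entropy (bits per character) of the folder name; random names score high
    $chars = $Name.ToLowerInvariant().ToCharArray()
    if ($chars.Count -eq 0) { return 0.0 }
    $entropy = 0.0
    foreach ($group in ($chars | Group-Object)) {
        $p = $group.Count / $chars.Count
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function Find-SuspiciousProgramFilesTasks {
    param([double]$EntropyThreshold = 3.3)   # assumed cut-off; tune to your estate
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # Normalise the action path: strip quotes, expand %VAR% references
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            foreach ($root in $roots) {
                if ($exe -notlike "$root\*") { continue }
                # First component below Program Files is the vendor/product folder
                $folder  = $exe.Substring($root.Length).TrimStart('\').Split('\')[0]
                $entropy = Get-NameEntropy $folder
                $exists  = Test-Path -LiteralPath $exe
                $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
                # Report anything unsigned/missing or with a high-entropy folder name
                if ($sig -ne 'Valid' -or $entropy -ge $EntropyThreshold) {
                    [pscustomobject]@{
                        TaskPath  = $task.TaskPath
                        TaskName  = $task.TaskName
                        Author    = $task.Author
                        Execute   = $exe
                        Folder    = $folder
                        Entropy   = [Math]::Round($entropy, 2)
                        Signature = $sig
                    }
                }
            }
        }
    }
}

Find-SuspiciousProgramFilesTasks | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell session so that tasks registered by other accounts and SYSTEM are enumerated; legitimate unsigned installers will also appear, so treat the output as a triage list rather than a verdict.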

Most security products should identify the compromised attachments that are the mainstay of recent Redaman Banking Trojan infections. Users also should remain aware of the form these tactics take: they entice victims into clicking files by providing alarming but vague information regarding invoices and bills. Besides having anti-malware tools uninstall the Redaman Banking Trojan, disinfection procedures should include changing passwords and related credentials that are, almost certainly, in a threat actor's possession.

As advanced as the Redaman Banking Trojan's capabilities are, up to and including managing Windows certificates, it needs a victim to fall for its opening gambit. The act of opening an e-mail without checking its legitimacy is one of the easiest ways that criminals turn the public's brashness into money.
