Sunday, April 27, 2025
Follow us On Linkedin
HomeComputer SecurityHackers Delivering Redaman Banking Malware Disguising as a PDF Document

Hackers Delivering Redaman Banking Malware Disguising as a PDF Document

Computer SecurityCyber Security News

Published on

By Gurubaran
Hackers Delivering Redaman Banking Malware Disguising as a PDF Document

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

A new malspam campaign delivering Redaman Banking Malware disguising as an PDF document. The Redman malware was first detected in the year 2015 and it targets customers of financial institutions in Russia.

Palo Alto Networks observed mass-distribution campaigns of Redaman in the Russian language for the last four month. The campaign primarily focuses Russian email recipients ending in ru. The file attachments are a windows executable disguised as PDF files.

The attachments are zip, 7-zip, gz and rar archives, the emails contain subject lines, message text, and attachments. Attackers use to change the attachment names constantly and referred to financial issues.

- Advertisement - Google News
Redaman Banking Malware

Researchers found 3,845 email sessions attached with Redaman banking malware and the major senders are from Russia (3,456), Belarus (98), Ukraine (93), Estonia (29) and Germany (30).

Redaman Banking Malware

Once the Redaman Banking Malware executed it checks for the certain files or directories (cuckoo, fake_drive, Perl, strawberry, targets.xls, tsl, wget.exe, python ), if they dosen’t exists by throwing an exception, this beviour is to check it is running in sandbox or analysis environment.

If no exception occurs the executable drops a DLL in the temp directory and assigns a random file name under C:\ProgramData directory. It creates a scheduled task to make it persistent and executed everytime when users logged in.

Following are the Redaman Banking Malware Capabilities

  • Downloading files to the infected host
  • Keylogging activity
  • Capture screen shots and record video of the Windows desktop
  • Collecting and exfiltrating financial data, specifically targeting Russian banks
  • Smart card monitoring
  • Shutting down the infected host
  • Altering DNS configuration through the Windows host file
  • Retrieving clipboard data
  • Terminating running processes
  • Adding certificates to the Windows store

Once the infection completed the traffic will be sent to command and control (C2) sever and a small amount of traffic return form C2 server to the infected DLL client.

“We found over 100 examples of malspam during the last four months of 2018, and this blog provides a closer look at Redaman during that timeframe.”

Related Read

Android Released First Security updates for 2019 & Fixed 13 vulnerabilities – Update Your Phone Now

Spyware From Google Play as a Legitimate Android Apps That Infected 196 Country Users

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CISO

How To Use Digital Forensics To Strengthen Your Organization’s Cybersecurity Posture

Digital forensics has become a cornerstone of modern cybersecurity strategies, moving beyond its traditional...
CISO

Building A Strong Compliance Framework: A CISO’s Guide To Meeting Regulatory Requirements

In the current digital landscape, Chief Information Security Officers (CISOs) are under mounting pressure...
AI

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...
AI

New AI-Generated ‘TikDocs’ Exploits Trust in the Medical Profession to Drive Sales

AI-generated medical scams across TikTok and Instagram, where deepfake avatars pose as healthcare professionals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

CISO

How To Use Digital Forensics To Strengthen Your Organization’s Cybersecurity Posture

Digital forensics has become a cornerstone of modern cybersecurity strategies, moving beyond its traditional...
CISO

Building A Strong Compliance Framework: A CISO’s Guide To Meeting Regulatory Requirements

In the current digital landscape, Chief Information Security Officers (CISOs) are under mounting pressure...
AI

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved