A new malware campaign targeting Russian speakers is using the threats of debt and missing payments to dupe victims into downloading and executing a banking Trojan.
The round of attacks, as described by Palo Alto Network's Unit 42 security team, was tracked over the last four months of 2018.
The attack vector is broad and involves the mass distribution of spam and phishing emails rather than selected, targeted attacks. The emails sent, however, use a number of subject lines which could induce panic or fear in unsuspecting would-be victims -- the threat of debtors or payments owed, a situation many of us are familiar with.
These subject lines include "Debt due Wednesday," "Payment Verification," and "The package of documents for payment 1st October," among other financial subjects.
The subject headers constantly change, but the researchers say they "all have a common theme: they refer to a document or file for an alleged financial issue the recipient needs to resolve."
"These messages are often vague, and they contain few details on the alleged financial issue," Unit 42 added. "Their only goal is to trick the recipient into opening the attached archive and double-clicking the executable contained within."
The focus of the campaign is to spread a banking Trojan known as Redaman. First discovered in 2015, this malware was first known as the RTM banking Trojan (.PDF).
Upon execution, the executable file containing the Trojan will first launch a scan to ascertain whether or not the program is running in a sandbox environment, commonly used by security researchers to unpack malware samples. If the malware uncovers files or directories on a Windows machine which suggests virtualization or sandboxing, the executable exits.
If the target machine appears legitimate, the Windows executable will drop a DLL file in the PC's temporary directory, create a randomly-named folder in the ProgramData directory, and shift the DLL to this folder, again, using a random file name.
The Redaman DLL the creates a scheduled Windows task which triggers every time the user logs on to the machine in order to maintain persistence.
The malware uses a hooking system to monitor browsing activity. Chrome, Firefox, and Internet Explorer are of particular interest to Redaman, which will also search the local host for any information related to banking or finance.
Redaman's goal is to steal banking credentials and other data which, once sent to the malware's operators, can be used to compromise accounts and potentially steal the victim's funds or conduct identity theft.
The Trojan is also able to download additional files to an infected host, use keylogging, capture screenshots, record video of a Windows desktop session, alter DNS configurations, steal clipboard data, terminate running processes, and add certificates to the Windows store.
The spam messages used to spread Redaman have file attachments which are Windows executables disguised as .PDF documents, or sent as .zip, 7-zip, .rar, or .gz gzip archives.
Russian recipients are the main focus at present; however, individuals in the US, Netherlands, Sweden, Japan, Khazakstan, Finland, Germany, Austria, and Spain are also being targeted.
Palo Alto expects to see new samples of Redaman appear in the wild over the coming year.