The Redaman Trojan is a dangerous weapon used against computer users worldwide. It infects mainly via infected software installers. Our article gives an overview of its behavior according to the collected samples and available reports, also it may be helpful in attempting to remove the virus.
|Short Description||The Redaman Trojan is a computer virus that is designed to silently infiltrate computer systems.|
|Symptoms||The victims may not experience any apparent symptoms of infection.|
|Distribution Method||Software Vulnerabilities, Freeware Installations, Bundled Packages, Scripts and others.|
|Detection Tool|| See If Your System Has Been Affected by Redaman Trojan |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Redaman Trojan.|
Redaman Trojan – Distribution Methods
The Redaman Trojan is a newly discovered malware which is currently being distributed by an unknown hacker collective. The ongoing campaign uses a familiar tactic of sending out archived files that once interacted with will lead to the infection.
There are many ways that such files can be delivered to the target victims, here are the most common ones:
- Email Phishing Messages — The bulk of the related Trojans are sent via email SPAM campaigns that attempt to confuse the recipients into thinking that they have received a legitimate notification from a well-known service, product or company. They are modeled after the real messages and may include the same design elements and text contents. The associated Redaman Trojan files can be linked in the body contents or directly attached to the messages.
- Malicious Web Sites — The Redaman Trojan files can be uploaded to hacker-controlled web sites. They may be modeled after legitimate and well-known pages that computer users often search for — download portals, search engines, product landing pages and etc. Most of them are hosted on similar sounding domain names so that they can be visited by users that have misspelled the real one. Hacker-made or stolen security certificates can also be added to make them appear as safe sites.
- Malicious Documents — The archives can be linked in documents by inserting the relevant download and execution macros embedded in by the criminals. This strategy can be employed with all of the popular document types: text documents, spreadsheets, presentations and databases. Whenever they are opened by the users a prompt will appear asking them to enable the scripts in order to “correctly view” the files. This will trigger the Redaman Trojan.
- Dangerous Application Installers — The other method frequently employed by computer criminals is their ongoing creation of malicious application installer bundles. They are made by taking the legitimate files from their official download locations and modify them accordingly with the virus installation code. Usually popular software that are frequently downloaded by end users are targeted.
- Peer-to-Peer Networks — File-sharing networks such as BitTorrent are popular with users that spread both pirate and legitimate content.
- Malicious Web Browser Extensions — The hacker collective can create extensions for the most popular web browsers that lead to the Redaman Trojan infection. They are frequently uploaded to the relevant repositories using fake user reviews and developer credentials. The uploaded descriptions will promise the addition of new features and web browser optimization. However upon installation the default configuration settings will be replaced which will redirect the victims to a hacker-controlled page — this is the most common behavior. Alongside this the virus infection will follow.
Other methods can be employed in future versions as well.
Redaman Trojan – Detailed Description
The Redaman Trojan at the moment does not appear to contain any code snippets from previous malware. There is no information about the identity of the hackers, this sets out two highly possible hypotheses about its creation. The first one is that they are behind the development of the virus. The second one is that it is a custom order made on the dark underground markets. Once the samples are ready as per the hacker’s wishes the threat can be distributed via the attack campaigns.
At the moment the captured samples have been confirmed to establish a secure connection to a hacker-controlled server thus allowing the Redaman Trojan controllers to take over control of the machines, steal user data and spy on the victims in real-time.
We anticipate that the future versions of this malware will include expanded functionality as seen on other similar threats. They will usually begin with a data harvesting component. Most of the Trojans will do this in order to generate an unique ID that is assigned to each compromised computer. This is done by running an algorithm that takes its input parameters from strings like the parts list of the available hardware components, user settings and operating system environment values. Additionally some of the advanced Trojans use this engine in order to expose the identities of the victim users by searching for strings like their name, address, phone number, interests and stored account credentials (combinations of user names, email addresses and passwords). By interacting with the Windows Volume Manager the Redaman Trojan can access removable storage devices and network shares as well.
The harvested information about the system can be used by another module which can bypass installed security software. This is done by searching for engines of anti-virus products, firewalls, virtual machine hosts and intrusion detection systems. They can be disabled or completely removed.
When the malicious engine has acquired control of the infected machine it will proceed with changes that can alter all important areas of the operating system. A list of the common malicious actions includes the following:
- Windows Registry Changes — The virus engine can create entries for itself in the Windows Registry as well as modify existing ones. This is very dangerous as modifications to entries that are actively used by the operating system can lead to severe performance and stability problems. When the modifications reflect Registry values that belong to the third-party installed applications this may being forth unexpected errors.
- Boot Options Modifications — The Redaman Trojan can configure itself as a persistent threat which will automatically start once the computer is powered on. It may also disable access to the boot recovery menus which will also make most manual recovery instructions non-working as they depend on access to them.
- Data Removal — The engine can be programmed to identify and remove sensitive data such as System Restore Points, Restore Points and Backups. When this steps has been activated by the Redaman Trojan the victims will need to use a combination of an anti-spyware solution and data recovery software.
The majority of related Trojans are programmed to install other malware threats such as cryptocurrency miners and hijackers once all prior modules have completed running. The reason for this is because the Redaman might have already removed the found security installed and that the payloads can unfold all of their actions without any trouble.
Remove Redaman Trojan
If your computer system got infected with the Redaman Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instructions guide provided below.
Note! Your computer system may be affected by Redaman Trojan and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of Redaman Trojan.