{
	"id": "3780c5c9-8e5e-478f-8fb0-bfa07df101e5",
	"created_at": "2026-04-06T00:06:24.514744Z",
	"updated_at": "2026-04-10T03:20:59.243391Z",
	"deleted_at": null,
	"sha1_hash": "3cf72b20cf84d2ebd1db0f6589800b483e80e1ca",
	"title": "What do Win32/Redyms and TDL4 have in common?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116232,
	"plain_text": "What do Win32/Redyms and TDL4 have in common?\r\nBy Aleksandr Matrosov\r\nArchived: 2026-04-05 18:15:48 UTC\r\nMalware\r\n04 Feb 2013  •  2 min. read\r\nAt the beginning of January 2013, we started tracking the interesting Win32/Redyms trojan family. Redyms is notable for changing search results from popular search engines on infected machines. This Trojan family is mostly spreading in the United States and Canada. It is in these regions that the cybercrime market pays the highest prices for redirecting results from popular search engines to malicious ads/links. I’ve already published information about PPI (Pay-Per-Install) programs which distribute malware for BlackHat SEO (Cycbot: Ready to Ride).\r\nDeeper analysis shows that Win32/Redyms has code and behavior similar to Win32/Agent.TJO (also known as part of the Olmarik/TDL4 family). Win32/Agent.TJO is a user-mode Trojan program, but it is based on the clicker component functionality found in the TDL4 family (The Evolution of TDL: Conquering x64). TDL4, Win32/Agent.TJO and Win32/Redyms use similar techniques for manipulating network traffic in the active internet browser. To intercept and alter the data exchanged over the network, the bot hooks several functions from the Microsoft Windows Socket Provider (mswsock.dll):\r\nAll three malware families use the same hooking technique and a communication protocol encrypted with the RC4 stream cipher. The communication routine call graph in Win32/Redyms looks like this:\r\nhttps://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/\r\nPage 1 of 6\r\nThe next interesting finding in Win32/Redyms is the DGA (Domain Generation Algorithm) used to generate C\u0026C domain names. This DGA is based on simple alphabetical permutations and changes according to the init state constant. The reconstructed algorithm in Python and the decompiled assembly code are shown in the following figures:\r\n[python code]\r\n[decompiled assembly code]\r\nThe list of generated C\u0026C domain names looks like this:\r\nThe first domain names from the list were registered in the middle of December 2012 or at the beginning of January 2013. This indirectly indicates that Win32/Redyms was being distributed at the end of December.\r\nWin32/Redyms injects malicious code into all active processes on the infected machine. If activity from one of the most popular browsers is detected, a malicious thread is injected into the browser process and functions from mswsock.dll are hooked.\r\nThe injected code intercepts network activity from the browser process and looks up search engines from the following list:\r\nIf search engine activity is detected, all search requests are redirected to the C\u0026C and the URLs shown in the search results are changed in accordance with the list received from the C\u0026C. The URL checking engine is based on hooking the WSPSend() routine and uses Adelson-Velsky/Landis (AVL) trees as its data structure for managing the data. To operate on the AVL trees, the malware uses the RTL_GENERIC_TABLE structure from kernel32.dll. TDL4 uses the same ideas in its user-mode component cmd.dll.\r\nAleksandr Matrosov, Security Intelligence Team Lead\r\nSHA1 hashes for analyzed samples:\r\nWin32/Redyms.AB: 07e73ac58bee7bdc26d289bb2697d2588a6b7e64\r\nWin32/Agent.TJO: 3777c3e98e5be549a7c73f6841c759a9f8a098c3\r\nSource: https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/"
	],
	"report_names": [
		"what-do-win32redyms-and-tdl4-have-in-common"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433984,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cf72b20cf84d2ebd1db0f6589800b483e80e1ca.pdf",
		"text": "https://archive.orkl.eu/3cf72b20cf84d2ebd1db0f6589800b483e80e1ca.txt",
		"img": "https://archive.orkl.eu/3cf72b20cf84d2ebd1db0f6589800b483e80e1ca.jpg"
	}
}