A typical target for banking Trojans is the remote banking system, and RTM is no exception: one of its classes is called TBdo. Bdo is the Russian abbreviation for RBS (Remote Banking System), so RBS is clearly a target of this malware.
This class performs several tasks, including scanning the drives and the browsing history. When the malware scans a drive, its sole aim is to determine whether banking software is installed on the machine. If it finds a file of interest, it reports that information to the C&C server. What the malware does next is decided by logic that lives on the C&C server side, not in the sample.
The RTM malware also looks for banking URL patterns in Internet Explorer's browsing history and in the currently open tabs. For the history, it walks the WinINet URL cache with FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA and checks each entry's URL against its list of patterns.
For open tabs, it connects to Internet Explorer and Firefox through the Dynamic Data Exchange (DDE) mechanism to read the current URL of each tab, and checks each one against the same patterns. The history and open-tab checks run in a WHILE loop with a one-second sleep between iterations. The other data monitored in real time will be detailed later.
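To make that polling loop concrete, here is an added Python model of the history check. It is example code written for this page, not RTM's own: the banking patterns are hypothetical stand-ins (the real list is not reproduced here), the history entries are constructed, and reporting each hit only once per run is an assumption. On Windows, ie_cache_urls() performs the same WinINet cache enumeration with FindFirstUrlCacheEntryA/FindNextUrlCacheEntryA through ctypes; on any other platform it yields nothing and the constructed list stands in. The DDE query of open tabs is not modelled.

```python
"""Model of RTM's browsing-history check (added example, not RTM's code)."""
import ctypes
import re
import sys
import time
from urllib.parse import urlsplit

# Hypothetical stand-ins for the banking patterns; the write-up does not list the real ones.
BANKING_HOST_PATTERNS = [
    re.compile(r"(^|\.)ibank\.example$"),
    re.compile(r"(^|\.)online\.bank-example\.ru$"),
]

# Constructed history entries, as a stand-in for the WinINet cache on non-Windows hosts.
CONSTRUCTED_HISTORY = [
    "https://online.bank-example.ru/login?user=ivanov",
    "https://news.example.com/?q=ibank.example",    # bank name only in the query string
    "https://ibank.example/accounts",
    "https://online.bank-example.ru/login?user=ivanov",  # revisited page, same URL
    "http://intranet.corp/ibank.example/doc",       # bank name only in the path
]


def match_banking_urls(urls, patterns=BANKING_HOST_PATTERNS):
    """Return the URLs whose host matches a pattern, in first-seen order, without duplicates.

    Matching on the parsed host rather than the raw string avoids false hits on a path or
    query string that merely mentions a bank."""
    hits = []
    for url in urls:
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:          # malformed entry (e.g. bad IPv6 literal): skip it
            continue
        if host and url not in hits and any(p.search(host) for p in patterns):
            hits.append(url)
    return hits


def ie_cache_urls():
    """Yield the source URL of every WinINet cache entry, the way the sample enumerates
    history. Windows only; yields nothing elsewhere."""
    if sys.platform != "win32":
        return
    ERROR_INSUFFICIENT_BUFFER = 122
    wininet = ctypes.WinDLL("wininet", use_last_error=True)
    u32p = ctypes.POINTER(ctypes.c_uint32)
    wininet.FindFirstUrlCacheEntryA.restype = ctypes.c_void_p
    wininet.FindFirstUrlCacheEntryA.argtypes = [ctypes.c_char_p, ctypes.c_void_p, u32p]
    wininet.FindNextUrlCacheEntryA.restype = ctypes.c_int
    wininet.FindNextUrlCacheEntryA.argtypes = [ctypes.c_void_p, ctypes.c_void_p, u32p]
    wininet.FindCloseUrlCache.argtypes = [ctypes.c_void_p]

    class EntryHead(ctypes.Structure):  # leading fields of INTERNET_CACHE_ENTRY_INFOA
        _fields_ = [("dwStructSize", ctypes.c_uint32), ("lpszSourceUrlName", ctypes.c_char_p)]

    def url_in(buf):
        raw = ctypes.cast(buf, ctypes.POINTER(EntryHead)).contents.lpszSourceUrlName
        return raw.decode("latin-1") if raw else None

    size = ctypes.c_uint32(0)
    wininet.FindFirstUrlCacheEntryA(None, None, ctypes.byref(size))  # query required size
    buf = ctypes.create_string_buffer(size.value)
    handle = wininet.FindFirstUrlCacheEntryA(None, buf, ctypes.byref(size))
    if not handle:
        return
    try:
        url = url_in(buf)
        if url:
            yield url
        while True:
            size.value = len(buf)
            if wininet.FindNextUrlCacheEntryA(handle, buf, ctypes.byref(size)):
                url = url_in(buf)
                if url:
                    yield url
            elif ctypes.get_last_error() == ERROR_INSUFFICIENT_BUFFER:
                buf = ctypes.create_string_buffer(size.value)  # grow and retry the same entry
            else:
                break  # ERROR_NO_MORE_ITEMS (259) or another failure: stop
    finally:
        wininet.FindCloseUrlCache(handle)


def watch(source, report, rounds, interval=1.0):
    """The WHILE loop: poll the history source, report each new hit once, sleep one second.
    Returns the set of URLs reported. `rounds` bounds the loop so it can be run as a demo."""
    seen = set()
    for _ in range(rounds):
        for url in match_banking_urls(source()):
            if url not in seen:
                seen.add(url)
                report(url)
        time.sleep(interval)
    return seen


if __name__ == "__main__":
    history = (lambda: list(ie_cache_urls())) if sys.platform == "win32" else (lambda: CONSTRUCTED_HISTORY)
    watch(history, lambda u: print("banking URL seen:", u), rounds=2)
```

Run on a Windows analysis VM, the script lists which cached URLs the malware's check would have flagged against the stand-in patterns; everywhere else it works on the constructed list. The deduplication in watch() is a design choice for the demo, not something the write-up states about the sample.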
Kaspersky Lab researchers have detected a surge in RTM banking Trojan activity: the number of users attacked in 2018 exceeded 130,000, up from just 2,376 in 2017.
The pace appears to be continuing into 2019, with more than 30,000 users attacked in the first month and a half of the year, making RTM one of the most active banking Trojans on the threat landscape.
Banking Trojans are among the most damaging cyber threats because they are built to reach their victims' financial accounts and assets, primarily by stealing login credentials and hijacking online banking sessions. RTM swaps the account details while an infected victim is making a payment or transfer, or steals money manually through remote-access tools.
The malware targets the people responsible for financial accounting in small and medium-sized businesses, with a particular focus on the IT and legal sectors. This fits a general trend in which cybercriminals are losing interest in financial organizations and turning to the private sector, where companies generally invest less in security. So far the Trojan has hit mostly companies based in Russia.
The RTM Trojan is distributed through phishing email disguised as routine finance and accounting correspondence and carrying a malicious link or attachment. Once installed on the victim's computer, it gives the attackers full control over the infected system.
The core of RTM is a DLL, but it is dropped onto disk by an .EXE. That executable is generally packed and contains the DLL code. When launched, it only extracts the DLL and runs it with the following command: rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk", DllGetClassObject host. Note that the DLL is written with a .lnk extension, which makes it look like a shortcut on disk; rundll32 loads the file regardless of its extension, and DllGetClassObject, normally a COM export, is the entry point it calls.
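That command line is a good detection hook. The following added Python (written for this page, not code from RTM or from the analysts; the Sysmon-style event lines are constructed and the list of user-writable roots is an assumption) parses rundll32 command lines and flags the three things that make this invocation stand out: a module with a non-DLL extension, a module under a user-writable directory such as %PROGRAMDATA%, and the COM export DllGetClassObject used as the entry point. A module given without any extension is not flagged, because LoadLibrary appends .dll in that case and many legitimate invocations rely on it.

```python
"""Flag rundll32 command lines shaped like RTM's loader invocation (added example)."""
import ntpath
import re

# rundll32 syntax: [path\]rundll32[.exe] <module>,<export> [args]; the module may be quoted
# and whitespace is allowed around the comma.
RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>(?:[^"\s]*\\)?rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<qmod>[^"]+)"|(?P<mod>[^\s,]+))\s*,\s*'
    r'(?P<export>[A-Za-z_][\w@#]*)(?P<rest>.*)$',
    re.IGNORECASE,
)
CMDLINE_RE = re.compile(r"CommandLine:\s*(?P<cmd>.+?)\s*$")

# Assumed set of locations a standard user can write to; extend for your environment.
WRITABLE_ROOTS = (
    "%programdata%\\", "c:\\programdata\\", "%appdata%\\", "%localappdata%\\",
    "%temp%\\", "c:\\users\\",
)

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r'Event 1 | Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk", DllGetClassObject host',
    r'Event 1 | Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'Event 1 | Image: C:\Windows\System32\rundll32.exe | CommandLine: "C:\Windows\System32\rundll32.exe" printui.dll,PrintUIEntry /in /n \\srv\pr1',
    r'Event 1 | Image: C:\Windows\System32\notepad.exe | CommandLine: notepad.exe C:\Users\ivanov\notes.txt',
]


def analyze_rundll32(cmdline):
    """Return the reasons a rundll32 command line looks like RTM's loader ([] if benign or
    not a rundll32 invocation)."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return []
    module = m.group("qmod") or m.group("mod")
    export = m.group("export")
    reasons = []

    ext = ntpath.splitext(module)[1].lower()
    if ext not in ("", ".dll"):  # no extension is fine: LoadLibrary appends .dll itself
        reasons.append(f"module has non-DLL extension {ext}; rundll32 loads any PE regardless of name")

    if any(module.lower().startswith(root) for root in WRITABLE_ROOTS):
        reasons.append("module is under a user-writable location")

    if export.lower() == "dllgetclassobject":
        reasons.append("entry point is the COM export DllGetClassObject, not a rundll32-style entry point")
    return reasons


def scan_events(events):
    """Return (command line, reasons) for every event whose rundll32 invocation is suspicious."""
    findings = []
    for line in events:
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        reasons = analyze_rundll32(m.group("cmd"))
        if reasons:
            findings.append((m.group("cmd"), reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in scan_events(SAMPLE_EVENTS):
        print(cmd)
        for r in reasons:
            print("  -", r)
```

Any one of the three signals is worth a look on its own; all three together on a single command line is a strong match for this loader. In a real pipeline the command lines would come from Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and the environment variable would usually appear already expanded, which is why both forms of the ProgramData root are listed.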
Kaspersky Lab estimates that over the course of two years the attackers may have carried out multiple illegal transactions of up to a million rubles (the equivalent of $15,104) each.
“By now, we’ve seen cases where successful cyber threats were first used in Russia and later went international. RTM banking Trojan can easily become yet another example of the same development cycle. That is why we urge organizations that can become potential targets of this malware to take preventative measures and make sure their security products detect and block this threat,” said Sergey Golovanov, a security researcher at Kaspersky Lab.
To protect your business from financial malware, including the RTM Trojan, Kaspersky Lab security specialists advise:
- Training your employees, particularly those who are responsible for accounting, to pay special attention to phishing attacks
- Installing the latest patches for all of the software you use
- Forbidding the installation of programs from unknown sources
- Using a robust security solution for businesses with behavioral analysis, such as Kaspersky Endpoint Security for Business.