A typical target for banking Trojans is the remote banking system. RTM is no exception: one of its classes is named TBdo. Bdo is the Russian translation for RBS (Remote Banking System), so it is clear that RBS is a target for this malware.

This class can perform several tasks, including scanning drives and the browsing history. When the malware scans a drive, its sole purpose is to determine whether banking software is installed on the machine. If it finds a file of interest, it reports the information to the C&C server. The subsequent actions carried out by the malware depend on logic that resides on the C&C server side.

The RTM malware also looks for banking URL patterns in Internet Explorer's browsing history and in opened tabs. For the history, it enumerates entries using the functions FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA, and for each entry it checks whether the URL matches one of the patterns.

For opened tabs, it connects to Internet Explorer and Firefox through the Dynamic Data Exchange (DDE) mechanism to get access to the current URL of each open tab. For every tab, it also checks whether the URL matches a pattern. The browsing history and opened tabs checks are performed in a WHILE loop with a sleep of 1 second between checks. The other information monitored in real time can be detailed.

Kaspersky Lab researchers have detected a surge in activity by the RTM banking Trojan, with the overall number of users attacked in 2018 exceeding 130,000, up from as few as 2,376 attacked users in 2017.


The pace of attacks appears to be continuing into 2019, with more than 30,000 users attacked during the first month and a half of the year, making RTM one of the most active banking Trojans on the threat landscape.

Banking Trojans are among the most damaging cyber threats, as they are designed to gain access to the financial accounts and assets of their victims, often by stealing login credentials and hijacking online banking sessions. The RTM Trojan substitutes account details when an infected victim tries to make a payment or transfer funds, or lets the attackers steal money manually using remote access tools.

The malware targets people responsible for financial accounting in small and medium-sized businesses, with a particular focus on the IT and legal sectors. This makes RTM attacks part of a general trend in which cybercriminals are losing interest in financial organizations and are instead focusing on the private sector, where entities generally invest less in security solutions. So far, the Trojan has hit mostly companies based in Russia.

The RTM Trojan is distributed through e-mail phishing, using messages disguised as routine finance and accounting correspondence and containing a malicious link or attachment. Once the malware is installed on the victim's computer, it gives the attackers full control over the infected system.

The core of the RTM malware is a DLL, but it is dropped onto the disk by an .EXE. That executable file is usually packed and carries the DLL code. When it is launched, it only extracts the DLL and runs it using the following command: rundll32.exe "%PROGRAMDATA%\Winlogon\Winlogon.lnk",DllGetClassObject host
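The launch command above has traits a defender can check for in process-creation logs: rundll32 loading a module that does not have a library extension, from a user-writable directory, through the DllGetClassObject export. The following Python sketch is an added example, not code from the article or from the vendors it cites; the extension allow-list, the directory list, the two-reason threshold and the sample command lines (including the path separators) are assumptions made for illustration.

```python
import ntpath
import re

# rundll32 syntax: rundll32.exe <module>,<export> [arguments]
RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,"]+))\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)
# Extensions normally passed to rundll32 (assumed allow-list for this example).
USUAL_EXTENSIONS = {".dll", ".cpl", ".ocx"}
# Locations a non-admin process can usually write to (assumed list).
USER_WRITABLE = ("%programdata%", r"c:\programdata", "%appdata%", "%temp%", r"c:\users")


def assess(command_line):
    """Return the reasons a rundll32 command line looks suspicious ([] = no hit)."""
    match = RUNDLL32.search(command_line)
    if not match:
        return []
    module = (match.group("q") or match.group("u")).lower()
    reasons = []
    extension = ntpath.splitext(module)[1]
    if extension not in USUAL_EXTENSIONS:
        reasons.append(f"module extension {extension or '(none)'} is not a library extension")
    if module.startswith(USER_WRITABLE):
        reasons.append("module is loaded from a user-writable location")
    if match.group("export").lower() == "dllgetclassobject":
        reasons.append("COM export DllGetClassObject invoked directly")
    return reasons


def triage(command_lines, threshold=2):
    """Keep only command lines with at least `threshold` independent reasons."""
    hits = {}
    for line in command_lines:
        reasons = assess(line)
        if len(reasons) >= threshold:
            hits[line] = reasons
    return hits


# Constructed sample events; the first is modelled on the command quoted above.
SAMPLE = [
    r'rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe C:\ProgramData\Vendor\helper.dll,Start',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE).items():
        print(line, "->", "; ".join(reasons))
```

Requiring two reasons keeps the third sample, a vendor DLL under ProgramData, out of the alert set while still flagging the first.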


Kaspersky Lab estimates that over the course of two years, the attackers may have carried out multiple illegal transactions, of up to a million rubles (the equivalent of $15,104) each.

“By now, we've seen instances where successful cyber threats were initially used in Russia and later went international. The RTM banking Trojan can easily become yet another example of the same development cycle. That is why we urge businesses that can become potential targets of this malware to take preventative measures and make sure their security products detect and block this threat,” said Sergey Golovanov, a security researcher at Kaspersky Lab.

To protect your business from financial malware, including the RTM Trojan, Kaspersky Lab security experts advise:

Training your employees, particularly those who are responsible for accounting, to pay special attention to phishing attacks

Installing the latest patches for all the software you use

Forbidding the installation of programs from unknown sources

Using a robust security solution for businesses with behavioral analysis, such as Kaspersky Endpoint Security for Business.