Financial institutions in Russia targeted using new version of RTM Bot in recent phishing campaign

silversurfer

A new surgical phishing campaign that targets financial institutions in Russia and other neighboring countries has been discovered recently. Cybercriminals are leveraging a malware named ‘Read the Manual’ (RTM) Bot to deliver a banking trojan.

What’s the matter - Cofense Intelligence, which analyzed the phishing campaign, revealed that “the Read The Manual (RTM) Bot is created by a cyber group known by the same name.” The RTM group is targeting financial institutions within different industry sectors.

Capabilities of RTM Bot - The new version of the modular banking trojan RTM Bot, thus delivered, is believed to have many unique features.
It can steal data from accounting software and harvest smart card information. It also uses The Onion Router (TOR) communication protocol to communicate with the attackers. The campaign is executed via phishing emails, which use the ‘Monthly Payment’ scheme to lure the users.

“RTM Bot targets accounting software while initially scanning the drive of the endpoint. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan then gathers information, effectively fingerprinting the machine,” Cofense researchers explained.

Type of information stolen - Once the RTM Bot gets hold of the information, it stores it in the memory buffer until the data is sent to the C2 server. The information stolen by the banking trojan includes system details such as username, machine name, OS version, anti-virus installed, default language and time zone.
 
