Financial institutions in Russia targeted using new version of RTM Bot in recent phishing campaign

• The Read The Manual (RTM) Bot is created by a cyber group known by the same name.
• The information stolen by the banking trojan includes system details such as username, machine name, OS version, anti-virus installed, default language and time zone.

A new surgical phishing campaign that targets financial institutions in Russia and other neighboring countries, has been discovered recently. Cybercriminals are leveraging a malware named ‘Read the Manual’ (RTM) Bot to deliver a banking trojan.

What’s the matter - Cofense Intelligence, who analyzed the phishing campaign, revealed that “the Read The Manual (RTM) Bot is created by a cyber group known by the same name.” The RTM group is targeting the financial institutions within different industry sectors.

Capabilities of RTM Bot - The new version of the modular banking trojan RTM Bot, thus delivered, is believed to have many unique features.

It can steal data from accounting software and harvest smart card information. It also uses The Onion Router (TOR) communication protocol to communicate the attackers. The campaign is executed via phishing emails - which use the ‘Monthly Payment’ scheme to lure the users.

“RTM Bot targets accounting software while initially scanning the drive of the endpoint. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan then gathers information, effectively fingerprinting the machine,” Cofense researchers explained.

Type of information stolen - Once the RTM Bot gets hold of the information, it stores it in the memory buffer until the data is sent to the C2 server. The information stolen by the banking trojan includes system details such as username, machine name, OS version, anti-virus installed, default language and time zone.

“Before attempting to exfiltrate the gathered information, the banking trojan will look up the host’s external IP address and add the value to its collection. It uses a GET request to the website hxxp://myip[.]ru/index_small[.]php to gather the external IP of the infected machine,” Cofense researchers added.

The previous version of the RTM Bot used Blockchain Domain Name Service (BDNS) for its C2 infrastructure.