Financial institutions in Russia targeted using new version of RTM Bot in recent phishing campaign
March 13, 2019 | Malware and Vulnerabilities
- The Read The Manual (RTM) Bot is created by a cyber group known by the same name.
- The information stolen by the banking trojan includes system details such as username, machine name, OS version, anti-virus installed, default language and time zone.
A new, surgically targeted phishing campaign against financial institutions in Russia and neighboring countries has recently been discovered. The attackers are using malware named ‘Read the Manual’ (RTM) Bot to deliver a banking trojan.
What’s the matter - Cofense Intelligence, which analyzed the phishing campaign, revealed that “the Read The Manual (RTM) Bot is created by a cyber group known by the same name.” The RTM group targets financial institutions across several industry sectors.
Capabilities of RTM Bot - The new version of the modular banking trojan RTM Bot delivered in this campaign is believed to have several unique features.
It can steal data from accounting software and harvest smart card information, and it uses The Onion Router (TOR) protocol to communicate with the attackers. The campaign is carried out via phishing emails that use a ‘Monthly Payment’ scheme to lure users.
“RTM Bot targets accounting software while initially scanning the drive of the endpoint. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan then gathers information, effectively fingerprinting the machine,” Cofense researchers explained.
Type of information stolen - Once RTM Bot has collected this information, it holds it in a memory buffer until the data is sent to the C2 server. The system details stolen by the banking trojan include username, machine name, OS version, installed anti-virus, default language and time zone.
“Before attempting to exfiltrate the gathered information, the banking trojan will look up the host’s external IP address and add the value to its collection. It uses a GET request to the website hxxp://myip[.]ru/index_small[.]php to gather the external IP of the infected machine,” Cofense researchers added.
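The external-IP lookup described above is a network-observable step that happens before exfiltration, so it is a useful triage signal for defenders. The following is an added example, not code from the article or from Cofense: it refangs the indicator quoted in the article, scans proxy log lines in an assumed (constructed) format of `<timestamp> <client_ip> <method> <url> <status>`, and reports which internal clients issued the GET request, so those hosts can be pulled for investigation. The sample log lines are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Indicator quoted in the article: the defanged URL RTM Bot requests to learn
# the infected host's external IP address before exfiltration.
RTM_IP_LOOKUP_DEFANGED = "hxxp://myip[.]ru/index_small[.]php"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


RTM_IP_LOOKUP_URL = refang(RTM_IP_LOOKUP_DEFANGED)  # http://myip.ru/index_small.php

# Assumed proxy log format, constructed for this example (not a real product's format):
#   <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_rtm_ip_lookups(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed log entry whose GET target matches the RTM IP-lookup URL.

    Matching is case-insensitive on the URL because scheme and host are
    case-insensitive; lines that do not fit the assumed format are skipped.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["method"] == "GET" and m["url"].lower() == RTM_IP_LOOKUP_URL:
            hits.append({"timestamp": m["ts"], "client": m["client"], "url": m["url"]})
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per internal client, for prioritising triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


# Constructed sample log lines: one client makes the lookup twice (once with
# upper-case scheme/host), another client only does ordinary browsing, and one
# line is malformed to exercise the skip path.
SAMPLE_PROXY_LOG = [
    "2019-03-13T09:14:02Z 10.0.4.17 GET http://myip.ru/index_small.php 200",
    "2019-03-13T09:14:05Z 10.0.4.17 GET http://www.example.com/ 200",
    "2019-03-13T09:15:11Z 10.0.4.23 POST http://intranet.example.local/login 302",
    "2019-03-13T09:16:40Z 10.0.4.17 GET HTTP://MYIP.RU/index_small.php 200",
    "this line does not match the assumed format",
]

if __name__ == "__main__":
    hits = find_rtm_ip_lookups(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h['timestamp']} client={h['client']} requested {h['url']}")
    print("per-client counts:", summarize_by_client(hits))
```

A single match is a lead, not a verdict: legitimate tools also query public "what is my IP" services, so the flagged client should be correlated with the other behaviour the article describes (scans of accounting software and browser history, TOR traffic) before concluding RTM Bot is present.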
The previous version of the RTM Bot used Blockchain Domain Name Service (BDNS) for its C2 infrastructure.