The RTM banking trojan is back with an arsenal of tricks. A new ransomware family—Quoter—has joined the party too. 

What’s going on?

The new money-making campaign packs a triple threat attack and has hit at least 10 Russian finance and transport organizations. The trojan is being propagated via phishing emails, messages impersonating routine finance and accounting correspondence. Quoter comes as the Plan B and has been named so as the code embeds popular quotes.

Why does it matter?

  • It is unusual for Russian-speaking threat actors to target Russian organizations.
  • It is remarkable that the group has resorted to not-so-conventional tools of making money - doxxing and extortion

A brief history of RTM trojan

  • Active since 2015, RTM uses malware written in Delphi. This campaign started in December 2020 and is ongoing.
  • The primary method of infection is phishing emails. The topics are chosen in a way that prompts the recipients into opening the message. The topics include requests for refund, subpoenas, or closing documents, among others. 
  • Between September and December 2018, 11,000 malicious emails were sent to financial institutions from addresses impersonating government agencies.

How to stay safe?

  • Train employees to identify malspam, especially in the accounting department.
  • Install latest security patches. 
  • Do not install software from unknown sources. 

The bottom line

It is undeniable that ransomware attacks have gotten crueler and more corporate. Ransomware variants these days are being designed to beat big targets and make millions. There’s no reason to believe that the ransomware problem will go away any time soon. Hence, it is essential that security holes are taken notice of and patched.

Cyware Publisher