The Russian-speaking RTM threat group is targeting companies in an ongoing campaign that leverages a well-known banking trojan, a brand-new ransomware strain and extortion tactics.
The Russian-speaking group behind the infamous RTM banking trojan is now packing a trifecta of threats as it turns up the heat, as part of a substantial new money-grab campaign. Beyond the banking malware it is known for, the attackers have enlisted a recently discovered ransomware family called Quoter as part of a new double-extortion cyberattack tactic.
The triple-threat attack, which began its “active phase” in December 2020 and is ongoing, has hit at least 10 Russian companies in the transportation and finance sectors via malicious emails, according to a Kaspersky report released this week.
Should the money-stealing tactics of the RTM group’s hallmark Trojan-Banker.Win32.RTM payload fail, the attackers have a backup plan. Plan “B” is to deploy a never-before-seen ransomware family, which researchers are calling Quoter. The name Quoter is derived from the fact that the ransomware code embeds quotes from popular movies. Finally, if the attackers hit a brick wall, they try to extort money from victims, threatening to release data stolen from the targets if they do not pay up.
“What’s amazing about this story is the evolution of the group behind the RTM ransomware,” according to a translation of Kaspersky’s research report. They said the group has gone far beyond its tried-and-true methods of “making money,” through extortion and doxing. They added that it is uncommon for Russian-speaking cybercriminals to attack organizations in Russia, though the ransomware is also used in targeted attacks outside the country.
RTM Email Attack: Downloading RTM Trojan
Kaspersky said that the initial infection phase of the campaign first hit companies back in mid-2019, when many organizations reported receiving numerous phishing emails with business-themed headings. These included subject lines that used such terms as “Subpoena,” “Request for refund,” “Closing documents” or “Copies of documents for the last month.”
The text of the email was short and asked recipients to open an attached file for more detailed information. If the recipient opened the attachment, Trojan-Banker.Win32.RTM was installed.
Trojan-Banker.Win32.RTM (also known as the RTM Trojan) is a well-known banking trojan. According to a Kaspersky report in November, Trojan-Banker.Win32.RTM was the fifth most common banking malware family in the third quarter of 2020, taking 7.4 percent of the share behind Emotet, Zbot and others.
As in this attack, the malware is typically distributed via malicious emails (using messages disguised as accounting or finance correspondence) and, once installed, gives attackers full control over the infected systems.
After initial infection, the attackers used legitimate remote access programs, to avoid detection, for lateral movement within companies’ local networks. These tools include LiteManager, remote control and administration software for Windows, Linux and macOS.
Once downloaded, the RTM trojan typically substitutes account details while a victim attempts to make a payment or transfer money. According to Kaspersky, the RTM trojan can also be used by attackers to manually transfer money from victims’ accounts using remote access tools.
Should the banking trojan’s methods fail, researchers found that the attackers used their initial foothold on systems to deploy a never-before-seen ransomware, which they called Ransom.Win32.Quoter.
The ransomware encrypted the contents of computers using the AES-256 CBC algorithm and left a message demanding a ransom. The code of this encryptor included several quotes from well-known films.
Researchers said, “by this time, many months had passed since the RTM had been consolidated in the organization’s network.”
Threatpost has reached out to Kaspersky researchers for further details on the Quoter ransomware and will update this report if possible.
If victims failed to pay the resulting ransom demand, the attackers have yet another trick up their sleeves. Here, the RTM group relied on a ransomware tactic called double extortion: they hold compromised data for ransom and threaten to release or leak it if the victims don’t pay up.
“If the backup plan did not work for one reason or another, then after a couple of weeks the attackers switched to blackmail,” said researchers.
Victims receive a message that their data has been stolen and would cost a million dollars (in Bitcoin) to return, or the private information would be posted online for free download.
Double extortion is an increasingly popular tactic among ransomware actors. The tactic, which first emerged in late 2019 with the Maze operators, has been swiftly adopted over the past few months by numerous cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.