Ransomware, and then some

RTM group attacks victims with ransomware, a banking Trojan, and remote-access tools.

Our experts have detected a new malicious campaign involving a fairly wide array of tools. The tools include a banking Trojan, ransomware called Quoter (which our systems had not previously encountered), and legitimate remote-access programs (LiteManager and RMS, possibly others). The cybercriminals are associated with the RTM group.

How the attackers operate

The attack starts with standard phishing: The attackers e-mail what appears to be a document but is actually Trojan-Banker.Win32.RTM. To get recipients to open the attachment, they use attention-grabbing e-mail headers aimed at corporate recipients. Our experts came across the following variants:

  • Subpoena,
  • Refund request,
  • Closing documents,
  • Copies of documents for last month.

The Trojan itself is not new, having appeared consistently in our reports of the top 10 banking malware families since 2018. If the recipient clicks the attachment and installs the malware, it downloads additional hacking tools to the computer.

Next, the cybercriminals search the network for accounting employees’ computers and try to manipulate the remote banking system by substituting their own banking details for the right ones. That behavior is not new to RTM. Interestingly, as a backup plan, the gang launched Quoter (another Trojan, detected as Trojan-Ransom.Win32.Quoter), which we named as such because it inserts movie quotes into the code of the files it encrypts.

As is common practice for modern ransomware operators, RTM also siphons off information and later threatens to publish it if the ransom is late.

The targets

So far, our experts know of about a dozen victims, all operating in Russia, all in the transportation or financial services fields. However, the victim tally is bound to be higher; the period between initial infection and ransomware activation, when the attack becomes evident, can be several months. During that time, the attackers explore victims’ networks, searching for computers with remote banking systems.

Similar attacks on companies operating in other regions may follow (Quoter inserts quotes in English, which doesn’t necessarily mean anything, but it suggests the gang takes an international view). For a slightly more technical overview of the new campaign, including snippets of the malicious code and IOCs, see Securelist’s post.

Guarding against such cyberthreats

As usual, effective protection starts with employee education: Most attacks of this kind begin with phishing e-mails. Colleagues who are aware of the danger and standard intruder tricks are less likely to swallow the bait and endanger the company. You can organize training remotely using a specialized online platform.

For the timely detection of lateral movement by intruders through the corporate network and the use of legitimate tools for malicious purposes, deploy advanced tools to identify complex threats.

In addition, all employee computers, especially those that work with banking systems, must have security solutions that can detect both known and completely new threats.

Our products detect both the RTM banking Trojan and Quoter ransomware.