
RTM Banking Trojan

By GoldSparrow in Trojans

The RTM Banking Trojan is believed to be a private hacking tool, since malware researchers have not found its source code online; this likely means that a single group of criminals is using it in its campaigns. So far, the RTM Banking Trojan has mostly been used against small and medium-sized businesses in Russia, but cybersecurity experts have also detected attacks against targets in Kazakhstan, Germany, Ukraine, and the Czech Republic.

The RTM Banking Trojan's operators appear to change their propagation methods and infection vectors regularly. In the past they have relied on Word macros, the RIG Exploit Kit, fake downloads, fake software updates, macro-laced documents, the Buhtrap downloader, the Sundown Exploit Kit, and others. One of the most recent campaigns involving the RTM Banking Trojan relies on phishing emails that carry a macro-laced attached document: users who open the bogus file may unknowingly allow a macro script to run, and that script is meant to deploy the RTM Banking Trojan on the computer.
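The campaign described above depends on the recipient opening an attachment that carries a VBA macro. A cheap triage check a defender can run on incoming Office attachments is to look inside the Office Open XML container for a VBA project part. The script below is an added example and not code from the original article or from any vendor; the sample documents are constructed in memory, and the helper names and the indicator list are this example's own assumptions.

```python
"""Flag Office Open XML (docx/docm/xlsm/pptm) attachments that embed a VBA project.

Added example for the RTM phishing lure described above. OOXML files are zip
containers; a VBA macro project is stored as a vbaProject.bin part and is also
declared with its own content type in [Content_Types].xml. Checking both makes
a renamed part alone insufficient to slip past the check.
"""
import io
import zipfile

# Part names used for an embedded VBA project (assumed indicator list for this example).
MACRO_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type that [Content_Types].xml declares for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> list[str]:
    """Return the macro indicators found in an OOXML document passed as bytes.

    A non-zip input (for example a legacy binary .doc file) yields an empty list;
    such files need an OLE parser rather than this zip-based check.
    """
    indicators = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            for part in MACRO_PART_NAMES:
                if part in names:
                    indicators.append(f"part:{part}")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes:
                    indicators.append("content-type:vbaProject")
    except zipfile.BadZipFile:
        return []
    return indicators


def has_macros(data: bytes) -> bool:
    """True when any macro indicator is present in the document."""
    return bool(find_macro_indicators(data))


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for the demonstration.

    This is a constructed stand-in, not a real RTM lure: the vbaProject.bin
    content is a placeholder, not an actual VBA project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = [
            '<?xml version="1.0"?><Types>',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            ctypes.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
        ctypes.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ctypes))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_doc(False)), ("macro", build_sample_doc(True))):
        print(label, has_macros(doc), find_macro_indicators(doc))
```

The check is a triage heuristic for a mail gateway or sandbox pipeline, not a replacement for a full macro analyser: it tells you that a VBA project is present, not what it does, and legacy OLE-format documents (.doc, .xls) are not zip containers and must be parsed differently.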

Once this Trojan is started, it may gather basic system details and transfer them to the attacker's remote server; the username, computer name, OS version, time zone, installed security tools, and user privileges are only a small portion of the information the RTM Banking Trojan collects.

Once the banking Trojan has gained persistence and is running on the targeted PC, it may check the user's browsing history and hard drive for software or websites linked to a selected list of financial institutions (most of which are Russian). The primary feature of the RTM Banking Trojan appears to be its keylogger module, which logs keystrokes from both the physical and the virtual keyboard and can also capture clipboard data. If the RTM Banking Trojan detects that the user is browsing one of the specified banking sites, it may take screenshots every five seconds and transfer them to the attacker's server.

It is clear that the RTM Banking Trojan is part of a complex campaign that aims to steal money from businesses and users in Russia. Protecting computers from its attacks can be done with the help of a suitable anti-malware tool.
