The Russian-speaking group behind the infamous RTM banking trojan is now packing a trifecta of threats as it turns up the heat – part of a massive new money-grab campaign. Beyond the banking malware it is known for, attackers have enlisted a recently-discovered ransomware family called Quoter as part of a new double-extortion cyberattack strategy.
The triple-threat attack, which started its “active phase” in December 2020 and is ongoing, has hit at least ten Russian organizations in the transport and finance sectors via malicious email messages, according to Kaspersky in a report released this week.
Should the money-stealing tactics of RTM group’s hallmark Trojan-Banker.Win32.RTM payload fail, the attackers have a backup plan. Plan “B” is deploy a never-before-seen ransomware family, which researchers are calling Quoter. The name Quoter is derived from the fact the ransomware code embeds various popular quotes. Next, if attackers hit a brick wall, they try to extort money from victims, threatening that they will release breached data stolen from the targets if they don’t pay up.
“What’s remarkable about this story is the evolution of the group behind the RTM ransomware,” according to a translation of Kaspersky’s research report. They said the group has gone far beyond its tried-and-true methods of “making money” – via extortion and doxing. They added, it’s unusual for Russian-speaking cybercriminals to attack organizations in Russia, although, the ransomware is also used in targeted attacks outside the country.
RTM Email Attack: Downloading RTM Trojan
Kaspersky said that the initial infection phase of the campaign initially hit corporations back in mid-2019, when several companies reported receiving various phishing emails with corporate-themed headings. These included subject lines that included such terms as “Subpoena,” “Request for refund,” “Closing documents” or “Copies of documents for the last month.”
The text of the email was brief and asked email recipients to open an attached file for more detailed information. If the email recipient opened the attachment, Trojan-Banker.Win32.RTM was installed.
The Trojan-Banker.Win32.RTM (also known as the RTM Trojan) is a popular banking trojan. According to a Kaspersky report in November, Trojan-Banker.Win32.RTM was the fifth most popular banking malware family in the third quarter of 2020, taking 7.4 percent of the share behind Emotet, Zbot and more.
“RTM Trojan has always been linked to RTM group,” Sergey Golovanov, principal security researcher with Kasperksy GReAT, told Threatpost. “It was created specifically for accounting software and has a whole array of functions including remote access and search functions optimized for scanning accounting software. It can search for all mentions about banking clients, many organizations that it looks for and targets. Back in the days there were many programs like this, this one is the last, at least in Russia.”
As in this attack, the malware is typically distributed via malicious emails (using messages disguised as accounting or finance correspondence) and once installed provides attackers with full control over the infected systems.
After initial infection, attackers used legitimate remote access programs, to avoid detection, for lateral movement within companies’ local networks. These programs include LiteManager, remote control and administration software for Windows, Linux and MacOS.
Once downloaded, the RTM trojan typically substitutes account details, while a victim attempts to make a payment or transfer funds. According to Kaspersky, the RTM trojan can also be used by attackers to manually transfer money from victim’s accounts using remote access tools.
Should the banking trojan’s methods fail, researchers found that attackers used their initial foothold on systems in order to deploy a never-before-seen ransomware, which they called Ransom.Win32.Quoter.
“Quoter is very small, very fast and compiled on GCC,” Golovanov told Threatpost. “On average the attackers asked for 1 million USD as payment.”
The ransomware encrypted the contents of computers, using the AES-256 algorithm, and left a message demanding a ransom. The code of these encrypted file included several popular quotes. For instance, Golovanov said, one discovered quote referenced bible verse Ezekiel 25: “I will execute great vengeance upon them with furious rebukes. And they shall know that I am the Lord when I lay My vengeance upon them.”
Researchers said, “by this time, several months had passed since the RTM had been consolidated in the organization’s network.”
If victims failed to pay the ensuing ransom demand, attackers have yet another trick up their sleeves. Here, the RTM group relied on a ransomware tactic called double extortion. They hold compromised data for ransom and threaten to release or leak it if the victims don’t pay up.
“If the backup plan did not work for one reason or another, then after a couple of weeks the attackers switched to blackmail,” said researchers.
Victims receive a message that their data has been stolen a would cost a million dollars (in Bitcoin) to return – or the confidential data would be posted on the internet for free download.
Double extortion is an increasingly popular tactic amongst ransomware actors. The tactic, which first emerged in late 2019 by Maze operators, has been rapidly adopted over the past few months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.