Kaspersky Lab researchers have detected a surge in activity by the RTM Banking Trojan, with the overall number of users attacked in 2018 exceeding 130,000 – an increase from as few as 2376 attacked users in 2017. The pace of attacks appears to be continuing into 2019, with more than 30,000 users attacked during the first month and a half of the year, making RTM one of the most active banking Trojans on the threat landscape.
Banking Trojans are among the most damaging cyberthreats as they are designed to gain access to the financial accounts and assets of their victims, primarily by stealing login credentials and hijacking online banking sessions. The RTM Trojan substitutes account details while an infected victim attempts to make a payment or transfer funds, or manually steals money using remote access tools.
The malware targets people responsible for financial accounting in small and medium-sized businesses, with a particular focus on the IT and legal sectors. This makes RTM attacks part of a general trend in which cybercriminals are losing interest in financial organizations and instead focusing on the private sector, where entities in general invest less in security solutions. So far, the Trojan has hit mostly companies based in Russia.
The RTM Trojan is being distributed through email phishing, using messages disguised as routine finance and accounting correspondence and containing a malicious link or attachment. Once the malware is installed on the victim’s computer, it provides the attackers with full control over the infected system.
Kaspersky Lab estimates that during the course of two years, the attackers may have conducted multiple illegal transactions, up to a million rubles (the equivalent of $15,104) each. “By now, we’ve seen cases where successful cyberthreats were first used in Russia and later went international. RTM banking Trojan can easily become yet another example of the same development cycle. That is why we urge organizations that can become potential targets of this malware to take preventative measures and make sure their security products detect and block this threat,” said Sergey Golovanov, security researcher at Kaspersky Lab.