
Trojans Looking to Steal Your Money

Last week new ransomware variants came to light which grabbed more than a few headlines. First, we had Phobos, operated by the group behind the Dharma ransomware family, then hAnt, which targeted mining rigs. Towards the end of last week, it would seem that those using trojans in financially motivated cybercrime did not want to be forgotten. Two trojans were discovered by two separate security firms, both looking to steal victims’ money but in two different ways.

First discovered in 2015, the RTM Trojan, or Read-the-Manual, was used in campaigns designed to target predominantly Russian speakers. In the new campaign, it is again Russian speakers who appear to be the main target. The latest campaign has been analyzed and tracked by Palo Alto Networks' Unit 42 security team and rests on convincing users to download and execute the RTM banking trojan, also sometimes called Redaman. This is done by using the threat of debt and missing payments to scare users into inadvertently running the malware.

The primary attack vector is incredibly broad and involves the mass distribution of spam and phishing emails rather than selected, targeted attacks. The emails sent, however, use a number of subject lines which could induce panic or fear in unsuspecting victims, in a textbook case of social engineering. Subject lines like “Debt due Wednesday,” “Payment Verification,” and “The package of documents for payment 1st October” are all designed to scare the recipient into opening the malicious payload by playing on their fear of incurring unwanted debt. The subject lines changed numerous times in the four months that the campaign was tracked, but all have the same theme: they refer to a document or file for an alleged financial issue the recipient needs to resolve.


While the email is vague and contains few real financial details, its main objective is to get the recipient to open the attachment, which delivers the malicious payload. Upon execution, the executable file containing the trojan first checks whether it is running in a sandbox environment, of the kind commonly used by security researchers to unpack malware samples. If the malware finds files or directories on the Windows machine which suggest virtualization or sandboxing, the executable exits. If these checks are passed, the executable drops a DLL file in the PC's temporary directory, creates a randomly-named folder in the ProgramData directory, and moves the DLL to this folder, again using a random file name. To maintain persistence on the infected system, the RTM DLL creates a scheduled Windows task which triggers every time the user logs on to the machine.

Once this is done, the trojan can get down to the business it was designed for, namely stealing banking credentials by monitoring browser activity. Chrome, Firefox, and Internet Explorer are of particular interest to RTM, which also searches the local host for any information related to banking or finance. Any banking information that is stolen, chiefly login credentials, could be used to steal funds or for identity theft. However, that is not all RTM is capable of: the trojan can also download additional files to an infected host, log keystrokes, capture screenshots, record video of a Windows desktop session, alter DNS configuration, steal clipboard data, terminate running processes, and add certificates to the Windows certificate store.
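The persistence pattern described above (a logon-triggered scheduled task pointing at a DLL in a randomly named ProgramData folder) is something a defender can hunt for in exported Task Scheduler XML. The following is an added example, not code from the article or from Unit 42; the two task definitions are constructed samples, and the use of rundll32 as the loader and the entropy threshold are assumptions of this example, not details from the report.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Task Scheduler XML namespace (as used by "schtasks /query /xml" and the Tasks folder)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# A DLL sitting in a direct child folder of ProgramData; the folder name is captured.
DLL_UNDER_PROGRAMDATA = re.compile(
    r"[a-z]:\\programdata\\([^\\\s\"]+)\\[^\\\s\"]+\.dll", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.0  # bits/char; assumed value, tune against your own baseline

def shannon_entropy(name: str) -> float:
    """Bits per character of a folder name; random names score higher than real words."""
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in Counter(name).values()) if n else 0.0

def assess_task(task_xml: str) -> dict:
    """Score one Task Scheduler definition for the RTM-style persistence pattern."""
    root = ET.fromstring(task_xml)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    folders = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmdline = " ".join(
            exe.findtext(tag, default="", namespaces=NS) for tag in ("t:Command", "t:Arguments"))
        m = DLL_UNDER_PROGRAMDATA.search(cmdline)
        if m:
            folders.append(m.group(1))
    entropy = max((shannon_entropy(f) for f in folders), default=0.0)
    return {
        "logon_trigger": logon,
        "programdata_dll_folders": folders,
        "folder_entropy": round(entropy, 2),
        "suspicious": logon and entropy >= ENTROPY_THRESHOLD,
    }

# Constructed sample definitions (not real captures); rundll32 as loader is an assumption.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\ProgramData\\Kx7q2mVp9aZr\\g3Hq8wLp.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml))
```

On a live host, feed the same function the XML files under C:\Windows\System32\Tasks to triage every logon-triggered task at once.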

Razy Targets Your Crypto

The second trojan actively seen in a campaign has been called Razy by security researchers at Kaspersky Labs. In summary, the trojan targets legitimate browser extensions and is spoofing search results in the quest to raid cryptocurrency wallets and steal virtual coins from victims. According to researchers Razy is spread through malvertising on websites and is also packaged up and distributed on file hosting services masquerading as legitimate software packages.

Like RTM, it is used to support financially motivated crime. Where the two differ is that RTM looks to steal credentials while Razy looks to steal cryptocurrency. Razy does this by compromising browsers, including Google Chrome, Mozilla Firefox, and Yandex Browser, and it uses a different attack vector depending on which browser is found on the victim’s computer. It is unique in the sense that it can install malicious browser extensions and, more importantly, the trojan is also able to infect already-installed, legitimate extensions by disabling integrity checks for extensions and automatic updates for browsers. With Chrome in particular, Razy edits the chrome.dll file to disable extension integrity checks and then renames this file to break the standard pathway. Registry keys are then created to disable browser updates.

The trojan is purely focused on stealing cryptocurrency, and it does this through a single JavaScript script which searches for cryptocurrency wallet addresses, replaces these addresses with others controlled by the threat actors, spoofs both images and QR codes which point to wallets, and modifies the web pages of cryptocurrency exchanges. The trojan also spoofs search results in order to trick victims into handing over login credentials. An example seen in the wild involved a fake bargain coin sale which required the user to log in if they wished to participate.

At the time Kaspersky published their findings, the wallets used by the attackers had accrued 0.14 BTC and 25 ETH stolen from unsuspecting victims. The above examples serve to prove that using trojans in financial fraud is still a viable plan for quick profit, albeit an illegal one. Last year saw the massive rise of cryptojackers, malware designed to use your CPU resources to mine cryptocurrency, and a complete change in tactics by ransomware families. While trends in cybersecurity come and go, it would still seem that older and less fashionable uses of malware, banking trojans for example, are still incredibly effective at parting victims from their money.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
