Last week new ransomware variants came to light which grabbed more than a few headlines. First, we had Phobos, operated by the group behind the Dharma ransomware family, then hAnt, which targeted mining rigs. Towards the end of last week, it would seem that those using trojans in financially motivated cybercrime did not want to be forgotten. Two trojans were discovered by two separate security firms, both looking to steal victims' money, but in two different ways.
First discovered in 2015, the RTM Trojan, or Read-the-Manual, was used in campaigns predominantly targeting Russian speakers. In the new campaign, it is again Russian speakers who appear to be the main target. The latest campaign has been analyzed and tracked by Palo Alto Networks' Unit 42 security team and rests on convincing users to download and execute the RTM banking trojan, also sometimes called Redaman. This is done by using the threat of debt and missed payments to scare users into inadvertently downloading the malware.
The primary attack vector is incredibly broad and involves the mass distribution of spam and phishing emails rather than selective, targeted attacks. The emails sent, however, use a number of subject lines which could induce panic or fear in unsuspecting victims, in a textbook case of social engineering. Subject lines like "Debt due Wednesday," "Payment Verification," and "The package of documents for payment 1st October" are all designed to scare the recipient into downloading the malicious payload by playing on their fear of incurring unwanted debt. The subject lines changed numerous times over the four months that the campaign was tracked, but all share the same theme: they refer to a document or file for an alleged financial issue the recipient needs to resolve.
While the email is vague and contains few real financial details, its main objective is to get the recipient to click on the attachment, which will download the malicious payload. Upon execution, the executable containing the trojan first scans the host to ascertain whether it is running in a sandbox environment of the kind commonly used by security researchers to unpack and analyze malware samples. If the malware finds files or directories on the Windows machine which suggest virtualization or sandboxing, the executable exits. If these checks are passed, the executable drops a DLL file in the PC's temporary directory, creates a randomly named folder in the ProgramData directory, and moves the DLL into this folder, again using a random file name. To maintain persistence on the infected system, the RTM DLL creates a scheduled Windows task which triggers every time the user logs on to the machine.
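The persistence pattern described above (a logon-triggered scheduled task that runs a randomly named DLL from a randomly named folder under ProgramData) is something a defender can hunt for in exported Task Scheduler XML. The following is an added example, not code from the original article or from Unit 42; the task names, folder and DLL names are constructed, and the use of rundll32.exe as the task command is an assumption about how such a DLL would be launched.

```python
import re
import xml.etree.ElementTree as ET

# Windows Task Scheduler XML namespace (as produced by schtasks /query /xml)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed samples: one task shaped like the RTM persistence described in the
# article (assumed to launch the DLL via rundll32.exe) and one benign logon task.
SAMPLE_TASKS = {
    "Updater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\ProgramData\\k3j9x2q\\a8f1z.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>""",
    "OneDrive Sync": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe</Command>
    <Arguments>/background</Arguments>
  </Exec></Actions>
</Task>""",
}

# A .dll sitting one folder deep under <drive>:\ProgramData\
DLL_IN_PROGRAMDATA = re.compile(r"[a-z]:\\programdata\\[^\\]+\\[^\\]+\.dll", re.IGNORECASE)


def suspicious_logon_task(task_xml: str) -> bool:
    """True if the task fires at logon and its action references a DLL
    living in a folder directly under ProgramData."""
    root = ET.fromstring(task_xml)
    if root.find(".//t:LogonTrigger", NS) is None:
        return False
    for exec_node in root.findall(".//t:Exec", NS):
        command = exec_node.findtext("t:Command", "", NS) or ""
        args = exec_node.findtext("t:Arguments", "", NS) or ""
        if DLL_IN_PROGRAMDATA.search(command + " " + args):
            return True
    return False


def flag_tasks(tasks: dict) -> list:
    """Return the names of tasks matching the persistence pattern."""
    return [name for name, xml in tasks.items() if suspicious_logon_task(xml)]


if __name__ == "__main__":
    for name in flag_tasks(SAMPLE_TASKS):
        print(f"suspicious logon task: {name}")
```

On a live host the dictionary would be filled from the output of schtasks /query /xml for each task name; a hit is a lead for further triage, not proof of infection.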
Once this is done, the trojan can get down to the business it was designed for, namely stealing banking credentials by monitoring browser activity. Chrome, Firefox, and Internet Explorer are of particular interest to RTM, which will also search the local host for any information related to banking or finance. Any banking information that is stolen, namely login credentials, could potentially be used to steal funds or for identity theft. However, that is not all RTM is capable of: the trojan can also download additional files to an infected host, log keystrokes, capture screenshots, record video of a Windows desktop session, alter DNS configurations, steal clipboard data, terminate running processes, and add certificates to the Windows store.
Razy Targets Your Crypto
The second trojan actively seen in a campaign has been named Razy by security researchers at Kaspersky Lab. In summary, the trojan targets legitimate browser extensions and spoofs search results in a quest to raid cryptocurrency wallets and steal virtual coins from victims. According to the researchers, Razy is spread through malvertising on websites and is also packaged up and distributed on file hosting services masquerading as legitimate software.
Like RTM, it is used to support financially motivated crime. Where the two differ is that RTM looks to steal credentials while Razy looks to steal cryptocurrency. Razy does this by compromising browsers, including Google Chrome, Mozilla Firefox, and Yandex Browser, and it uses different attack vectors depending on which browser is discovered on the victim's computer. It is unusual in that it can not only install malicious browser extensions but, more importantly, infect already-installed, legitimate extensions by disabling extension integrity checks and automatic browser updates. With Chrome in particular, Razy edits the chrome.dll file to disable extension integrity checks and then renames this file to break the standard load path. Registry keys are then created to disable browser updates.
At the time Kaspersky published its findings, the wallets used by the attackers had accrued 0.14 BTC and 25 ETH stolen from unsuspecting victims. The above examples serve to show that using trojans for financial fraud is still a viable plan for quick profit, albeit an illegal one. Last year saw the massive rise of cryptojackers, malware designed to use the victim's CPU resources to mine cryptocurrency, and a complete change in tactics among ransomware families. While trends in cybersecurity come and go, it would seem that older and less fashionable uses of malware, banking trojans for example, are still incredibly effective at parting victims from their money.