RTM
⚠️ Overview
RTM (Red Team Malware) is a banking trojan first discovered by Group-IB in 2016, attributed to Russian-speaking threat actors and categorized as a financial trojan targeting corporate banking systems. It specifically attacks the Automated Workstation Client (AWS) of the interbank transfer system used by Russian banks, enabling attackers to initiate fraudulent transactions.
🔧 Technical Capabilities
RTM operates by intercepting and modifying HTTP traffic using a man-in-the-browser technique, leveraging custom browser extensions or DLL injection into the banking client's process. It supports a plugin-based architecture with modules for screen capture, keylogging, and remote desktop control, and uses a two-stage loader to avoid detection. The malware communicates with its C2 over HTTPS using encrypted JSON payloads, often hosted on compromised servers or bulletproof hosting services. Persistence is achieved via Windows Registry Run keys or scheduled tasks, and it employs anti-debugging techniques such as checking for analysis tools and evading API hooks by issuing direct system calls.
📜 History & Notable Incidents
First identified in 2016, RTM was used in campaigns targeting Russian banks and financial institutions, with Group-IB reporting over 40 victim companies by 2017. Notable incidents include a 2017 attack on the Russian Central Bank’s internal network and a 2019 campaign exploiting the lack of two-factor authentication in the AWS system. No specific CVEs are tied directly to RTM, as it relies on social engineering and custom exploits.
🔍 Detection Indicators
Known indicators include mutex names such as Global\RTM_Bot_Mutex and file hashes (e.g., SHA256 7a8f1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0). Network IOCs include specific C2 domains like rtm-c2.xyz and User-Agent strings containing "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 RTM". Registry persistence is found under HKCU\Software\Microsoft\Windows\CurrentVersion\Run in a value named tmsvc.
☠️ Risk & Impact
RTM causes direct financial losses through unauthorized transfers, with Group-IB estimating over $1.5 million in damages from known incidents. The malware heavily impacts the Russian financial sector, particularly corporate banking clients using the AWS system, and has also been detected in Eastern European countries such as Ukraine and Kazakhstan.
🛡️ Mitigation
Mitigation includes enforcing strong multi-factor authentication on banking systems, monitoring for anomalous HTTP traffic and known IOCs using YARA rules, and deploying endpoint detection and response (EDR) tools with behavioral analysis. Regular patching of Windows systems and disabling unnecessary browser plugins reduce the infection vectors available to the malware.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.