Cybercrime is focusing on accountants
Quote:

Our experts have found that cybercriminals are actively focusing on SMBs, and giving particular attention to accountants. Their choice is quite logical — they’re seeking direct access to finances. The most recent manifestation of this trend is a spike in Trojan activity: specifically, from Buhtrap and RTM. They have different functions and ways of spreading, but the same purpose — to steal money from the accounts of businesses.

Both threats are particularly relevant to companies that work in IT, legal services, and small-scale production. Perhaps this can be explained by such companies’ much smaller security budgets in comparison with companies working in the financial sector.

RTM

Usually, RTM infects victims by using phishing mail. The letters mimic common business correspondence (including phrases such as “return request,” “copies of last month’s documents,” or “request for payment”). Clicking a link or opening an attachment leads to immediate infection, giving operators full access to the infected system.

In 2017, our systems registered 2,376 users attacked by RTM. In 2018, we saw 130,000 targets. And with less than two months having elapsed so far in 2019, we’ve already seen more than 30,000 users who encountered this Trojan. If the trend continues, it will top last year’s record. For now, we can call RTM one of the most active financial Trojans.
The majority of RTM’s targets operate in Russia. However, our experts expect it to cross borders and eventually attack users in other countries.

Buhtrap

The first encounter with Buhtrap was registered back in 2014. At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit. After the source codes of their tools became public in 2016, the name Buhtrap was used for the financial Trojan.

Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign, where it served primarily as a means of malware delivery. In March of last year, it hit the news (literally), spreading through several compromised major news outlets in whose main pages malicious actors implanted scripts. These scripts executed an exploit for Internet Explorer in visitors’ browsers.