At buguroo we have been detecting a massive fraud campaign targeting banks in Latin America and Europe since the end of last month, July 2019. Its objective is to steal money and credentials, and it is carried out with a RAT (Remote Access Trojan) type malware that we have baptized “Banker RTC Portal”.
Banker RTC Portal is a banking Trojan with multiple capabilities: keylogging, remote control of the device, monitoring of system processes, modification of the content displayed on the customer's device, and even detection and termination of local agent-based antifraud software.
How does it work?
According to buguroo’s analysis, the modus operandi of this Trojan is to infect the victim through spear phishing campaigns within the geographical regions mentioned (this is a buguroo assumption; at the time of writing it has not been confirmed).
The malware only infects devices with Windows operating systems.
Once a victim’s device has been infected, the malware remains in residence, waiting for the user to connect to their bank’s website.
The malware then goes into action: running as a desktop application, it displays a pop-up window with the look and feel of the bank that asks the user to enter their credentials.
In the background, invisible to the end customer, the attacker takes control of the customer’s device through remote desktop access, which lets them observe and record every action the victim carries out.
In this phase, the malware is able to list the operating system processes to detect if the customer has any kind of local agent-based antifraud protection program, in order to stop it automatically and thus evade it.
Once the customer has entered all their banking credentials and solved the bank’s login challenges, the attacker takes full control of the authenticated session and carries out the theft through a rapid money transfer, hiding their actions from the victim.
Once the fraud has been completed and all customer information and credentials have been sent to the Command and Control panel, the malware is able to eliminate itself from the system to avoid leaving a trace.
It is interesting to highlight the rotating and resilient infrastructure behind this malware. Google Sites pages are located using domain generation algorithms, and from those pages the malware obtains the IP addresses it uses to connect to the C&C, which makes the infrastructure quite difficult to block.
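Because the C&C address is fetched from a Google Sites page rather than resolved directly, blocking by domain is ineffective, but the two-step pattern itself is observable from the network: a host contacts sites.google.com and shortly afterwards opens a connection to a bare IP address. The following hunt over a constructed outbound-connection log is an added example, not buguroo's code or anything recovered from the malware; the log format (timestamp|host|destination|path), the five-minute window, the host names and the IPs are all assumptions chosen for illustration.

```python
"""Hunt for the "Google Sites lookup -> bare-IP connection" staging pattern.

Added example (not buguroo's code). Assumes a constructed, simplified
outbound-connection log with one record per line and '|'-separated fields:
ISO 8601 timestamp, source host, destination (hostname or IP), URL path.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumption: the malware connects to the C&C soon after reading the page.
WINDOW = timedelta(minutes=5)

# Constructed sample log (hosts, times and addresses are illustrative).
SAMPLE_LOG = """\
2019-08-05T10:00:01|WS-017|sites.google.com|/view/abcd1234xyz/home
2019-08-05T10:00:04|WS-017|203.0.113.45|/
2019-08-05T10:02:30|WS-017|203.0.113.45|/panel
2019-08-05T10:05:00|WS-022|www.example-bank.com|/login
2019-08-05T10:06:10|WS-022|sites.google.com|/view/team-docs/home
2019-08-05T10:40:00|WS-022|198.51.100.9|/
2019-08-05T11:00:00|WS-031|93.184.216.34|/
"""


def parse_line(line):
    """Split one log record into a dict with a parsed timestamp."""
    ts, host, dst, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "dst": dst, "path": path}


def is_bare_ip(dst):
    """True when the destination is a literal IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def is_google_sites(dst):
    return dst.lower() == "sites.google.com"


def find_staged_c2(log_text, window=WINDOW):
    """Return one alert per (host, IP) where a bare-IP connection follows a
    sites.google.com request from the same host within `window`."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Process each host's records in time order.
    records.sort(key=lambda r: (r["host"], r["ts"]))

    last_lookup = {}   # host -> most recent sites.google.com record
    reported = set()   # (host, ip) pairs already alerted on
    alerts = []
    for r in records:
        if is_google_sites(r["dst"]):
            last_lookup[r["host"]] = r
            continue
        if not is_bare_ip(r["dst"]):
            continue          # ordinary hostname traffic is not interesting here
        lookup = last_lookup.get(r["host"])
        if lookup is None or r["ts"] - lookup["ts"] > window:
            continue          # no recent Google Sites fetch on this host
        key = (r["host"], r["dst"])
        if key in reported:
            continue          # repeat beacons to the same IP: one alert is enough
        reported.add(key)
        alerts.append({
            "host": r["host"],
            "stage_url": "sites.google.com" + lookup["path"],
            "c2_ip": r["dst"],
            "delay_s": int((r["ts"] - lookup["ts"]).total_seconds()),
        })
    return alerts


if __name__ == "__main__":
    for a in find_staged_c2(SAMPLE_LOG):
        print(f"{a['host']}: {a['stage_url']} -> {a['c2_ip']} after {a['delay_s']}s")
```

On the sample log only WS-017 is reported: WS-022 reaches a bare IP 34 minutes after its Google Sites visit, outside the window, and WS-031 never touched Google Sites at all. In practice the window and the IP-literal check should be tuned against a baseline, since some legitimate software also connects to IP literals; the value of the heuristic is that it keys on the staging behaviour rather than on any particular domain or address, which is exactly what the rotating infrastructure is designed to defeat.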
According to buguroo analysts, throughout 2019 and 2020 this type of RAT malware will become increasingly professionalized, imitating legitimate user behaviour ever more closely in order to commit fraud without arousing suspicion.
Banker RTC Portal does not belong to any malware family we have seen recently, but its modus operandi is very similar to that of the Guildma banking Trojan, which showed significant activity this past May against the same regions, banks and languages. Since it cannot be assigned to a known family, at buguroo we have baptized it “Banker RTC Portal”, after the RealThinClient SDK used in its implementation.
Our bugFraud solution detects this type of dangerous RAT-based content-injection attack on banks, which requires victim interaction, and does so without a local software agent on the customer’s device (an agentless solution).