BANKER RTC PORTAL attacks Latin American and European banks

At buguroo we have been detecting a massive fraud campaign targeting banks in Latin America and Europe since the end of last month, July 2019. Its objective is to steal money and credentials, and it is being executed using a RAT (Remote Access Trojan) type malware that we have baptized “Banker RTC Portal”.  

Banker RTC Portal is a banking Trojan that has multiple functionalities, including keylogger, remote control, system process monitoring, content modification on the customer device and even detection and evasion of local antifraud software protection agents. 


How does it work?

According to buguroo’s analysis, the modus operandi of this Trojan is to infect the victim through Spear Phishing campaigns within the geographical regions mentioned (this is a buguroo assumption; for the moment, this information has not been proven).

The malware only infects devices with Windows operating systems.

Once a victim’s device has been infected, the malware remains in residence, waiting for the user to connect to their bank’s website.

Then the malware goes into action and begins its attack: through a desktop application, the malware shows a pop-up with the look & feel of the bank, asking the user to enter their credentials. 

In the background, invisible to the end customer, the attacker takes control of the customer’s device via remote desktop access, which allows them to observe and record every action the victim carries out.

In this phase, the malware is able to list the operating system processes to detect if the customer has any kind of local agent-based antifraud protection program, in order to stop it automatically and thus evade it.

Once the customer has entered all their banking credentials and passed the bank’s login challenges, the attacker takes full control of the session and carries out the theft through a rapid money transfer, hiding their actions from the victim.


Once the fraud has been completed and all customer information and credentials have been sent to the Command and Control panel, the malware is able to eliminate itself from the system to avoid leaving a trace.

The rotating, resilient infrastructure behind this malware is worth highlighting. A domain generation algorithm yields a changing set of Google Sites pages; from those pages the malware obtains the IP addresses of its C&C servers, which makes the infrastructure hard to block.
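As an added defender-side example (not code from buguroo’s report), the following Python heuristic correlates the two behaviours described above over constructed Sysmon-style events: a terminate-capable handle opened on a local antifraud agent process, and a Google Sites fetch followed by a direct-to-IP connection from the same process. The agent names, file paths and addresses are hypothetical.

```python
import ipaddress
from collections import defaultdict

PROCESS_TERMINATE = 0x0001  # access right needed to kill another process

# Hypothetical names of local antifraud/security agents the defender wants to guard.
AGENT_NAMES = {"antifraudagent.exe", "bankguard.exe"}

# Constructed Sysmon-style records (not from the page): id 10 = ProcessAccess, id 3 = NetworkConnect.
SAMPLE_EVENTS = [
    {"id": 3, "pid": 4321, "image": r"C:\Users\u\AppData\Local\Temp\rtcp.exe",
     "host": "sites.google.com", "dst": "198.51.100.10"},
    {"id": 3, "pid": 4321, "image": r"C:\Users\u\AppData\Local\Temp\rtcp.exe",
     "host": "", "dst": "203.0.113.77"},  # raw-IP C&C connection (constructed)
    {"id": 10, "pid": 4321, "image": r"C:\Users\u\AppData\Local\Temp\rtcp.exe",
     "target": r"C:\Program Files\Agent\antifraudagent.exe", "access": "0x1FFFFF"},
    {"id": 3, "pid": 800, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "host": "sites.google.com", "dst": "198.51.100.10"},  # benign browser fetch
]


def _is_ip_only(ev):
    """True when no hostname was resolved and the destination parses as a non-loopback IP."""
    if ev.get("host"):
        return False
    try:
        return not ipaddress.ip_address(ev["dst"]).is_loopback
    except ValueError:
        return False


def flag_suspects(events, agent_names=AGENT_NAMES):
    """Return {pid: [reasons]} for processes showing both halves of the described kill chain."""
    seen_sites = set()  # pids that already fetched a Google Sites page
    reasons = defaultdict(list)
    for ev in events:  # events are assumed to be in chronological order
        pid = ev["pid"]
        if ev["id"] == 10:
            target = ev["target"].rsplit("\\", 1)[-1].lower()
            if target in agent_names and int(ev["access"], 16) & PROCESS_TERMINATE:
                reasons[pid].append(f"terminate-capable handle to agent {target}")
        elif ev["id"] == 3:
            if ev.get("host", "").endswith("sites.google.com"):
                seen_sites.add(pid)
            elif pid in seen_sites and _is_ip_only(ev):
                reasons[pid].append(f"raw-IP connection to {ev['dst']} after Google Sites fetch")
    # Report only processes that exhibit both the agent-kill and the C&C lookup pattern.
    return {p: r for p, r in reasons.items() if len(r) >= 2}
```

A browser that merely visits Google Sites (pid 800 above) is not reported, because it never touches an agent process.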



According to buguroo analysts, 2019 and 2020 will see greater professionalization of these RAT-type malware families, which closely simulate user behavior in order to commit fraud without arousing suspicion.

Banker RTC Portal does not belong to any family we have seen recently, but its modus operandi closely resembles that of the Guildma banking Trojan, which had fairly significant activity this past May and focused on the same regions, banks and languages. Because it has no known family, at buguroo we have named it “Banker RTC Portal”, after the RealThinClient SDK it uses for its implementation.

Our bugFraud solution detects this type of dangerous RAT-based, content-injecting bank attack, which requires victim interaction, and does so without a local software agent on the customer’s device (an agentless solution).

Posted by David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.


