RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

RTM Locker: A Rising Cybercriminal Threat Targeting Businesses with Ransomware

April 13, 2023

Recent insights from cybersecurity researchers have illuminated the operations of an emerging cybercrime group known as “Read The Manual” (RTM) Locker. This gang functions as a ransomware-as-a-service (RaaS) provider, engaging in opportunistic attacks aimed at businesses to generate illicit profits. According to a report from the cybersecurity firm Trellix, affiliates of RTM are mandated to adhere strictly to the group’s internal protocols, highlighting the organizational maturity reminiscent of other notorious ransomware groups like Conti.

RTM Locker, which was first identified by ESET in February 2017, originally emerged in 2015 as banking malware targeting Russian enterprises through methods such as drive-by downloads, phishing, and spam email campaigns. Since its inception, the group has refined its attack strategies to incorporate ransomware distribution, intensifying the threat landscape for businesses worldwide.

Trellix’s report sheds light on the structured framework within which RTM operates. Affiliates are expected to remain engaged in ongoing operations or formally communicate their departure to the group. This level of organization suggests a significant evolution compared to earlier iterations of cybercrime syndicates, indicating a shift toward a more business-like model of operation.

The group’s tactics present substantial risks to organizations, particularly in terms of data confidentiality and operational integrity. Businesses are particularly vulnerable to attacks involving initial access tactics, where adversaries exploit vulnerabilities to infiltrate networks. Such initial penetration could be achieved through spear phishing campaigns or the exploitation of software vulnerabilities, both of which have been documented as methods employed by RTM.

Once access has been secured, RTM may utilize persistence techniques to ensure continued presence within the victim’s environment, potentially complicating remediation efforts. The ability to escalate privileges within compromised systems allows them further control, enabling broader access across networks and sensitive data repositories.

Given the evolving sophistication of RTM Locker, businesses must remain vigilant. Employing proactive cybersecurity measures—including intrusion detection systems, regular software updates, and comprehensive employee training—can help mitigate the risks posed by such organizations. Continuous awareness of emerging threats facilitated by reliable cybersecurity news sources and intelligence reports will be critical for business owners.

As the threat posed by RTM and similar groups continues to grow, understanding and preparing against potential tactics outlined in the MITRE ATT&CK framework will be essential in fortifying defenses against ransomware attacks. The urgency for businesses to prioritize cybersecurity cannot be overstated, as the stakes rise with each passing day in the landscape of cybercrime.

Source link

Related Posts

Lazarus Hacker Group Adapts Tactics, Tools, and Targets in DeathNote Campaign

The North Korean cyber threat group known as Lazarus has been observed changing its strategies and rapidly enhancing its tools within its ongoing DeathNote campaign. While historically focused on the cryptocurrency sector, recent attacks have also expanded to include the automotive, academic, and defense sectors in Eastern Europe and beyond. This shift is seen as a major change in approach. Kaspersky researcher Seongsu Park noted that the group has switched its decoy documents to job descriptions for defense contractors and diplomatic services, marking a strategic pivot that began in April 2020. This campaign is also identified by other names such as Operation Dream Job or NukeSped, with Google-owned Mandiant linking certain activities to this evolving threat.

Critical Vulnerabilities in Android and Novi Survey Under Ongoing Exploitation

April 14, 2023
Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence. The vulnerabilities include:

  • CVE-2023-20963 (CVSS score: 7.8) – Android Framework Privilege Escalation Vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey Insecure Deserialization Vulnerability

CISA’s advisory for CVE-2023-20963 notes that the Android Framework contains an unspecified vulnerability that enables privilege escalation when an app is updated to a higher Target SDK without requiring additional execution privileges. Google acknowledged in its March 2023 Android Security Bulletin that there are signs of limited, targeted exploitation of CVE-2023-20963. This revelation follows a report from Ars Technica that Android apps digitally signed by a Chinese e-commerce entity may be affected.

Google Reports APT41’s Exploitation of Open Source GC2 Tool to Target Media and Job Websites

April 17, 2023
Cyber Threat / Cloud Security

A Chinese nation-state group has reportedly targeted an unnamed Taiwanese media outlet using an open-source red teaming tool called Google Command and Control (GC2). This activity is part of a larger trend of utilizing Google’s infrastructure for malicious purposes. Google’s Threat Analysis Group (TAG) attributes the operation to a threat actor known as HOODOO, also identified as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email that includes links to a password-protected file on Google Drive. This file contains the Go-based GC2 tool, which retrieves commands from Google Sheets and exfiltrates data via the cloud storage service. “Once installed on the victim’s machine, the malware queries Google Sheets for attacker commands,” stated Google’s cloud division in its latest Threat Horizons Report.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.