{
	"id": "b9d2580f-3c00-4246-b452-d06282e33772",
	"created_at": "2026-04-06T00:08:43.552902Z",
	"updated_at": "2026-04-10T03:25:28.216208Z",
	"deleted_at": null,
	"sha1_hash": "6bd9b03de1dda99f01d790f30a648babe92e16cd",
	"title": "Cybercrime is focusing on accountants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37762,
	"plain_text": "Cybercrime is focusing on accountants\r\nBy Pavel Shoshin\r\nPublished: 2019-02-20 · Archived: 2026-04-05 12:49:18 UTC\r\nOur experts have found that cybercriminals are actively focusing on SMBs, and giving particular attention to\r\naccountants. Their choice is quite logical — they’re seeking direct access to finances. The most recent\r\nmanifestation of this trend is a spike in Trojan activity: specifically, from Buhtrap and RTM. They have different\r\nfunctions and ways of spreading, but the same purpose — to steal money from the accounts of businesses.\r\nBoth threats are particularly relevant to companies that work in IT, legal services, and small-scale production.\r\nPerhaps this can be explained by such companies’ much smaller security budgets in comparison with companies\r\nworking in the financial sector.\r\nRTM\r\nUsually, RTM infects victims by using phishing mail. The letters mimic common business correspondence\r\n(including phrases such as “return request,” “copies of last month’s documents,” or “request for payment”).\r\nClicking a link or opening an attachment leads to immediate infection, giving operators full access to the infected\r\nsystem.\r\nIn 2017, our systems registered 2,376 users attacked by RTM. In 2018, we saw 130,000 targets. And with less than\r\ntwo months having elapsed so far in 2019, we’ve already seen more than 30,000 users who encountered this\r\nTrojan. If the trend continues, it will top last year’s record. For now, we can call RTM one of the most active\r\nfinancial Trojans.\r\nThe majority of RTM’s targets operate in Russia. However, our experts expect it to cross borders and eventually\r\nattack users in other countries.\r\nBuhtrap\r\nThe first encounter with Buhtrap was registered back in 2014. At that time it was the name of a cybercriminal\r\ngroup that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit.\r\nAfter the source code of their tools became public in 2016, the name Buhtrap was used for the financial Trojan.\r\nBuhtrap resurfaced in the beginning of 2017 in the TwoBee campaign, where it served primarily as a means of\r\nmalware delivery. In March of last year, it hit the news (literally), spreading through several compromised major\r\nnews outlets in whose main pages malicious actors implanted scripts. These scripts executed an exploit for Internet\r\nExplorer in visitors’ browsers.\r\nA couple of months later, in July, cybercriminals narrowed down their audience and concentrated on a particular\r\nuser group: accountants working at small and medium-size businesses. For that reason, they created websites with\r\ninformation particularly for accountants.\r\nhttps://www.kaspersky.com/blog/financial-trojans-2019/25690/\r\nPage 1 of 2\n\nWe recall this malware because of the new spike, which began in late 2018 and is continuing to this day. In total,\r\nour protection systems prevented more than 5,000 Buhtrap attack attempts, 250 of them since the beginning of\r\n2019.\r\nJust like last time, Buhtrap is spreading through exploits embedded in news outlets. As usual, Internet Explorer\r\nusers are in the group at risk. IE uses an encrypted protocol to download malware from infected sites, and that\r\ncomplicates analysis and allows the malware to avoid notice by some security solutions. And yes, it still uses a\r\nvulnerability that was disclosed back in 2018.\r\nAs a result of infection, both Buhtrap and RTM provide full access to compromised workstations. This allows\r\ncybercriminals to change the files used for data exchange between accounting and banking systems. Those files\r\nhave default names and no additional protective measures, so attackers can change them at will. Estimating the\r\ndamages is challenging, but as we learned, the criminals are siphoning off assets in transactions that do not exceed\r\n$15,000 each.\r\nWhat can be done?\r\nTo protect your business from such threats, we recommend paying exceptional attention to the protection of\r\ncomputers — such as those of accountants and management — that have access to financial systems. Of course,\r\nall other machines need protection as well. Here are some more practical tips:\r\nInstall security patches and updates for all software as soon as possible.\r\nForbid, to the extent possible, use of remote administration utilities on accountants’ computers.\r\nProhibit the installation of any unapproved programs.\r\nImprove the general security awareness of employees who work with finances, but also focus on\r\nantiphishing practices.\r\nInstall a protective solution with active behavioral analysis technologies such as Kaspersky Endpoint\r\nSecurity for Business.\r\nSource: https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/blog/financial-trojans-2019/25690/"
	],
	"report_names": [
		"25690"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791528,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bd9b03de1dda99f01d790f30a648babe92e16cd.pdf",
		"text": "https://archive.orkl.eu/6bd9b03de1dda99f01d790f30a648babe92e16cd.txt",
		"img": "https://archive.orkl.eu/6bd9b03de1dda99f01d790f30a648babe92e16cd.jpg"
	}
}