Preying on Russian businesses that rely on remote banking systems (RBS), the recently discovered cybercrime group RTM is using customized backdoor malware to first silently compromise systems, and then deploy modules that perform reconnaissance, swipe data and steal funds.
According to a new white paper and accompanying blog post from ESET, RTM malware scans drives and browsers specifically for signs of remote banking activity, including the presence of the accounting software "1C: Enterprise 8." The malware also looks for a particular export file produced by this software, 1c_to_kl.txt, which carries the bulk transfer details for RBS payment orders before they are uploaded to the bank. The attackers profit by altering the account details inside this file before it is sent, so that the payment orders the victim believes it is submitting carry different beneficiary details.
ESET noted that in late 2016, the Russian financial CERT organization FinCERT warned companies about criminals targeting these export files. A smaller number of businesses in Germany, Kazakhstan, Ukraine and the Czech Republic have also been attacked by the malware, whose existence ESET researchers have traced back to at least late 2015.
Essentially a DLL written in the Delphi programming language, RTM malware can also scan for and monitor smart card readers, which are used in certain countries to validate banking-related orders. Additionally, the malware exfiltrates data, captures keystrokes and screenshots, runs a virtual network computing (VNC) module, elevates its privileges through social engineering rather than through an exploit, and more.
“The total number of detections we have for this threat is low and the complexity of the malware is high, indicating that this group is targeting specific, high-value targets in the Russian region,” the ESET white paper reads. Moreover, the attackers have particularly focused their sights on businesses' accounting departments, sending them phishing emails that contain invoices, contracts and tax forms as decoy documents.
ESET noted that RTM's malware functionality and its propensity for targeting businesses' banking and accounting processes are reminiscent of Buhtrap, a cybercrime group that notably stole millions from Metallinvestbank, one of Russia's largest banks. However, ESET does not believe the two entities are related, noting that while Buhtrap is commonly distributed in spear phishing emails via a Buhtrap downloader, RTM is spread by "a large array of infection vectors, mostly revolving around drive-by downloads and spam."
“The fact that their malware is distributed through several different channels – such as the RIG and Sundown exploit kits or spam runs – also shows that this group has strong ties with criminals in the underground market who are selling these services," the blog post continues.
When the intended victim opens a malicious attachment or visits a compromised website, the primary RTM payload is dropped onto the machine's disk by a packed .EXE file. At this point, the malware immediately establishes persistence, and uses a modified RC4 algorithm to encrypt its strings, network data, configuration and various modules. It connects to a command-and-control server that typically uses a .bit domain; .bit names are resolved through the Namecoin blockchain rather than the regular DNS registry, so there is no registrar for authorities to compel and the domain is harder to take down. The malware also polls an RSS feed to continually update its list of available C&C servers.
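Two of the behaviours described above, resolution of .bit C&C names and a foreign process reading and rewriting the 1C export file 1c_to_kl.txt, are cheap to hunt for in ordinary telemetry. The Python below is an added example written for this article, not code from ESET or from the malware; the DNS and file-audit log lines are constructed for the example, their key=value layout is an assumption, and the 1C client binary names treated as legitimate writers of the export file (1cv8.exe, 1cv8c.exe) are likewise an assumption to adapt to your own environment.

```python
"""Hunting helpers for the RTM tradecraft described in the article.

Two signals a defender can look for:
  1. DNS resolution of .bit (Namecoin) domains, which RTM uses for C&C.
  2. A process other than the 1C client touching the 1C -> client-bank
     export file 1c_to_kl.txt, which RTM reads and rewrites.

The log formats below are constructed for this example; adapt the parser
to your own DNS and file-audit telemetry.
"""
import re

# --- constructed sample telemetry (not real data) ---------------------------
DNS_LOG = """\
2017-02-20T09:12:01Z host=acct-pc01 client=10.0.5.21 query=update.microsoft.com type=A
2017-02-20T09:12:07Z host=acct-pc01 client=10.0.5.21 query=fde8b2.bit type=A
2017-02-20T09:15:44Z host=acct-pc02 client=10.0.5.22 query=mail.example.ru type=MX
2017-02-20T09:16:03Z host=acct-pc01 client=10.0.5.21 query=feed.example-news.bit type=A
"""

FILE_AUDIT_LOG = """\
2017-02-20T09:20:11Z host=acct-pc01 pid=2210 image=C:\\Program Files\\1cv8\\bin\\1cv8.exe op=WRITE path=C:\\Users\\buh\\Documents\\1c_to_kl.txt
2017-02-20T09:20:12Z host=acct-pc01 pid=3344 image=C:\\Windows\\System32\\rundll32.exe op=READ path=C:\\Users\\buh\\Documents\\1c_to_kl.txt
2017-02-20T09:20:13Z host=acct-pc01 pid=3344 image=C:\\Windows\\System32\\rundll32.exe op=WRITE path=C:\\Users\\buh\\Documents\\1c_to_kl.txt
2017-02-20T09:21:00Z host=acct-pc02 pid=980 image=C:\\Program Files\\1cv8\\bin\\1cv8.exe op=WRITE path=C:\\Users\\ivan\\Documents\\1c_to_kl.txt
"""

# key=value pairs; a value runs until the next " key=" token so that paths
# containing spaces (C:\Program Files\...) survive intact.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

NAMECOIN_TLD = '.bit'
EXPORT_FILE = '1c_to_kl.txt'
# 1C:Enterprise 8 client binaries that legitimately write the export file
# (assumption for this example; adjust to the binaries deployed on your hosts).
ALLOWED_IMAGES = ('\\1cv8.exe', '\\1cv8c.exe')


def parse_line(line):
    """Split 'TIMESTAMP k1=v1 k2=v2 ...' into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(' ')
    fields = dict(FIELD_RE.findall(rest))
    fields['ts'] = ts
    return fields


def find_bit_lookups(dns_log):
    """Return (host, query) pairs for every attempt to resolve a .bit name.

    .bit is not delegated in the public DNS, so any such query from a
    workstation is worth a look on its own."""
    hits = []
    for line in dns_log.splitlines():
        f = parse_line(line)
        q = f.get('query', '').lower().rstrip('.')
        if q.endswith(NAMECOIN_TLD):
            hits.append((f['host'], q))
    return hits


def find_export_tampering(audit_log):
    """Flag any process other than the 1C client that touches 1c_to_kl.txt.

    A WRITE by a foreign process is the strongest signal: that is the moment
    at which beneficiary details in pending payment orders could be swapped."""
    findings = []
    for line in audit_log.splitlines():
        f = parse_line(line)
        if not f.get('path', '').lower().endswith(EXPORT_FILE):
            continue
        image = f.get('image', '').lower()
        if any(image.endswith(ok) for ok in ALLOWED_IMAGES):
            continue
        findings.append({
            'ts': f['ts'],
            'host': f['host'],
            'pid': int(f['pid']),
            'image': f['image'],
            'op': f['op'],
            'severity': 'high' if f['op'] == 'WRITE' else 'medium',
        })
    return findings


def correlate(dns_log, audit_log):
    """Hosts showing both signals; these warrant isolation and a freeze on
    outbound payments until the pending export file has been re-verified."""
    bit_hosts = {host for host, _ in find_bit_lookups(dns_log)}
    tamper_hosts = {x['host'] for x in find_export_tampering(audit_log)}
    return sorted(bit_hosts & tamper_hosts)


if __name__ == '__main__':
    for host, name in find_bit_lookups(DNS_LOG):
        print(f'.bit lookup   {host}: {name}')
    for x in find_export_tampering(FILE_AUDIT_LOG):
        print(f'export access {x["host"]} pid={x["pid"]} {x["op"]} by {x["image"]} [{x["severity"]}]')
    print('correlated hosts:', correlate(DNS_LOG, FILE_AUDIT_LOG))
```

On the constructed data the script reports two .bit lookups from acct-pc01, a READ followed by a WRITE of the export file by rundll32.exe on the same host, and acct-pc01 as the single correlated host. A blocked .bit lookup alone proves little about which process made it, which is why the file-audit signal matters: the malware has to rewrite the export file before the accountant uploads it, and that write is visible to any file-integrity or process-audit tooling watching the 1C export directory.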
In addition to scanning the machine for indicators of remote banking systems, the malware gathers "fingerprint information" on the infected host, including the privileges of the logged-in user, the OS version, process integrity levels, installed security software and modules, and other key data.
"In general, this cybercriminal group illustrates a growing trend where talented malware writers use custom malware and a lot of manual work to try to steal large sums from businesses," said Jean-Ian Boutin, ESET senior malware researcher, in an email interview with SC Media.