Cybercrime group RTM is deploying complex malware written in Delphi to target Remote Banking Systems (RBS), a type of business software used to make bulk financial transfers.
The problem was severe enough that in late 2016 FinCERT, the Russian CERT responsible for fighting cybercrime against Russian financial institutions, issued an advisory about it.
RTM uses its malware to spy on victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system, according to security software firm ESET. The malware allows continuous monitoring of banking-related activity and can also upload files from the compromised system to its Command and Control (C&C) server.
“The malware actively searches for export files common to popular accounting software mainly used in Russia,” said Jean-Ian Boutin, a malware researcher at ESET.
The targeted files, associated with popular accounting software called “1C: Enterprise 8”, are likely to be of interest because they can contain details of bulk transfers, an intermediate step before the RBS executes payment orders. These text files can be tweaked by the criminals to change recipient account details, tricking victims into sending funds to an account controlled by (likely low-level) members of the gang.
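The tampering described above only works if nobody checks the export between the moment the accounting software writes it and the moment it is uploaded to the bank client. The following added example (not code from the article or from ESET) shows one defensive control: the accounting host records a keyed fingerprint of each payment order at export time, and the upload step refuses orders whose amount or recipient account no longer matches. The export format, field names, account numbers and key are all constructed for this example; the real 1C export layout is not reproduced here.

```python
import hashlib
import hmac

# Constructed sample: a simplified key=value payment-order export in the
# spirit of the text files the article describes. This is NOT the real
# 1C:Enterprise format; the field names are assumptions for this example.
ORIGINAL_EXPORT = """\
BEGIN_ORDER
OrderId=101
Amount=250000.00
RecipientName=Supplier LLC
RecipientAccount=40702810900000000101
END_ORDER
BEGIN_ORDER
OrderId=102
Amount=1200000.00
RecipientName=Logistics JSC
RecipientAccount=40702810900000000102
END_ORDER
"""

# The same export with order 102's recipient account swapped, i.e. the
# modification the article says the criminals make before the file reaches the bank.
TAMPERED_EXPORT = ORIGINAL_EXPORT.replace(
    "RecipientAccount=40702810900000000102",
    "RecipientAccount=40702810900000009999",
)

# Assumption: a secret known only to the accounting host (in practice kept in a
# vault or HSM, never on the workstation that later uploads the file).
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def parse_orders(text):
    """Parse BEGIN_ORDER/END_ORDER blocks into a list of field dicts."""
    orders = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == "BEGIN_ORDER":
            current = {}
        elif line == "END_ORDER":
            if current is not None:
                orders.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value
    return orders


def order_tag(order):
    """HMAC over exactly the fields an attacker must change to redirect funds."""
    msg = "|".join([order["OrderId"], order["Amount"], order["RecipientAccount"]]).encode()
    return hmac.new(MANIFEST_KEY, msg, hashlib.sha256).hexdigest()


def build_manifest(text):
    """Run at export time on the accounting host: maps OrderId -> tag."""
    return {o["OrderId"]: order_tag(o) for o in parse_orders(text)}


def verify_export(text, manifest):
    """Run just before upload to the bank client.

    Returns the ids of orders that were modified, added, or removed since the
    manifest was built; an empty list means the file is unchanged.
    """
    seen = set()
    suspicious = []
    for o in parse_orders(text):
        seen.add(o["OrderId"])
        expected = manifest.get(o["OrderId"])
        if expected is None or not hmac.compare_digest(expected, order_tag(o)):
            suspicious.append(o["OrderId"])
    # Orders silently dropped from the file are also worth a look.
    suspicious.extend(oid for oid in manifest if oid not in seen)
    return sorted(suspicious)


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_EXPORT)
    print("clean export:", verify_export(ORIGINAL_EXPORT, manifest))      # []
    print("tampered export:", verify_export(TAMPERED_EXPORT, manifest))   # ['102']
```

The check is only as strong as the separation between the host that builds the manifest and the host that uploads: if the malware sits on the same machine as the key, it can re-sign its own edits. The same fingerprint idea is more robust when the bank side confirms amount and recipient through a second channel before executing the order.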
RTM, which ESET reckons has been active since 2015, is not the first group to pursue this method of attack. Others like Buhtrap and Corkow have also targeted RBS users in the past, slowly building an understanding of the network and building custom tools to steal from corporate victims.
RTM is another manifestation of a trend in cybercrime in which specialised criminals mount targeted attacks against the clients of financial institutions. RTM’s victims are largely located in Russia and neighbouring countries, but other groups using similar tactics are active in Western Europe.
“The growth in capabilities and methodology of groups like these, which are primarily targeting Russia at the moment, suggests that businesses in other parts of the world, vulnerable to similar attacks, are likely to be their next targets,” Boutin warned.
Last summer, MELANI, a Swiss reporting and analysis centre for information assurance, issued a newsletter warning companies against hacker groups targeting offline payment software using the Dridex malware.