Researchers at ESET are monitoring the activity of a cybercrime group tracked as RTM that focuses its criminal operations on Remote Banking Systems.
Experts at security firm ESET are monitoring the activity of a cybercrime group tracked as RTM that uses sophisticated malware, written in Delphi, to target Remote Banking Systems (RBS). Remote Banking Systems are business software used to make bulk financial transfers.
FinCERT, the Russian CERT involved in investigating cybercrime against Russian financial institutions, issued a security advisory on this activity in 2016.
According to ESET, the RTM gang has been active since 2015 and has used spyware to monitor the victims' machines.
“This group, active since at least 2015, is using malware, written in Delphi, to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system,” reads the blog post published by ESET.
The malware allows the RTM gang to monitor the victims' banking-related activity in real time and to exfiltrate data from their PCs.
The malicious code actively searches for export files produced by a widespread accounting software package called “1C: Enterprise 8”, which is used mostly in Russia.
These files contain the details of bulk transfers and are processed by RBS software to complete payment orders. An attacker who intercepts these files can modify them in order to hijack payments.
Researchers at ESET highlighted that the same attack technique was also used by other criminal organizations, such as Buhtrap and Corkow, which have targeted RBS users in the past. These groups slowly built an understanding of the victim's network and developed custom tools to steal from corporate victims.
Both groups used custom tools against RBS systems in the past, and the recent RTM operations confirm that criminal organizations have a growing interest in this specific kind of attack.
RTM has mainly targeted financial organizations in Russia and neighboring countries, but the experts warn that other groups using similar tactics are operating in Western Europe.
ESET has published a white paper detailing the activities of the RTM gang; enjoy it!
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".