Stealthy Cybercrime Group Targets Russian Businesses

A cybercrime group called RTM has been discovered relentlessly targeting businesses in Russia and neighboring countries with small, targeted campaigns aimed at siphoning cash out of them.

This group, active since at least 2015, uses Delphi-written malware to spy on its victims in a variety of ways, such as logging keystrokes and monitoring smart cards inserted into the system. The malware can also upload files from the compromised system to its command and control (C&C) server.

The group also alters accounting software files that contain bulk transfer details in order to execute fraudulent payment orders.

The malware also has a fingerprinting module that identifies systems on which specialized accounting software is installed. In particular, it looks for signs of the popular accounting package 1C: Enterprise 8, which businesses use to make bulk transfers via remote banking systems (RBSes).

“While inspecting RTM bot’s network communications, we saw that they were requesting one specific file created by 1C: Enterprise 8,” explained ESET, in a white paper. “This file…contains bulk transfer details and is used as an intermediary step in RBSes to execute payment orders. By altering this text file, the criminals can make monetary gains off it by, for example, modifying the recipient account details.”

This problem was severe enough to warrant an advisory from FinCERT, the Russian CERT responsible for fighting cybercrime targeting Russian financial institutions. It warned potential victims in late 2016 that criminals were going after 1c_to_kl.txt export files.
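The control a practitioner would want against the tampering described above is an integrity check on the export file between the moment the accounting software writes it and the moment the RBS client reads it. The following is an added example, not code from ESET, FinCERT or 1C: it records one HMAC per payment order at export time and re-verifies the file just before upload, flagging orders whose fields changed, orders that appeared from nowhere, and orders that vanished. The file layout is a constructed, simplified stand-in for 1c_to_kl.txt (the real 1C client-bank exchange format has more fields and different key names), so the field names, the sample account numbers and the key handling are assumptions.

```python
"""
Tamper check for a bulk-transfer export file on its way from the accounting
system to a remote-banking client. Added example, not ESET's, FinCERT's or
1C's code. The key=value layout below is a simplified, constructed stand-in
for 1c_to_kl.txt; field names are assumptions, not the real 1C format.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Secret used by the export-side control. Constructed for the example; in
# practice it must live somewhere the accounting workstation cannot read it
# (an HSM or a separate verification host), since the malware described in
# the article can upload arbitrary files from the compromised machine.
MANIFEST_KEY = b"example-manifest-key-do-not-reuse"


@dataclass(frozen=True)
class PaymentOrder:
    number: str
    amount: str
    payer_account: str
    payee_account: str
    payee_name: str


def parse_orders(text: str) -> list[PaymentOrder]:
    """Parse key=value document sections delimited by SectionDocument/EndDocument."""
    orders: list[PaymentOrder] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SectionDocument="):
            current = {}
        elif line == "EndDocument":
            if current is None:
                raise ValueError("EndDocument without SectionDocument")
            orders.append(PaymentOrder(
                number=current["Number"],
                amount=current["Amount"],
                payer_account=current["PayerAccount"],
                payee_account=current["PayeeAccount"],
                payee_name=current["Payee"],
            ))
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value
    if current is not None:
        raise ValueError("unterminated document section")
    return orders


def order_digest(order: PaymentOrder) -> str:
    """Bind every field an attacker would want to edit into one MAC per order."""
    msg = "\x1f".join([order.number, order.amount, order.payer_account,
                       order.payee_account, order.payee_name]).encode("utf-8")
    return hmac.new(MANIFEST_KEY, msg, hashlib.sha256).hexdigest()


def build_manifest(text: str) -> dict[str, str]:
    """Run at export time: one MAC per order number, stored outside the file."""
    return {o.number: order_digest(o) for o in parse_orders(text)}


def verify_before_upload(text: str, manifest: dict[str, str]) -> list[str]:
    """Run just before the RBS client reads the file. Returns findings; empty means clean."""
    findings: list[str] = []
    seen: set[str] = set()
    for o in parse_orders(text):
        seen.add(o.number)
        expected = manifest.get(o.number)
        if expected is None:
            findings.append(f"order {o.number}: not in manifest (injected order?)")
        elif not hmac.compare_digest(expected, order_digest(o)):
            findings.append(f"order {o.number}: fields changed since export "
                            f"(payee account now {o.payee_account})")
    for missing in sorted(set(manifest) - seen):
        findings.append(f"order {missing}: missing from file (dropped order?)")
    return findings


# Constructed sample of what the accounting system exported ...
EXPORTED = """\
1CClientBankExchange
FormatVersion=1.02
SectionDocument=PaymentOrder
Number=17
Amount=250000.00
PayerAccount=40702810900000001234
PayeeAccount=40702810500000005678
Payee=OOO Supplier
EndDocument
EndFile
"""

# ... and the same file after the edit the article describes: only the
# recipient account has been swapped for one the criminals control.
TAMPERED = EXPORTED.replace("40702810500000005678", "40817810099990009999")

if __name__ == "__main__":
    manifest = build_manifest(EXPORTED)
    print("clean file:", verify_before_upload(EXPORTED, manifest) or "OK")
    print("tampered file:", verify_before_upload(TAMPERED, manifest))
```

The manifest has to be produced by something the user session cannot influence and kept off the workstation; a MAC key readable by the logged-in user is only as safe as the host, which in this scenario is already compromised. The check is therefore a detection control that should sit beside, not replace, out-of-band confirmation of payee changes at the bank.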

This specific attack vector was also used by at least one other group: Buhtrap.

“For a long time now, groups like Corkow and Buhtrap have been specifically targeting business RBS users,” ESET researchers noted. “These groups use complex backdoors and custom tools to steal from their corporate victims. RTM is another manifestation of this trend, where specialized criminals are mounting targeted attacks against financial institutions’ clients to maximize their financial gains.”

Lately, other groups have been using similar tactics against businesses in other parts of the world. In fact, last summer MELANI, the Swiss reporting and analysis center for information assurance, issued a newsletter warning companies about groups using the Dridex malware to target offline payment software.

“While we have not seen RTM activities outside of Russia and its neighbors, it would not come as a surprise to see them target other countries in the world,” the researchers noted.
