Experts at security firm ESET are monitoring the activity of a cybercrime group tracked as RTM, which uses sophisticated malware written in Delphi to target Remote Banking Systems (RBS). Remote Banking Systems are business software used to make bulk financial transfers.
FinCERT, the Russian CERT involved in investigating cybercrime against Russian financial institutions, issued a security advisory on the group in 2016.
According to ESET, the RTM gang has been active since 2015 and uses spyware to monitor the victims' machines.
“This group, active since at least 2015, is using malware, written in Delphi, to spy on its victims in a variety of ways, such as monitoring keystrokes and smart cards inserted into the system.” reads the blog post published by ESET.
The malware allows the RTM gang to monitor the victims' banking-related activity in real time and to exfiltrate data from their PCs.
The malicious code actively searches for export files produced by "1C: Enterprise 8", an accounting package that is widespread mostly in Russia.
These export files contain the details of bulk transfers and are consumed by RBS software to complete payment orders. By intercepting these files between the accounting software and the RBS client, the attackers can modify them, for example changing the payee, in order to hijack payments.
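The attack described above works because the RBS client trusts whatever export file it finds on disk. One defensive measure is to bind the file to a keyed integrity tag at the moment the accounting software writes it, and to re-check that tag before the RBS client reads it. The following is an added illustration of that check, not ESET's tooling and not the real 1C: Enterprise export format: the file layout (one payment order per line as order id, payee account, amount), the account numbers and the manifest key are all constructed placeholders.

```python
"""Keyed integrity check for bulk-transfer export files.

Added illustration (not ESET's code and not a real 1C: Enterprise layout):
the export step records an HMAC of each file it writes, and the upload step
verifies the HMAC before handing the file to the RBS client, so a payment
order edited in between is refused instead of being submitted.
"""
import hashlib
import hmac
import os
import tempfile

# Key shared only by the export and upload steps. Constructed placeholder;
# in practice it comes from a secrets store, never from the export directory.
MANIFEST_KEY = b"replace-with-a-key-from-a-secrets-store"

# Constructed sample export in a simplified, hypothetical layout:
# <order id>|<payee account>|<amount>, one payment order per line.
SAMPLE_EXPORT = (
    "1001|40702810900000000001|150000.00\n"
    "1002|40702810900000000002|98000.50\n"
)


def hmac_file(path, key):
    """HMAC-SHA256 over the raw file bytes. A keyed MAC rather than a plain
    hash, so malware that edits the file cannot simply recompute the tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(paths, key=MANIFEST_KEY):
    """Called by the export step right after the files are written."""
    return {path: hmac_file(path, key) for path in paths}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """Called by the upload step; returns 'ok', 'modified' or 'missing'
    per file. Only files reported 'ok' should reach the RBS client."""
    result = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif hmac.compare_digest(hmac_file(path, key), expected):
            result[path] = "ok"
        else:
            result[path] = "modified"
    return result


def simulate_tampering(path, old_account, new_account):
    """Test helper that edits the payee in place, standing in for the
    modification the article describes."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text.replace(old_account, new_account))


def demo():
    """Write the sample export, record its manifest, alter the file and
    return the verification status before and after the alteration."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payments.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_EXPORT)
        manifest = build_manifest([path])
        before = verify_manifest(manifest)[path]
        simulate_tampering(path, "40702810900000000002", "40702810900000000099")
        after = verify_manifest(manifest)[path]
    return before, after


if __name__ == "__main__":
    print(demo())  # ('ok', 'modified')
```

The check only helps if the key is not readable from the compromised workstation's export directory and the verification runs on the upload side, which is why the key is treated as a secret shared by the two steps rather than stored next to the files.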
Researchers at ESET highlighted that the same attack technique was also used by other criminal organizations, such as Buhtrap and Corkow, that have also targeted RBS users in the past, slowly building an understanding of the network and building custom tools to steal from corporate victims.
Both groups used custom tools to target RBS systems in the past, and the recent operations conducted by RTM confirm that criminal organizations continue to take a close interest in this kind of activity.
RTM has mainly targeted financial organizations in Russia and neighboring countries, but the experts warn that other groups using similar tactics are operating in Western Europe.
ESET published a white paper detailing the activities of the RTM gang, enjoy it!
(Security Affairs – RTM group, cybercrime)