Cyber group RTM specializes in stealing funds from Russian companies

Several cyber groups are known to specialize in stealing funds from Russian companies. We have observed attacks that use security loopholes to gain access to the target's network. Once inside, the attackers study the structure of the organization's network and deploy their own tools to steal funds. Classic examples of this trend are the Buhtrap, Cobalt and Corkow groups.


The RTM group, the subject of this report, is part of this trend. It uses purpose-built malware written in Delphi, which we cover in more detail in the following sections. The first traces of these tools in ESET telemetry date to the end of 2015. As needed, the group downloads new modules into infected systems. The attacks target users of remote banking (RBS) systems in Russia and some neighboring countries.

1. Objectives

The RTM campaign is aimed at corporate users, as is evident from the processes the malware looks for on a compromised system. The focus is on accounting software that works with remote banking systems.

The list of processes of interest to RTM resembles the corresponding list of the Buhtrap group, but the two groups use different infection vectors. While Buhtrap more often relied on fake pages, RTM used drive-by download attacks (attacks on the browser or its components) and e-mail spam. According to telemetry, the threat targets Russia and several nearby countries (Ukraine, Kazakhstan, the Czech Republic, Germany). However, because mass distribution mechanisms are used, detections of the malware outside the targeted regions are not surprising.

The overall number of malware detections is relatively low. On the other hand, the RTM campaign uses complex programs, which indicates that the attacks are highly targeted.

We found several decoy documents used by RTM, including non-existent contracts, invoices and tax records. The nature of the decoys, combined with the type of software targeted by the attack, indicates that the attackers "enter" the networks of Russian companies through their accounting departments. The Buhtrap group followed the same pattern in 2014-2015.


During the research, we were able to interact with several C&C servers. We give the complete list of commands in later sections; for now, note that the client sends keylogger data directly to the attackers' server, from which it then receives further commands.

However, the days when you could simply connect to a command and control server and collect all the data you were interested in are over. We crafted realistic-looking bot logs in order to receive a few relevant commands from the server.

The first of these is a request for the bot to upload the file 1c_to_kl.txt, the export file of 1C:Enterprise 8, whose appearance RTM actively monitors. 1C exchanges data with remote banking systems by exporting outgoing payment data to this text file; the file is then imported into the RBS software, which processes and executes the payment orders.

The file contains payment details. If the attackers alter the outgoing payment data, the transfer goes to attacker-controlled accounts under false details.


About a month after requesting these files via the command and control server, we observed a new plugin, 1c_2_kl.dll, being loaded onto the compromised system. The module (a DLL) is designed to parse the export file automatically by injecting into the accounting software's processes. We describe it in detail in the following sections.

Interestingly, at the end of 2016 FinCERT of the Bank of Russia issued a bulletin warning about cybercriminals abusing 1c_to_kl.txt export files. 1C's developers are also aware of the scheme; they have issued an official statement listing precautions.

Other modules were also loaded from the command server, in particular a VNC module (in 32- and 64-bit versions). It resembles the VNC module previously used in Dridex Trojan attacks. This module is presumably used to connect remotely to an infected computer and study the system in detail. The attackers then move laterally through the network, extract user passwords, collect information and establish persistence for the malware.

2. Infection vectors

The following figure shows the infection vectors found during the study period of the campaign. The group uses a wide range of vectors, but mainly drive-by download attacks and spam. Both are convenient for targeted attacks: in the first case the attackers can choose the sites visited by potential victims, and in the second they can send e-mails with attachments directly to the right company employees.


The malware is distributed through multiple channels, including the RIG and Sundown exploit kits and spam, indicating links between the group and other criminals offering these services.

2.1. How are RTM and Buhtrap related?

The RTM campaign is very similar to Buhtrap's. The natural question is: how are they related to each other?

In September 2016, we observed the distribution of an RTM sample using the Buhtrap downloader. In addition, we found two digital certificates used by both Buhtrap and RTM.

The first, allegedly issued to DNISTER-M, was used to digitally sign the second Delphi form (SHA-1: 025C718BA31E43DB1B87DC13F94A61A9338C11CE) and the Buhtrap DLL (SHA-1: 1E2642B454A2C889B6D41116CCDBA83F6F2D4890).


The second, issued to Bit-Tredj, was used to sign the Buhtrap loaders (SHA-1: 7C1B6B1713BD923FC243DFEC80002FE9B93EB292 and B74F71560E48488D2153AE2FB51207A0AC206E2B), which download and install RTM components.


RTM operators use certificates that are common to other malware families, but they also have a unique certificate. According to ESET telemetry, it was issued to Kit-SD and was only used to sign some RTM malware (SHA-1: 42A4B04446A20993DDAE98B2BE6D5A797376D4B6).

RTM uses the same loader as Buhtrap, and RTM components are loaded from Buhtrap infrastructure, so the two groups share similar network indicators. Nevertheless, in our assessment RTM and Buhtrap are different groups, if only because RTM is distributed in other ways as well (not only through a "foreign" downloader).

Despite this, the two groups operate in similar ways. Both target businesses using accounting software, gather system information in the same manner, look for smart card readers, and deploy an array of malicious tools to spy on victims.

3. Evolution

In this section, we'll take a look at the different versions of malware found during the investigation.

3.1. Versioning

RTM stores configuration data in a registry key, the most interesting part being botnet-prefix. A list of all the values that we saw in the studied samples is presented in the table below.


It is possible that these values record malware versions. However, we did not notice much difference between versions such as bit2 and bit3, or 0.1.6.4 and 0.1.6.6. Moreover, one of the prefixes has existed since the beginning and has evolved from a typical C&C domain to a .bit domain, as shown next.

3.2. Graph

Using telemetry data, we plotted the timeline of sample appearances.


4. Technical analysis

In this section, we describe the main functions of the RTM banking Trojan, including its persistence mechanisms, its own version of the RC4 algorithm, the network protocol, the spying functionality, and some other features. In particular, we focus on the samples with SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B.

4.1. Installation and persistence

4.1.1. Deployment

The RTM core is a DLL, dropped onto disk by an .EXE. The executable is usually packed and contains the DLL code. Once run, it extracts the DLL and launches it with the following command:

rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host

4.1.2. DLL

The main DLL is always written to disk as winlogon.lnk in the %PROGRAMDATA%\Winlogon folder. This file extension is usually associated with a shortcut, but the file is actually a Delphi DLL, named core.dll by the developer, as shown in the figure below.


Example of the DLL name, sample F4C746696B0F5BB565D445EC49DD912993DE6361

Once launched, the Trojan activates its persistence mechanism. This is done in one of two ways, depending on the victim's privileges on the system. With administrator rights, the Trojan adds a Windows Update value to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. The command stored in the Windows Update value runs at the start of each user session.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update [REG_SZ] = rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host

The Trojan also tries to add a task to the Windows Task Scheduler. The task launches the winlogon.lnk DLL with the same parameters as above. With standard user rights, the Trojan instead adds a Windows Update value with the same data to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key:

rundll32.exe "%PROGRAMDATA%\winlogon.lnk",DllGetClassObject host
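As an added defender's example (not part of the original report), the following Python triage routine flags Run-key entries that match the persistence pattern just described: a value named Windows Update that launches rundll32 on a .lnk file under %PROGRAMDATA% with the DllGetClassObject export. The sample entries are constructed for illustration; on a live system they would come from a registry export or an autoruns listing.

```python
import re

# Run-key entries as (key, value_name, value_data). Constructed sample data for
# this example: the first entry mirrors the RTM persistence value described in
# the text; the other two are benign stand-ins.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     r'rundll32.exe "%PROGRAMDATA%\Winlogon\winlogon.lnk",DllGetClassObject host'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]

# rundll32 [path],[export] [args]; the DLL path may be quoted.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\w+)', re.IGNORECASE)


def assess_run_entry(key, name, data):
    """Return the reasons an autorun entry matches the RTM persistence pattern
    (an empty list when nothing matches)."""
    reasons = []
    if name.strip().lower() == "windows update":
        reasons.append('value named "Windows Update" in a Run key')
    m = RUNDLL32_RE.search(data)
    if m:
        path, export = m.group(1), m.group(2)
        if path.lower().endswith(".lnk"):
            reasons.append("rundll32 loads a .lnk file as a DLL")
        if "%programdata%" in path.lower() or "\\programdata\\" in path.lower():
            reasons.append("DLL path under ProgramData")
        if export.lower() == "dllgetclassobject":
            reasons.append("DllGetClassObject export invoked through rundll32")
    return reasons


def find_rtm_persistence(entries):
    """Triage a list of Run-key entries; return (key, name, reasons) for hits."""
    hits = []
    for key, name, data in entries:
        reasons = assess_run_entry(key, name, data)
        if reasons:
            hits.append((key, name, reasons))
    return hits


if __name__ == "__main__":
    for key, name, reasons in find_rtm_persistence(SAMPLE_RUN_ENTRIES):
        print(f"{key}\\{name}")
        for reason in reasons:
            print("  -", reason)
```

A single weak reason (for example only the value name) is a lead to inspect, while a .lnk loaded via rundll32 with the DllGetClassObject export is the combination worth alerting on.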

4.2. Modified RC4 algorithm

Despite known shortcomings, the RC4 algorithm is regularly used by malware authors. However, the creators of RTM have slightly modified it, probably to make the task of virus analysts more difficult. A modified version of RC4 is widely used in malicious RTM tools to encrypt strings, network data, configuration, and modules.

4.2.1. Differences

The original RC4 algorithm has two stages: initialization of the s-box (the KSA, Key-Scheduling Algorithm) and generation of a pseudo-random keystream (the PRGA, Pseudo-Random Generation Algorithm). In the first stage the s-box is initialized from the key; in the second, the plaintext is encrypted with the keystream produced from the s-box.

The authors of RTM added an intermediate step between s-box initialization and encryption. This extra key is variable and is supplied together with the data to be encrypted or decrypted. The function that performs this extra step is shown in the figure below.


4.2.2. String Encryption

At first glance, only a few strings in the main DLL are readable. The rest are encrypted with the algorithm described above; their layout is shown in the following figure. We found over 25 different RC4 keys used for string encryption in the analyzed samples. The XOR key is different for each string. The numeric field separating strings is always 0xFFFFFFFF.

At the start of execution, RTM decrypts the strings into a global variable. When a string is needed, the Trojan dynamically calculates its address from the base address and an offset.

The strings contain interesting information about the functions of the malware. Some examples of strings are presented in Section 6.8.


4.3. Network

The way RTM contacts its command and control server varies from version to version. The early versions (October 2015 - April 2016) used traditional domain names to update the C&C list, along with an RSS feed on livejournal.com.

Since April 2016, we have seen telemetry shift to .bit domains. This is confirmed by the date of domain registration – the first RTM domain fde05d0573da.bit was registered on March 13, 2016.

All the URLs we saw while monitoring the campaign shared a common path: /r/z.php. This is rather unusual and helps identify RTM requests in network traffic.

4.3.1. Channel for commands and control

Older samples used this channel to update their C&C list. It is hosted on livejournal.com and, at the time of writing, was still available at hxxp://f72bba81c921(.)livejournal(.)com/data/rss.

LiveJournal is a Russian-American blogging platform. The RTM operators created a LiveJournal blog on which they post an article containing encoded commands (see the screenshot).


The command and control strings are encoded using a modified RC4 algorithm (Section 4.2). The current version (November 2016) of the channel contains the following command and control server addresses:

  • hxxp://cainmoon(.)net/r/z.php
  • hxxp://rtm(.)dev/0-3/z.php
  • hxxp://vpntap(.)top/r/z.php

4.3.2. .bit domains

In the most recent RTM samples, the authors connect to C&C domains using the .bit TLD. It is not on the ICANN (Internet Corporation for Assigned Names and Numbers) list of top-level domains; instead, it is served by the Namecoin system, which is built on Bitcoin technology. Malware authors rarely use the .bit TLD for their domains, although a prior example of such use was seen in a version of the Necurs botnet.

Unlike Bitcoin, the Namecoin distributed database lets users store data in it. The main application of this feature is the .bit top-level domain: domains can be registered and stored in the distributed database, and the corresponding entries contain the IP addresses the domain resolves to. This TLD is "censorship resistant" because only the registrant can change the resolution of a .bit domain, which makes taking down a malicious domain in this TLD much harder.

The RTM Trojan does not embed the software needed to read the distributed Namecoin database. Instead, it uses central DNS servers such as dns.dot-bit.org or OpenNIC servers to resolve .bit domains, so its resilience is only that of those DNS servers. We have observed that some C&C domains could no longer be resolved after being mentioned in a blog post.

Another benefit of the .bit TLD for the attackers is cost. Registering a domain costs the operators only 0.01 NK, which corresponded to $0.00185 as of December 5, 2016. By comparison, a .com domain costs at least $10.

4.3.3. Protocol

To communicate with the C&C server, RTM uses HTTP POST requests whose body is formatted with a custom protocol. The path is always /r/z.php and the User-Agent is Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0). In requests to the server, the data is laid out as follows, with offsets expressed in bytes:


Bytes 0 to 6 are not encoded; bytes from offset 6 onwards are encoded with the modified RC4 algorithm. The structure of the C&C response packet is simpler: bytes from offset 4 to the end of the packet are encoded.


The list of possible action byte values is shown in the table below:


The malware always computes the CRC32 of the decrypted data and compares it with the value carried in the packet; if they differ, the Trojan drops the packet.
The additional data may carry various objects, including a PE file, a file to be searched for on the file system, or new command URLs.
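The network indicators from this section (the fixed /r/z.php path, the hard-coded User-Agent, .bit C&C domains and the LiveJournal RSS channel) can be turned into a simple proxy-log check. The following Python is an added example written for this report, not ESET's code; the tab-separated log layout and the log lines themselves are constructed, with the hosts taken from the indicators quoted above.

```python
from dataclasses import dataclass

RTM_PATH = "/r/z.php"
RTM_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/54.0"

# Constructed proxy log, tab-separated:
# time, client_ip, method, host, path, status, user_agent
SAMPLE_PROXY_LOG = "\n".join([
    "2016-11-02T09:14:05Z\t10.0.3.21\tPOST\tfde05d0573da.bit\t/r/z.php\t200\t" + RTM_USER_AGENT,
    "2016-11-02T09:14:07Z\t10.0.3.21\tGET\twww.example.com\t/index.html\t200\t" + FIREFOX_UA,
    "2016-11-02T09:15:11Z\t10.0.3.44\tPOST\tcainmoon.net\t/r/z.php\t200\t" + RTM_USER_AGENT,
    "2016-11-02T09:15:30Z\t10.0.3.50\tGET\tf72bba81c921.livejournal.com\t/data/rss\t200\t" + RTM_USER_AGENT,
    "2016-11-02T09:16:02Z\t10.0.3.60\tPOST\tshop.example.org\t/cart/checkout.php\t200\t" + CHROME_UA,
])


@dataclass
class Alert:
    time: str
    client: str
    host: str
    reasons: list


def inspect_proxy_line(line):
    """Return an Alert if the line shows RTM network behaviour, else None."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 7:
        return None            # malformed line: skip rather than guess
    time, client, method, host, path, _status, ua = fields
    host = host.lower()
    reasons = []
    if method == "POST" and path == RTM_PATH:
        reasons.append("POST to /r/z.php, the path shared by all observed RTM C&C URLs")
    if host.endswith(".bit"):
        reasons.append("request to a .bit (Namecoin) domain")
    if host.endswith(".livejournal.com") and path == "/data/rss" and ua == RTM_USER_AGENT:
        reasons.append("LiveJournal RSS feed fetched with the RTM user agent (C&C list channel)")
    # The user agent alone is a weak signal (it is a normal IE9 string), so it is
    # only recorded when another indicator already fired.
    if reasons and ua == RTM_USER_AGENT:
        reasons.append("hard-coded RTM user agent")
    return Alert(time, client, host, reasons) if reasons else None


def scan_proxy_log(text):
    """Run inspect_proxy_line over every line and collect the alerts."""
    return [a for a in (inspect_proxy_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert.time, alert.client, alert.host, "; ".join(alert.reasons))
```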

4.3.4. Panel

We have noticed that RTM is using the panel on C&C servers. Screenshot below:


4.4. System fingerprinting

RTM is a typical banking Trojan. Not surprisingly, operators need information about the victim's system. On the one hand, the bot collects general information about the OS. On the other hand, it finds out whether the compromised system contains attributes associated with Russian remote banking systems.

4.4.1. General information

When malware is installed or launched after a reboot, a report is sent to the C&C containing general information, including:

  • time zone;
  • default system language;
  • privileges of the logged-on user;
  • process integrity level;
  • user name;
  • computer name;
  • OS version;
  • additional installed modules;
  • installed anti-virus program;
  • list of smart card readers.

4.4.2 Remote banking system

A typical target of a Trojan is a remote banking system, and RTM is no exception. One of the program's modules is called TBdo, which performs various tasks, including scanning disks and browsing history.

By scanning the disk, the Trojan checks whether banking software is installed on the machine. The full list of targeted programs is in the table below. Having found a file of interest, the program sends the information to the C&C server. Subsequent steps depend on the logic of the C&C server.


RTM also looks for URL patterns in the browser history and open tabs. For the history, it enumerates the Internet Explorer URL cache with the FindFirstUrlCacheEntryA and FindNextUrlCacheEntryA functions and checks each entry against the following URL patterns:


Upon detecting open tabs, the Trojan contacts Internet Explorer or Firefox via Dynamic Data Exchange (DDE) to check if the tab matches the pattern.

Browsing history and open tabs are checked in a WHILE loop (a loop with a precondition) with a 1-second pause between iterations. Other data tracked in real time is discussed in section 4.5.

If a pattern is found, the program reports it to the C&C using a list of strings from the following table:


4.5 Monitoring

While the Trojan runs, information about the characteristic features of the infected system (including the presence of banking software) is sent to the C&C server. This fingerprinting happens on the first run of RTM, when monitoring is started immediately after the initial system scan.

4.5.1. Remote banking

The TBdo module is also responsible for monitoring banking-related processes. It uses Dynamic Data Exchange to check the tabs of Firefox and Internet Explorer at the time of the initial scan. Another module, TShell, monitors shell windows (Internet Explorer or File Explorer).

The module uses the IShellWindows, IWebBrowser, DWebBrowserEvents2 and IConnectionPointContainer COM interfaces to monitor windows. When the user navigates to a new web page, the malware notes it and compares the page URL against the patterns above. On a match, the Trojan takes six consecutive screenshots at 5-second intervals and sends them to the C&C server. The program also checks window titles associated with banking software; the full list is below:


4.5.2. Smart cards

RTM can monitor smart card readers connected to the infected computer. In some countries these devices are used to confirm payment orders, so their presence may indicate to the Trojan that the machine is used for banking transactions.

Unlike other banking Trojans, RTM cannot interact with such smart cards. Perhaps this functionality is included in an additional module that we have not yet seen.

4.5.3. Keyspy

An important part of monitoring an infected PC is keystroke interception. The developers of RTM apparently do not want to miss any information, since they track not only ordinary keystrokes but also the virtual keyboard and the clipboard.

For this, the SetWindowsHookExA function is used. The attackers log the keys pressed, or the keys of the virtual keyboard, together with the program name and the date. The buffer is then sent to the C&C server.

To intercept the clipboard, the SetClipboardViewer function is used. The clipboard contents are logged when the data is text; the program name and date are logged as well before the buffer is sent to the server.

4.5.4. Screenshots

Another RTM feature is screenshot capture, used when the window monitoring module detects a site of interest or banking software. Screenshots are taken with the graphics library and sent to the C&C server.

4.6. Uninstall

The C&C server can stop the malware and clean up the computer. The command removes files and registry entries created while RTM was running; the malware and the winlogon file are then removed using a DLL, after which the command shuts down the computer. As shown in the figure below, the developers call the DLL that performs the removal erase.dll.


The server can also send the Trojan a destructive uninstall-lock command. In this case, if it has administrator rights, RTM wipes the MBR boot sector of the hard drive. If that fails, the Trojan tries to move the MBR boot sector to a random sector, so that the computer cannot boot the OS once it is turned off. This may force a complete reinstallation of the OS, i.e. the destruction of evidence.

Without administrator privileges, the malware writes out an .EXE that is embedded (encoded) in the core RTM DLL. The executable contains the code needed to shut down the computer and registers itself in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, so the computer shuts down immediately every time a user starts a session.

4.7. Configuration file

By default, RTM has almost no configuration file, but the C&C can send configuration values to be stored in the registry and used by the program. The list of configuration keys is presented in the table below:


The configuration is stored in the Software\[pseudo-random string] registry key. Each value corresponds to one of the rows in the table above. Value names and data are encoded using RTM's RC4 algorithm.

The data has the same structure as network data or strings: a four-byte XOR key is prepended to the encoded data. For configuration values the XOR key is different and depends on the size of the value; it is calculated as follows:

xor_key = (len(config_value) << 24) | (len(config_value) << 16) | (len(config_value) << 8) | len(config_value)
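The following Python is an added example for sections 4.2.1, 4.3.3 and 4.7, written for this report rather than taken from ESET or from RTM. It implements standard RC4 as the two stages the text names (KSA, then PRGA), derives the configuration XOR key with the formula above, and validates a C&C response with the CRC32 check from section 4.3.3. The RTM-specific intermediate step is not reproduced (its details are only in the report's figure), and the assumed response layout, a little-endian CRC32 in bytes 0-3 followed by the RC4-encoded payload from offset 4, is an assumption consistent with the text, not a documented fact.

```python
import struct
import zlib


def rc4_ksa(key: bytes) -> list:
    """Key-Scheduling Algorithm: build the 256-entry s-box from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list, data: bytes) -> bytes:
    """Pseudo-Random Generation Algorithm: XOR the data with the keystream."""
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: KSA, then PRGA. RTM inserts an extra keyed step between the
    two stages; that step is not modelled here. Encryption and decryption are
    the same operation."""
    return rc4_prga(rc4_ksa(key), data)


def config_xor_key(value: bytes) -> int:
    """Four-byte XOR key for a configuration value, per the formula in 4.7:
    the value length replicated into all four bytes (masked to 32 bits)."""
    n = len(value)
    return ((n << 24) | (n << 16) | (n << 8) | n) & 0xFFFFFFFF


def build_response(key: bytes, payload: bytes) -> bytes:
    """Build a C&C response in the assumed layout (example only):
    CRC32(plaintext) little-endian in bytes 0-3, RC4(payload) from offset 4."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) + rc4(key, payload)


def parse_response(key: bytes, packet: bytes):
    """Decrypt bytes 4.. and return the plaintext only if its CRC32 matches the
    header; a mismatch (corruption or wrong key) is rejected, as RTM does."""
    if len(packet) < 4:
        return None
    expected = struct.unpack("<I", packet[:4])[0]
    plaintext = rc4(key, packet[4:])
    if zlib.crc32(plaintext) & 0xFFFFFFFF != expected:
        return None
    return plaintext


# Constructed sample values; neither is a real RTM key or command.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PAYLOAD = b"\x01hxxp://cainmoon(.)net/r/z.php"

if __name__ == "__main__":
    packet = build_response(SAMPLE_KEY, SAMPLE_PAYLOAD)
    print("config XOR key for 5-byte value:", hex(config_xor_key(b"abcde")))
    print("valid packet ->", parse_response(SAMPLE_KEY, packet))
    print("wrong key    ->", parse_response(b"wrong-key", packet))
```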

4.8. Other functions

Next, let's look at other features that RTM supports.

4.8.1. Additional modules

The Trojan includes additional modules in the form of DLL files. Modules sent from the C&C server can be executed as external programs, reflectively loaded into memory, or run in new threads. On disk, modules are stored as .dtt files encoded with the RC4 algorithm using the same key as for network communications.

So far we have observed the installation of the VNC module (8966319882494077C21F66A8354E2CBCA0370464), the browser data extraction module (03DE8622BE6B2F75A364A275995C3411626C4D9F) and the 1c_2_kl module (B1EE562E1F69EFC6FBA58 88753B7BE0D3B4EXNUMXCFAB).

To load the VNC module, the C&C server sends a command instructing the bot to connect to a VNC server at a specific IP address on port 44443. The browser data extraction plugin runs a TBrowserDataCollector that can read the IE browsing history; it then sends the complete list of visited URLs to the C&C server.

The last module found is called 1c_2_kl. It can interact with the 1C:Enterprise software package. The module has two parts: the main DLL and two agents (32-bit and 64-bit) that are injected into every process by installing a WH_CBT hook. Once inside the 1C process, the module hooks the CreateFile and WriteFile functions. Whenever the hooked CreateFile is called with the path of 1c_to_kl.txt, the module stores that path in memory. When the WriteFile call is intercepted, the hook calls the original WriteFile and then sends the 1c_to_kl.txt file path to the main DLL module via a WM_COPYDATA message.

The main DLL module opens and parses the file to determine payment orders. It recognizes the amount and number of transactions contained in the file. This information is sent to the command and control server. We believe this module is currently under development as it contains a debug message and cannot automatically modify 1c_to_kl.txt.

4.8.2. Privilege escalation

RTM may attempt to elevate privileges by displaying fake error messages. The malware imitates a registry check (see the figure below) or uses a genuine Registry Editor icon. Note the misspelling of wait as whait. After a few seconds of "scanning", the program displays a fake error message.


A fake message of this kind will easily deceive the average user despite its grammatical errors. If the user clicks one of the two links, RTM attempts to elevate its privileges on the system.

After the user chooses one of the two recovery options, the Trojan runs the DLL with administrator privileges via the ShellExecute function with the runas verb. The user sees a genuine Windows elevation prompt (see the figure below); if they grant permission, the Trojan runs with administrator privileges.


Depending on the default language set in the system, the Trojan displays error messages in Russian or English.

4.8.3. Certificate

RTM can add certificates to the Windows certificate store and confirm the addition by automatically clicking the "Yes" button in the csrss.exe dialog box. This behavior is not new; the Retefe banking Trojan, for example, also confirms the installation of a new certificate on its own.

4.8.4. Backconnect

The RTM authors also created a backconnect TCP tunnel. We have not yet seen this feature in use, but it is intended for remote control of infected PCs.

4.8.5. Hosts file management

The C&C server can send the Trojan a command to modify the Windows hosts file, which is used to define custom name resolutions.

4.8.6. Find and send a file

The server may request that a file be searched for on the infected system and sent back. For example, in the course of our research we received a request for the file 1c_to_kl.txt. As described earlier, this file is generated by the 1C:Enterprise 8 accounting system.

4.8.7. Update

Finally, the RTM authors can update the software by sending a new DLL to replace the current version.

5. Conclusion

RTM research shows that the Russian banking system is still attracting cyber attackers. Groups such as Buhtrap, Corkow and Carbanak successfully steal money from financial institutions and their clients in Russia. RTM is a new player in this industry.

According to ESET telemetry, malicious RTM tools have been in use since at least the end of 2015. The program has a full range of spying capabilities, including reading smart cards, intercepting keystrokes and monitoring banking transactions, as well as searching for 1C: Enterprise 8 transport files.

The use of the decentralized, censorship-resistant .bit top-level domain gives the group a highly resilient infrastructure.

Source: habr.com
