The RTM cybercriminal group has been stealing money from banking clients since 2015. Most of its victims are Russian companies. The malware the attackers use is also called RTM in the information security community.
Quite a few technical reports have been written about this program, describing in detail how the malware works in general. In this article, we focus on the methods RTM uses to obtain the addresses of its management (C&C) servers. In each iteration of the program, the attackers approach this task inventively: they spread the address through blogs, use an alternative DNS server system, and use the Tor network. The other day, we discovered that RTM began to hide the IP address in transactions on a bitcoin wallet.
At its core, RTM is a banking trojan. The main objective of the program is to allow attackers to manipulate the payment orders of the victim company in order to transfer its funds to cybercriminals' accounts without being noticed.
As a rule, RTM is delivered to the victim's computer via mailings, less often via hacked sites (for example, news media) or fake resources for accountants. The criminals attach a packed executable file to the emails. For packing, the attackers use both their own tools and self-extracting archives.
Examples of executable files with the .exe extension distributed by the RTM group
The example files in the figure are arranged in order of distribution. Most of the time, RTM executables were packed with a custom packer and disguised as a PDF document. At the beginning of 2019, the first samples appeared that were self-extracting RAR archives disguised as DOCX files. Currently RTM is distributed as a self-extracting CAB archive.
Binary representation of the file "Payment 11.06.exe"
Once launched, the executable file copies the packed DLL to the disk and runs it using the rundll32.exe utility. As a rule, the internal name of this library is core.dll. Its subsequent operation takes place in the address space of the rundll32.exe process.
It is core.dll that performs the primary interaction with the RTM management server, through which the program receives commands and additional modules from the attackers.
Modules are delivered in encrypted form and can be run in various ways. These components enable attackers to remotely control a compromised computer, replace payment documents in the 1C system, etc.
In the first versions of RTM, an RSS feed was used to update the addresses of the management servers. The attackers created a LiveJournal blog containing the C&C addresses in encrypted form. To receive new management server addresses, a request was sent to hxxps://.livejournal[.]com/data/rss/ and the response was processed in the following format (using https://f72bba81c921.livejournal.com/data/rss/ as an example):
RSS feed content. The description field contains the encrypted addresses of the management servers.
Decrypted strings with the original address of the management server and the address of the RSS feed
In March 2016, RTM began to use domains in the .bit zone as addresses of management servers. These domains are supported by an alternative DNS system based on Namecoin. The system is decentralized, so .bit domains are difficult to block.
RTM obtained the IP addresses of its .bit management servers in one of two ways: through the Namecoin block explorer API, or by resolving the domain name using special DNS servers.

The function of obtaining IP addresses of management servers
In the function that obtains the IP addresses of management servers via the Namecoin block explorer API, the content located at hxxps://namecoin.cyphrs[.]com/api/name_show/d/stat-counter-7 is processed (using stat-counter-7[.]bit as an example):
The function of obtaining IP addresses of management servers via the Namecoin block explorer API
The IP addresses of the management server are obtained from the response body. In addition to requests to hxxps://namecoin.cyphrs[.]com/api/name_show/d/, the attackers also used requests to hxxps://namecha[.]in/name/d/, processing the “Current value” field:
Web page content at hxxps://namecha[.]in/name/d/stat-counter-7
If it was not possible to obtain the IP address in this way, the attackers resolve the domain name of the management server with the DnsQuery_A function using special DNS servers (taken, for example, from here).
The use of the DnsQuery_A function in the core.dll code looks like this:
The function of obtaining IP addresses of management servers by resolving a domain name using special DNS servers
The DnsQuery_A function has the following prototype:
The prototype of the DnsQuery_A function declared in the WinDNS.h header file
The 4th argument to the DnsQuery_A function is the address of the _IP4_ARRAY structure on the stack. It contains an array of IP addresses of special DNS servers:
_IP4_ARRAY structure on stack
If the DnsQuery_A function executes successfully, the IP address of the management server can be obtained by reading the following value: pDnsRecord->Data.A.IpAddress.
From the decompiled code of one of the samples it can be seen that the special DNS server 188.165[.]200.156 is used to resolve the C&C domain name. In case of failure, a list of three DNS servers is used: 91.217[.]137.37, 188.165[.]200.156, 217.12[.]210.54.
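One way to hunt for the lookups described above in DNS query logs, as an added example that is not code from the article. The log format, APPROVED_RESOLVERS and the function names are assumptions; the three resolver addresses and the stat-counter-7.bit name are the ones given in the text.

```python
from ipaddress import ip_address

# Resolvers named in the article (written there in defanged form).
RTM_RESOLVERS = {"91.217.137.37", "188.165.200.156", "217.12.210.54"}
# Hypothetical: the only resolvers clients in this network should query.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed log lines: "<timestamp> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2019-06-10T09:14:02Z 10.0.4.17 10.0.0.53 A www.example.com
2019-06-10T09:14:05Z 10.0.4.23 188.165.200.156 A stat-counter-7.bit
2019-06-10T09:14:09Z 10.0.4.23 10.0.0.53 A stat-counter-7.bit.
2019-06-10T09:15:30Z 10.0.4.31 192.0.2.53 A intranet.example.org
malformed line
"""


def inspect_query(line):
    """Return (client, qname, reasons) for a suspicious query, else None."""
    fields = line.split()
    if len(fields) != 5:
        return None  # skip lines that do not match the assumed format
    _, client, resolver, _, qname = fields
    try:
        resolver = str(ip_address(resolver))
    except ValueError:
        return None
    reasons = []
    if resolver in RTM_RESOLVERS:
        reasons.append("resolver listed in the article")
    elif resolver not in APPROVED_RESOLVERS:
        reasons.append("resolver not approved")
    # Namecoin names end in .bit; tolerate a trailing root dot.
    if qname.lower().rstrip(".").endswith(".bit"):
        reasons.append(".bit name")
    return (client, qname, reasons) if reasons else None


def hunt(log_text):
    """Collect every suspicious query found in the log text."""
    hits = (inspect_query(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit]


if __name__ == "__main__":
    for client, qname, reasons in hunt(SAMPLE_LOG):
        print(client, qname, ", ".join(reasons))
```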
On February 15, 2019, we first discovered RTM samples whose management server is located on the Tor network (hxxp://[.]onion/index[.]php).
Address of the management server on the Tor network among the decrypted strings
Section of disassembled code that parses the URL of the management server
Such samples were distributed until April 9, 2019, after which RTM again switched to using the .bit domain zone.
On June 10, 2019, we discovered an RTM sample that retrieves the IP addresses of C&C servers from transactions on a specific crypto wallet. Each IP address is hidden in the number of bitcoins transferred in two transactions.
To obtain the IP addresses of the C&C servers, the malware makes a request to the address hxxps://chain[.]so/api/v2/get_tx_received/BTC/. The response contains a set of transactions on the crypto wallet's account. An example is shown in the screenshot:
Consider the section of code in which the IP addresses of the managing server are obtained:
The FindValue function searches for the fractional part of the transfer amount. The search is performed from the end of the buffer, and each time the function is called, the data is processed starting from the current index. That is, successive calls to the FindValue function return the values 8483, 40030, 14728, and so on. The program generates two IP addresses: each address is hidden in two consecutive transfers.
Disassembled code for obtaining an IP address from the amounts of transfers to crypto wallets
This code does the following:
    # value_0 and value_1 are the results of two successive FindValue calls
    ip_address = str(value_1 & 0xff) + "." + str(value_1 >> 0x8) + "." + str(value_0 & 0xff) + "." + str(value_0 >> 0x8)
That is, by transferring 0.00008483 BTC and then 0.00040030 BTC, the attackers hid the IP address 94.156[.]35.33 for their program. Similarly, RTM obtains the second IP address of the management server from the previous two transactions.
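The decoding described above, written out as an analyst-side decoder (an added example, not code from the article or from RTM). The response layout (data.txs[].value as a decimal BTC string), the function names and the first two sample amounts are assumptions; the last two amounts are the ones quoted above.

```python
import json
from decimal import Decimal
from ipaddress import IPv4Address

# Constructed sample shaped like a get_tx_received response (assumed layout:
# data.txs[].value holds the amount as a decimal BTC string). The last two
# amounts are the ones quoted in the article; the first two are made up.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {"txs": [
        {"value": "0.00000192"},
        {"value": "0.00002562"},
        {"value": "0.00040030"},
        {"value": "0.00008483"},
    ]},
})


def fractional_satoshi(amount: str) -> int:
    """Fractional part of a BTC amount as an integer number of satoshi."""
    return int((Decimal(amount) % 1) * 10**8)


def decode_pair(value_0: int, value_1: int):
    """Apply the article's formula; None if a value does not fit 16 bits."""
    if not (0 <= value_0 <= 0xFFFF and 0 <= value_1 <= 0xFFFF):
        return None
    octets = (value_1 & 0xFF, value_1 >> 8, value_0 & 0xFF, value_0 >> 8)
    return str(IPv4Address(bytes(octets)))


def extract_c2_addresses(response_text: str, count: int = 2):
    """Walk the transfers from the end, two per address, as FindValue does."""
    txs = json.loads(response_text)["data"]["txs"]
    values = [fractional_satoshi(tx["value"]) for tx in reversed(txs)]
    found = []
    for i in range(0, min(len(values) - 1, 2 * count), 2):
        ip = decode_pair(values[i], values[i + 1])
        if ip is not None:
            found.append(ip)
    return found


if __name__ == "__main__":
    print(extract_c2_addresses(SAMPLE_RESPONSE))
```

Amounts whose fractional part exceeds 65535 satoshi cannot hold two octets, so the decoder skips such pairs instead of emitting an invalid address.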
RTM is still distributed in this form today.
You may notice that, when organizing the delivery of the C&C server address, RTM favors approaches that allow the IP address to be changed dynamically without modifying the source code of the malware.
On the one hand, this makes life easier for the attackers and can confuse analysts. On the other hand, it allows specialists to predict the addresses of management servers before the malicious mailings are sent.
Source: https://habr.com/ru/post/456804/