NCC Group has recently published the results of the research carried out by its group called ‘ Research and Intelligence Fusion Team ‘ (RIFT), in which he shares the results of RM3, an advanced variant of the family banking malware known as Gozi . Among other discoveries, they have verified that Oceania is the main target of hackers.
Gozi variants , which target financial institutions, are controlled by a multitude of cyberattack groups. They typically cause financial loss through fraudulent transactions, or by facilitating other types of malicious activity such as ransomware .
In 2017, the RM3 variant was spotted with a greater number of modifications than the previously known main variant: it includes a new RM, a unique PE file format design, a modular architecture, a new communication network, and new modules.
The Research and Intelligence team Fusion Team ‘ identified 136 financial institutions that had been targeted by RM3 attacks since 2017. About two-thirds of those financial institutions are located in Oceania, 21 percent in the UK, and 12.5 percent in Italy. Over 90% of financial institutions targeted by cyberattacks were banks, followed by encryption services (four percent), online stores (one percent), job search websites (one percent), and loan websites (one by the way).
The modus operandi changes according to the region
According to the investigation of the ‘ Research and Intelligence Fusion Team ‘, in the last 30 months the use of RM3 has been drastically different in Oceania and Europe.
In Oceania, cyberattack groups appear to be highly experienced and use traditional means to carry out fraud and theft. The research also indicates that the methods are more advanced than typical malware, suggesting that perpetrators are more sophisticated and experienced.
In Europe the behavior is different: hackers use a textbook fraud strategy. Christo Butcher , Leader of the Global Business Unit of the company NCC Group , comments on the following: “Over the years, we have seen the disruption that well-executed malware can cause, especially in industries such as the financial sector, who are usually in the spotlight. RM3 is a very sophisticated variant, in which cyberattackers target organizations around the world using individualized methods, so it is important that banks and other financial institutions have robust security measures in place.
You can read the full report at this link.
