A Guide to the RTM Banking Trojan
released on 2017-03-13 @ 12:41:48 PM
The group discussed in this white paper is part of this new trend. We call this new group RTM;
it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace
of this tool in our telemetry data dates back to late 2015. The group also makes use of several
different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighbouring countries.
In this paper, we cover the details of their tools and whom they target, and we offer a rare glimpse into
the type of operation they are carrying out.