RM3 – Curiosities of the wildest banking malware
ID: bb1af9f6-f5e5-5d4b-948f-bbbce283b669
STIX ID: report--bb1af9f6-f5e5-5d4b-948f-bbbce283b669
Feed Name: Fox-IT blog
This report analyzes the Gozi ISFB RM3 banking malware variant over ~30 months, detailing its PX file format, modular architecture (bl.dll, explorer.dll, rt.dll, netwrk.dll, browser hooks, keylog, VNC, socks, cmdshell), distribution channels (malspam, Spelevo), geographic targeting (primarily Australia/New Zealand, UK, Germany, Italy), and operational changes including AES migration and potential pivot toward ransomware-style lateral movement; it also provides IoCs (module hashes, campaign IDs), config samples, and TTPs for detection and tracking.
