
G0048 RTM

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).[1]

ID: G0048
Associated Names: none listed
Version: 1.1
Created: 31 May 2017
Last Modified: 12 May 2020

Techniques Used

Domain: enterprise (all entries)

T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.[1][2]
T1189 Drive-by Compromise: RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as the online advertising network Yandex.Direct.[1][3]
T1574 Hijack Execution Flow
  T1574.001 DLL Search Order Hijacking: RTM has used search order hijacking to force TeamViewer to load a malicious DLL.[2]
T1566 Phishing
  T1566.001 Spearphishing Attachment: RTM has used spearphishing attachments to distribute its malware.[2]
T1219 Remote Access Software: RTM has used a modified version of TeamViewer and Remote Utilities for remote access.[2]
T1204 User Execution
  T1204.002 Malicious File: RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.[2]
T1102 Web Service
  T1102.001 Dead Drop Resolver: RTM has used an RSS feed on LiveJournal to update a list of encrypted C2 server names.[1]

Software

S0148 RTM [1]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Automated Collection; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Clipboard Data; Command and Scripting Interpreter: Windows Command Shell; Dynamic Resolution; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Indicator Removal: File Deletion; Indicator Removal: Clear Persistence; Ingress Tool Transfer; Input Capture: Keylogging; Inter-Process Communication: Dynamic Data Exchange; Masquerading: Masquerade Task or Service; Masquerading; Modify Registry; Native API; Non-Standard Port; Obfuscated Files or Information; Peripheral Device Discovery; Phishing: Spearphishing Attachment; Process Discovery; Remote Access Software; Scheduled Task/Job: Scheduled Task; Screen Capture; Software Discovery: Security Software Discovery; Software Discovery; Subvert Trust Controls: Install Root Certificate; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Information Discovery; System Owner/User Discovery; System Time Discovery; User Execution: Malicious File; Virtualization/Sandbox Evasion; Web Service: Dead Drop Resolver

References