Skip to content

G0048 RTM

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). 1

Item Value
ID G0048
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 12 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.12
enterprise T1189 Drive-by Compromise RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network Yandex.Direct.13
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking RTM has used search order hijacking to force TeamViewer to load a malicious DLL.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment RTM has used spearphishing attachments to distribute its malware.2
enterprise T1219 Remote Access Software RTM has used a modified version of TeamViewer and Remote Utilities for remote access.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.2
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.1

Software

ID Name References Techniques
S0148 RTM - Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Automated Collection Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Dynamic Resolution Symmetric Cryptography:Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal on Host Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Dynamic Data Exchange:Inter-Process Communication Masquerade Task or Service:Masquerading Masquerading Modify Registry Native API Non-Standard Port Obfuscated Files or Information Peripheral Device Discovery Spearphishing Attachment:Phishing Process Discovery Remote Access Software Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Software Discovery Code Signing:Subvert Trust Controls Install Root Certificate:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery System Time Discovery Malicious File:User Execution Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service

References

Back to top