S0148 RTM
RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.[2][1]
Item | Value |
---|---|
ID | S0148 |
Associated Names | Redaman |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 29 July 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Redaman | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC elevation prompt to the user in an attempt to socially engineer the user into escalating privileges.[2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | RTM has initiated connections to external domains using HTTPS.[1] |
enterprise | T1119 | Automated Collection | RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[2][1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | RTM tries to add a Registry Run key under the name “Windows Update” to establish persistence.[2] |
enterprise | T1115 | Clipboard Data | RTM collects data from the clipboard.[2][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | RTM uses the command line and rundll32.exe to execute.[2] |
enterprise | T1568 | Dynamic Resolution | RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.[3][1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | RTM encrypts C2 traffic with a custom RC4 variant.[2] |
enterprise | T1083 | File and Directory Discovery | RTM can check for specific files and directories associated with virtualization and malware analysis.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | RTM can delete all files created during its execution.[2][1] |
enterprise | T1070.009 | Clear Persistence | RTM has the ability to remove Registry entries that it created for persistence.[2] |
enterprise | T1105 | Ingress Tool Transfer | RTM can download additional files.[2][1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | RTM can record keystrokes from both the keyboard and virtual keyboard.[2][1] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.002 | Dynamic Data Exchange | RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.[2] |
enterprise | T1036 | Masquerading | RTM has been delivered as archived Windows executable files masquerading as PDF documents.[1] |
enterprise | T1036.004 | Masquerade Task or Service | RTM has named the scheduled task it creates “Windows Update”.[1] |
enterprise | T1112 | Modify Registry | RTM can delete all Registry entries created during its execution.[2] |
enterprise | T1106 | Native API | RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.[2] |
enterprise | T1571 | Non-Standard Port | RTM used port 44443 for its VNC module.[2] |
enterprise | T1027 | Obfuscated Files or Information | RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[2][1] |
enterprise | T1120 | Peripheral Device Discovery | RTM can obtain a list of smart card readers attached to the victim.[2][1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | RTM has been delivered via spearphishing attachments disguised as PDF documents.[1] |
enterprise | T1057 | Process Discovery | RTM can obtain information about process integrity levels.[2] |
enterprise | T1219 | Remote Access Software | RTM has the capability to download a VNC module from command and control (C2).[2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | RTM tries to add a scheduled task to establish persistence.[2][1] |
enterprise | T1113 | Screen Capture | RTM can capture screenshots.[2][1] |
enterprise | T1518 | Software Discovery | RTM can scan victim drives to look for specific banking software on the machine to determine next actions.[2] |
enterprise | T1518.001 | Security Software Discovery | RTM can obtain information about security software on the victim.[2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | RTM samples have been signed with code-signing certificates.[2] |
enterprise | T1553.004 | Install Root Certificate | RTM can add a certificate to the Windows store.[2][1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | RTM runs its core DLL file using rundll32.exe.[2][1] |
enterprise | T1082 | System Information Discovery | RTM can obtain the computer name, OS version, and default language identifier.[2] |
enterprise | T1033 | System Owner/User Discovery | RTM can obtain the victim username and permissions.[2] |
enterprise | T1124 | System Time Discovery | RTM can obtain the victim time zone.[2] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | RTM can detect if it is running within a sandbox or other virtualized analysis environment.[1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | RTM has used an RSS feed on LiveJournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchains.[2][3][1] |
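The persistence, execution and network rows above (T1547.001, T1053.005 with T1036.004, T1218.011 with T1059.003, and T1571) translate directly into hunting rules. The Python below is an added example, not code from the ATT&CK page or from any published RTM analysis: it runs four such rules over a constructed set of events. The event shape (dicts with a `type` field plus `key`, `value_name`, `task_name`, `command_line`, `dest_port`) is an assumption standing in for Sysmon or EDR telemetry; map it onto your own field names.

```python
"""Hunting rules derived from the RTM/Redaman technique table, run offline over
constructed sample events. Event shapes are an assumption (simplified Sysmon-style
records); adapt the field names to your own telemetry."""
import re

# Constructed sample telemetry, not real RTM logs. Every second entry is a
# benign look-alike that the rules must leave alone.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Windows Update",
     "data": r"rundll32.exe C:\Users\alice\AppData\Roaming\svc.dll,DllGetClassObject"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "task_created", "task_name": r"\Windows Update",
     "action": r"rundll32.exe C:\Users\alice\AppData\Roaming\svc.dll,DllGetClassObject"},
    {"type": "task_created",
     "task_name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "action": r"C:\Windows\System32\sc.exe start wuauserv"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Roaming\svc.dll,DllGetClassObject"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "network_connect", "image": r"C:\Windows\System32\rundll32.exe",
     "dest_ip": "203.0.113.10", "dest_port": 44443},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.11", "dest_port": 443},
]

RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?$")
USER_WRITABLE = re.compile(r"(?i)\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\")
RUNDLL32_DLL = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,')


def run_key_named_windows_update(e):
    """T1547.001 + T1036: a Run value called 'Windows Update'. The genuine updater
    is the wuauserv service plus tasks under \\Microsoft\\Windows\\WindowsUpdate,
    never a Run value, so the name alone is worth a look."""
    return (e["type"] == "registry_set" and bool(RUN_KEY.search(e["key"]))
            and e["value_name"].strip().lower() == "windows update")


def task_named_windows_update(e):
    """T1053.005 + T1036.004: a task called 'Windows Update' outside the
    \\Microsoft\\Windows\\ tree where the real update tasks live."""
    if e["type"] != "task_created":
        return False
    leaf = e["task_name"].rsplit("\\", 1)[-1].strip().lower()
    return leaf == "windows update" and not e["task_name"].lower().startswith("\\microsoft\\windows\\")


def rundll32_loading_user_writable_dll(e):
    """T1218.011 + T1059.003: rundll32 handed a DLL from a user-writable directory,
    the way the core DLL is launched from the command line."""
    if e["type"] != "process_create":
        return False
    m = RUNDLL32_DLL.search(e["command_line"])
    return bool(m) and bool(USER_WRITABLE.search(m.group(1)))


def connection_to_port_44443(e):
    """T1571: the non-standard port the VNC module used."""
    return e["type"] == "network_connect" and e["dest_port"] == 44443


RULES = [run_key_named_windows_update, task_named_windows_update,
         rundll32_loading_user_writable_dll, connection_to_port_44443]


def hunt(events):
    """Return (rule_name, event) pairs in event order. Each hit is a review lead,
    not a verdict: the name 'Windows Update' was picked precisely to look benign."""
    return [(rule.__name__, e) for e in events for rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, e in hunt(SAMPLE_EVENTS):
        print(f"{name}: {e}")
```

The port rule is the weakest of the four on its own (44443 is just an unusual port), so it is most useful joined to the process that opened the socket, which the sample event carries in `image`.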
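The dead drop resolver row (T1102.001: encrypted C2 names published through an RSS feed) and the encryption rows (T1573.001 and T1027: a modified RC4) describe one mechanism from two sides. The Python below is an added example, not RTM's code or the page's own: it builds a constructed RSS feed whose entries carry RC4-encrypted, base64-wrapped hostnames under a hypothetical key, then parses that feed offline and recovers the names the way a resolver would. The cipher here is textbook RC4; the page does not document RTM's variant, so an analyst swaps `rc4` for the KSA/PRGA recovered from the sample.

```python
"""Dead-drop resolver walkthrough: constructed RSS feed in, C2 hostnames out.
The key is hypothetical and the cipher is standard RC4 (RTM's variant is not
documented on this page); everything here is example code, not RTM's."""
import base64
import xml.etree.ElementTree as ET


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling then the PRGA keystream XORed over data.
    Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


HYPOTHETICAL_KEY = b"example-key-not-rtm"  # assumption: not a key from any RTM sample


def build_feed(c2_names, key=HYPOTHETICAL_KEY) -> str:
    """Operator side: a constructed RSS 2.0 feed whose <description> fields hold
    base64(RC4(hostname)), the shape a resolver would fetch from a blog platform."""
    items = "".join(
        f"<item><title>post {n}</title><description>"
        f"{base64.b64encode(rc4(key, name.encode())).decode()}"
        f"</description></item>"
        for n, name in enumerate(c2_names, 1))
    return f'<rss version="2.0"><channel><title>blog</title>{items}</channel></rss>'


def resolve_c2_from_feed(feed_xml: str, key=HYPOTHETICAL_KEY) -> list:
    """Malware side: walk every <item>, decrypt its description, keep the entries
    that come out as printable ASCII. Ordinary posts fail base64 validation or
    decrypt to garbage and are dropped, so the feed can carry cover content."""
    names = []
    for item in ET.fromstring(feed_xml).iter("item"):
        blob = (item.findtext("description") or "").strip()
        try:
            plain = rc4(key, base64.b64decode(blob, validate=True))
        except ValueError:  # binascii.Error is a ValueError: not a base64 payload
            continue
        if plain and all(32 <= b < 127 for b in plain):
            names.append(plain.decode())
    return names


# Constructed sample: two encrypted C2 names plus a plain cover post.
SAMPLE_FEED = build_feed(["c2-one.example", "c2-two.example"]).replace(
    "</channel>",
    "<item><title>cover</title><description>Just a normal post!</description></item></channel>")

if __name__ == "__main__":
    print(resolve_c2_from_feed(SAMPLE_FEED))
```

The printable-ASCII filter is what makes the resolver tolerant of cover posts, and it is also the weak point for a defender replaying captured feeds: with the wrong key nothing passes the filter, so recovering the key (or the modified KSA) from the binary is the prerequisite for enumerating historical C2 names.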
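The Dynamic Resolution row (T1568) records that Pony C2 addresses were derived from Bitcoin transaction data, but not how the octets were packed. The Python below is an added example, not the documented Pony scheme and not code from the page: it assumes, purely for illustration, that each of the two most recent payments to a watched wallet carries two octets in the low 16 bits of its satoshi amount, and shows both the operator side (choosing amounts) and the malware side (reading the wallet history). The wallet history is constructed, not chain data.

```python
"""Blockchain-backed C2 resolution illustrated with an ASSUMED encoding: the two
newest transaction amounts each carry two IPv4 octets in their low 16 bits.
This is example code, not the Pony/RTM scheme described in the references."""

OCTETS_MOD = 1 << 16  # assumption: octets live in value mod 2**16; satoshi above that is free


def octets_from_amount(satoshi: int) -> tuple:
    """Read the low 16 bits of a satoshi amount as two big-endian octets."""
    low = satoshi % OCTETS_MOD
    return low >> 8, low & 0xFF


def amount_for_octets(first: int, second: int, multiple: int = 0) -> int:
    """Operator side: an amount carrying two octets. 'multiple' adds whole 2**16
    blocks so the payment size can vary without changing the encoded octets."""
    for o in (first, second):
        if not 0 <= o <= 255:
            raise ValueError("octet out of range")
    return multiple * OCTETS_MOD + ((first << 8) | second)


def amounts_for_ip(ip: str, multiples=(0, 0)) -> list:
    """Return [newest, second-newest] amounts that encode ip. The operator sends
    them as two payments, the later one carrying the first two octets."""
    octets = [int(p) for p in ip.split(".")]
    if len(octets) != 4:
        raise ValueError("expected dotted IPv4")
    return [amount_for_octets(octets[0], octets[1], multiples[0]),
            amount_for_octets(octets[2], octets[3], multiples[1])]


def ip_from_transactions(txs) -> str:
    """Malware side: txs is a wallet history as a block-explorer API would return
    it (dicts with 'time' and 'value' in satoshi, any order). Only the two newest
    entries matter, so re-pointing every bot costs the operator one new payment."""
    newest = sorted(txs, key=lambda t: t["time"], reverse=True)[:2]
    if len(newest) < 2:
        raise ValueError("need at least two transactions to recover four octets")
    a = octets_from_amount(newest[0]["value"])
    b = octets_from_amount(newest[1]["value"])
    return f"{a[0]}.{a[1]}.{b[0]}.{b[1]}"


# Constructed wallet history (not real chain data), oldest first: the operator
# first pointed bots at 198.51.100.7, then re-pointed them with two newer payments.
SAMPLE_TXS = [
    {"txid": "old-1", "time": 1700000000, "value": amounts_for_ip("198.51.100.7", (4, 1))[1]},
    {"txid": "old-2", "time": 1700000100, "value": amounts_for_ip("198.51.100.7", (4, 1))[0]},
    {"txid": "new-1", "time": 1700000200, "value": 94474},   # 113.10 plus one 2**16 block
    {"txid": "new-2", "time": 1700000300, "value": 183040},  # 203.0 plus two 2**16 blocks
]

if __name__ == "__main__":
    print(ip_from_transactions(SAMPLE_TXS))
```

The property that makes this attractive to an operator, and hard to take down, is visible in `ip_from_transactions`: the resolver state lives in a public ledger nobody can edit, and the lookup itself is a plain HTTPS request to a block-explorer API, which is why the egress-side control is the malware's contact with such APIs rather than the resolved address.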
Groups That Use This Software
ID | Name | References |
---|---|---|
G0048 | RTM | 2 |
References
1. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
2. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
3. Eisenkraft, K., Olshtein, A. (2019, October 17). Pony's C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020.