Skip to content

S0148 RTM

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.12

Item Value
ID S0148
Associated Names Redaman
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 03 July 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Redaman 2

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols RTM has initiated connections to external domains using HTTPS.2
enterprise T1119 Automated Collection RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder RTM tries to add a Registry Run key under the name “Windows Update” to establish persistence.1
enterprise T1115 Clipboard Data RTM collects data from the clipboard.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell RTM uses the command line and rundll32.exe to execute.1
enterprise T1568 Dynamic Resolution RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.32
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography RTM encrypts C2 traffic with a custom RC4 variant.1
enterprise T1083 File and Directory Discovery RTM can check for specific files and directories associated with virtualization and malware analysis.2
enterprise T1070 Indicator Removal on Host RTM has the ability to remove Registry entries that it created during execution.1
enterprise T1070.004 File Deletion RTM can delete all files created during its execution.12
enterprise T1105 Ingress Tool Transfer RTM can download additional files.12
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging RTM can record keystrokes from both the keyboard and virtual keyboard.12
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.1
enterprise T1036 Masquerading RTM has been delivered as archived Windows executable files masquerading as PDF documents.2
enterprise T1036.004 Masquerade Task or Service RTM has named the scheduled task it creates “Windows Update”.2
enterprise T1112 Modify Registry RTM can delete all Registry entries created during its execution.1
enterprise T1106 Native API RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.1
enterprise T1571 Non-Standard Port RTM used Port 44443 for its VNC module.1
enterprise T1027 Obfuscated Files or Information RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.12
enterprise T1120 Peripheral Device Discovery RTM can obtain a list of smart card readers attached to the victim.12
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment RTM has been delivered via spearphishing attachments disguised as PDF documents.2
enterprise T1057 Process Discovery RTM can obtain information about process integrity levels.1
enterprise T1219 Remote Access Software RTM has the capability to download a VNC module from command and control (C2).1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task RTM tries to add a scheduled task to establish persistence.12
enterprise T1113 Screen Capture RTM can capture screenshots.12
enterprise T1518 Software Discovery RTM can scan victim drives to look for specific banking software on the machine to determine next actions.1
enterprise T1518.001 Security Software Discovery RTM can obtain information about security software on the victim.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing RTM samples have been signed with a code-signing certificates.1
enterprise T1553.004 Install Root Certificate RTM can add a certificate to the Windows store.12
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 RTM runs its core DLL file using rundll32.exe.12
enterprise T1082 System Information Discovery RTM can obtain the computer name, OS version, and default language identifier.1
enterprise T1033 System Owner/User Discovery RTM can obtain the victim username and permissions.1
enterprise T1124 System Time Discovery RTM can obtain the victim time zone.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.2
enterprise T1497 Virtualization/Sandbox Evasion RTM can detect if it is running within a sandbox or other virtualized analysis environment.2
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.132

Groups That Use This Software

ID Name References
G0048 RTM 1

References

Back to top