JUST RELEASED: ATT&CK for Industrial Control Systems


RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [1]

ID: G0048
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Techniques Used

Domain ID Name Use
Enterprise T1102 Web Service

RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.[1]


ID Name References Techniques
S0148 RTM [1] Automated Collection, Bypass User Account Control, Clipboard Data, Code Signing, Command-Line Interface, Custom Command and Control Protocol, Custom Cryptographic Protocol, File and Directory Discovery, File Deletion, Indicator Removal on Host, Input Capture, Install Root Certificate, Modify Registry, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Scheduled Task, Screen Capture, Security Software Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery