RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [1]

ID: G0048
Aliases: RTM
Version: 1.0

Alias Descriptions


Techniques Used

EnterpriseT1102Web ServiceRTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.[1]


S0148RTMAutomated Collection, Bypass User Account Control, Clipboard Data, Code Signing, Command-Line Interface, Custom Command and Control Protocol, Custom Cryptographic Protocol, File and Directory Discovery, File Deletion, Indicator Removal on Host, Input Capture, Install Root Certificate, Modify Registry, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Scheduled Task, Screen Capture, Security Software Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery