Register to stream ATT&CKcon 2.0 October 29-30


RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). [1]

ID: S0148
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings. [1]
Enterprise T1088 Bypass User Account Control RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges. [1]
Enterprise T1115 Clipboard Data RTM collects data from the clipboard. [1]
Enterprise T1116 Code Signing RTM samples have been signed with a code-signing certificates. [1]
Enterprise T1059 Command-Line Interface RTM uses the command line and rundll32.exe to execute. [1]
Enterprise T1094 Custom Command and Control Protocol RTM uses HTTP POST requests with data formatted using a custom protocol. [1]
Enterprise T1024 Custom Cryptographic Protocol RTM encrypts C2 traffic with a custom RC4 variant. [1]
Enterprise T1083 File and Directory Discovery RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings. [1]
Enterprise T1107 File Deletion RTM can delete all files created during its execution. [1]
Enterprise T1070 Indicator Removal on Host RTM has the ability to remove Registry entries that it created during execution. [1]
Enterprise T1056 Input Capture RTM can record keystrokes from both the keyboard and virtual keyboard. [1]
Enterprise T1130 Install Root Certificate RTM can add a certificate to the Windows store. [1]
Enterprise T1112 Modify Registry RTM can delete all Registry entries created during its execution. [1]
Enterprise T1027 Obfuscated Files or Information RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. [1]
Enterprise T1120 Peripheral Device Discovery RTM can obtain a list of smart card readers attached to the victim. [1]
Enterprise T1057 Process Discovery RTM can obtain information about process integrity levels. [1]
Enterprise T1060 Registry Run Keys / Startup Folder RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence. [1]
Enterprise T1105 Remote File Copy RTM can download additional files. [1]
Enterprise T1085 Rundll32 RTM runs its core DLL file using rundll32.exe. [1]
Enterprise T1053 Scheduled Task RTM tries to add a scheduled task to establish persistence. [1]
Enterprise T1113 Screen Capture RTM can capture screenshots. [1]
Enterprise T1063 Security Software Discovery RTM can obtain information about security software on the victim. [1]
Enterprise T1082 System Information Discovery RTM can obtain the computer name, OS version, and default language identifier. [1]
Enterprise T1033 System Owner/User Discovery RTM can obtain the victim username and permissions. [1]
Enterprise T1124 System Time Discovery RTM can obtain the victim time zone. [1]

Groups That Use This Software

ID Name References
G0048 RTM [1]