| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges. |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RTM has initiated connections to external domains using HTTPS. |
| | | | RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| | | | RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain. |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1083 | File and Directory Discovery | RTM can check for specific files and directories associated with virtualization and malware analysis. |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | RTM can delete all files created during its execution. |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | RTM has the ability to remove Registry entries that it created for persistence. |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | RTM can record keystrokes from both the keyboard and virtual keyboard. |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism. |
| | | | RTM has been delivered as archived Windows executable files masquerading as PDF documents. |
| | .004 | Masquerade Task or Service | RTM has named the scheduled task it creates "Windows Update". |
| | | | RTM can delete all Registry entries created during its execution. |
| | | | RTM can use the |
| Enterprise | T1027 | Obfuscated Files or Information | RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR. |
| Enterprise | T1120 | Peripheral Device Discovery | RTM can obtain a list of smart card readers attached to the victim. |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RTM has been delivered via spearphishing attachments disguised as PDF documents. |
| | | | RTM can obtain information about process integrity levels. |
| Enterprise | T1219 | Remote Access Software | RTM has the capability to download a VNC module from command and control (C2). |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | RTM tries to add a scheduled task to establish persistence. |
| | | | RTM can scan victim drives to look for specific banking software on the machine to determine next actions. |
| | .001 | Security Software Discovery | RTM can obtain information about security software on the victim. |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | RTM samples have been signed with code-signing certificates. |
| Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery | RTM can obtain the computer name, OS version, and default language identifier. |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1204.002 | User Execution: Malicious File | RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within. |
| | | | RTM can detect if it is running within a sandbox or other virtualized analysis environment. |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain. |