The sub-techniques beta is now live! Read the release blog post for more info.


RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). [1]

ID: S0148
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[1]

Enterprise T1088 Bypass User Account Control

RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[1]

Enterprise T1115 Clipboard Data

RTM collects data from the clipboard.[1]

Enterprise T1116 Code Signing

RTM samples have been signed with a code-signing certificates.[1]

Enterprise T1059 Command-Line Interface

RTM uses the command line and rundll32.exe to execute.[1]

Enterprise T1094 Custom Command and Control Protocol

RTM uses HTTP POST requests with data formatted using a custom protocol.[1]

Enterprise T1024 Custom Cryptographic Protocol

RTM encrypts C2 traffic with a custom RC4 variant.[1]

Enterprise T1083 File and Directory Discovery

RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.[1]

Enterprise T1107 File Deletion

RTM can delete all files created during its execution.[1]

Enterprise T1070 Indicator Removal on Host

RTM has the ability to remove Registry entries that it created during execution.[1]

Enterprise T1056 Input Capture

RTM can record keystrokes from both the keyboard and virtual keyboard.[1]

Enterprise T1130 Install Root Certificate

RTM can add a certificate to the Windows store.[1]

Enterprise T1112 Modify Registry

RTM can delete all Registry entries created during its execution.[1]

Enterprise T1027 Obfuscated Files or Information

RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm.[1]

Enterprise T1120 Peripheral Device Discovery

RTM can obtain a list of smart card readers attached to the victim.[1]

Enterprise T1057 Process Discovery

RTM can obtain information about process integrity levels.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[1]

Enterprise T1105 Remote File Copy

RTM can download additional files.[1]

Enterprise T1085 Rundll32

RTM runs its core DLL file using rundll32.exe.[1]

Enterprise T1053 Scheduled Task

RTM tries to add a scheduled task to establish persistence.[1]

Enterprise T1113 Screen Capture

RTM can capture screenshots.[1]

Enterprise T1063 Security Software Discovery

RTM can obtain information about security software on the victim.[1]

Enterprise T1082 System Information Discovery

RTM can obtain the computer name, OS version, and default language identifier.[1]

Enterprise T1033 System Owner/User Discovery

RTM can obtain the victim username and permissions.[1]

Enterprise T1124 System Time Discovery

RTM can obtain the victim time zone.[1]

Groups That Use This Software

ID Name References
G0048 RTM [1]