RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). [1]

ID: S0148
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1119Automated CollectionRTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[1]
EnterpriseT1088Bypass User Account ControlRTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[1]
EnterpriseT1115Clipboard DataRTM collects data from the clipboard.[1]
EnterpriseT1116Code SigningRTM samples have been signed with a code-signing certificates.[1]
EnterpriseT1059Command-Line InterfaceRTM uses the command line and rundll32.exe to execute.[1]
EnterpriseT1094Custom Command and Control ProtocolRTM uses HTTP POST requests with data formatted using a custom protocol.[1]
EnterpriseT1024Custom Cryptographic ProtocolRTM encrypts C2 traffic with a custom RC4 variant.[1]
EnterpriseT1083File and Directory DiscoveryRTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.[1]
EnterpriseT1107File DeletionRTM can delete all files created during its execution.[1]
EnterpriseT1070Indicator Removal on HostRTM has the ability to remove Registry entries that it created during execution.[1]
EnterpriseT1056Input CaptureRTM can record keystrokes from both the keyboard and virtual keyboard.[1]
EnterpriseT1130Install Root CertificateRTM can add a certificate to the Windows store.[1]
EnterpriseT1112Modify RegistryRTM can delete all Registry entries created during its execution.[1]
EnterpriseT1027Obfuscated Files or InformationRTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm.[1]
EnterpriseT1120Peripheral Device DiscoveryRTM can obtain a list of smart card readers attached to the victim.[1]
EnterpriseT1057Process DiscoveryRTM can obtain information about process integrity levels.[1]
EnterpriseT1060Registry Run Keys / Startup FolderRTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[1]
EnterpriseT1105Remote File CopyRTM can download additional files.[1]
EnterpriseT1085Rundll32RTM runs its core DLL file using rundll32.exe.[1]
EnterpriseT1053Scheduled TaskRTM tries to add a scheduled task to establish persistence.[1]
EnterpriseT1113Screen CaptureRTM can capture screenshots.[1]
EnterpriseT1063Security Software DiscoveryRTM can obtain information about security software on the victim.[1]
EnterpriseT1082System Information DiscoveryRTM can obtain the computer name, OS version, and default language identifier.[1]
EnterpriseT1033System Owner/User DiscoveryRTM can obtain the victim username and permissions.[1]
EnterpriseT1124System Time DiscoveryRTM can obtain the victim time zone.[1]


Groups that use this software: