RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.[1][2]

ID: S0148
Associated Software: Redaman
Platforms: Windows
Contributors: Arie Olshtein, Check Point; Kobi Eisenkraft, Check Point
Version: 1.2
Created: 31 May 2017
Last Modified: 29 July 2022

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RTM has initiated connections to external domains using HTTPS.[2]

Enterprise T1119 Automated Collection

RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[1]

Enterprise T1115 Clipboard Data

RTM collects data from the clipboard.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RTM uses the command line and rundll32.exe to execute.[1]

Enterprise T1568 Dynamic Resolution

RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.[3][2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RTM encrypts C2 traffic with a custom RC4 variant.[1]

Enterprise T1083 File and Directory Discovery

RTM can check for specific files and directories associated with virtualization and malware analysis.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

RTM can delete all files created during its execution.[1][2]

.009 Indicator Removal: Clear Persistence

RTM has the ability to remove Registry entries that it created for persistence.[1]

Enterprise T1105 Ingress Tool Transfer

RTM can download additional files.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

RTM can record keystrokes from both the keyboard and virtual keyboard.[1][2]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.[1]

Enterprise T1036 Masquerading

RTM has been delivered as archived Windows executable files masquerading as PDF documents.[2]

.004 Masquerade Task or Service

RTM has named the scheduled task it creates "Windows Update".[2]

Enterprise T1112 Modify Registry

RTM can delete all Registry entries created during its execution.[1]

Enterprise T1106 Native API

RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.[1]

Enterprise T1571 Non-Standard Port

RTM used Port 44443 for its VNC module.[1]

Enterprise T1027 Obfuscated Files or Information

RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[1][2]

Enterprise T1120 Peripheral Device Discovery

RTM can obtain a list of smart card readers attached to the victim.[1][2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

RTM has been delivered via spearphishing attachments disguised as PDF documents.[2]

Enterprise T1057 Process Discovery

RTM can obtain information about process integrity levels.[1]

Enterprise T1219 Remote Access Software

RTM has the capability to download a VNC module from command and control (C2).[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

RTM tries to add a scheduled task to establish persistence.[1][2]

Enterprise T1113 Screen Capture

RTM can capture screenshots.[1][2]

Enterprise T1518 Software Discovery

RTM can scan victim drives to look for specific banking software on the machine to determine next actions.[1]

.001 Security Software Discovery

RTM can obtain information about security software on the victim.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

RTM samples have been signed with a code-signing certificates.[1]

.004 Subvert Trust Controls: Install Root Certificate

RTM can add a certificate to the Windows store.[1][2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

RTM runs its core DLL file using rundll32.exe.[1][2]

Enterprise T1082 System Information Discovery

RTM can obtain the computer name, OS version, and default language identifier.[1]

Enterprise T1033 System Owner/User Discovery

RTM can obtain the victim username and permissions.[1]

Enterprise T1124 System Time Discovery

RTM can obtain the victim time zone.[1]

Enterprise T1204 .002 User Execution: Malicious File

RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.[2]

Enterprise T1497 Virtualization/Sandbox Evasion

RTM can detect if it is running within a sandbox or other virtualized analysis environment.[2]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.[1][3][2]

Groups That Use This Software

ID Name References
G0048 RTM