Software: RTM

RTM
Software
ID S0148
Aliases RTM
Type Malware
Platform Windows

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).1

Techniques Used

  • Code Signing - RTM samples have been signed with code-signing certificates.1
  • Rundll32 - RTM runs its core DLL file using rundll32.exe.1
  • Scheduled Task - RTM tries to add a scheduled task to establish persistence.1
  • File and Directory Discovery - RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.1
  • Automated Collection - RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.1
  • Input Capture - RTM can record keystrokes from both the keyboard and virtual keyboard.1
  • File Deletion - RTM can delete all files created during its execution.1
  • Modify Registry - RTM can delete all Registry entries created during its execution.1
  • Bypass User Account Control - RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.1
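The execution and persistence behaviours listed above (rundll32.exe loading the core DLL, a scheduled task for persistence) leave process-creation telemetry that can be hunted for. The following is an added example, not code from the ATT&CK page or from the RTM report it cites: a small hunting pass over constructed Sysmon-style process-creation records (Event ID 1 field names Image, CommandLine and ParentImage) that flags rundll32.exe loading a DLL from a user-writable directory, rundll32.exe spawned by a binary in such a directory, and schtasks.exe creating a task whose action points into one. The sample events, the list of user-writable directories and the rule names are assumptions for illustration, not indicators taken from RTM samples.

```python
"""Hunt for rundll32/schtasks abuse in Sysmon-style process-creation records.

Added example; the events below are constructed, not real telemetry,
and the rule names and directory list are assumptions for illustration.
"""
import re

# Directories a standard user can write to. A DLL or task action living
# here is not proof of malice, but it is where droppers tend to stage.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)

# rundll32 [<dll>],<entry>  -- the DLL may be quoted and may carry a full path.
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?(?:,|\s|$)', re.IGNORECASE
)

# schtasks /Create ... /TR "<action>"  -- the task action, quoted or bare.
SCHTASKS_TR = re.compile(r'/TR\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 field names).
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\core.dll",DllMain',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "Update" /TR "rundll32.exe C:\Users\alice\AppData\Roaming\core.dll,DllMain"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Update"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def rundll32_dll(cmdline):
    """Return the DLL rundll32 was asked to load (path or bare name), or None."""
    m = RUNDLL32_ARG.search(cmdline)
    return m.group(1) if m else None


def schtasks_action(cmdline):
    """Return the /TR action of a schtasks /Create command line, or None."""
    if not re.search(r"/Create\b", cmdline, re.IGNORECASE):
        return None
    m = SCHTASKS_TR.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def check_event(ev):
    """Return a list of (rule, detail) findings for one process-creation record."""
    findings = []
    image = ev["Image"].lower()
    cmd = ev["CommandLine"]
    if image.endswith("\\rundll32.exe"):
        dll = rundll32_dll(cmd)
        if dll and USER_WRITABLE.search(dll):
            findings.append(("rundll32_userwritable_dll", dll))
        parent = ev.get("ParentImage", "")
        if USER_WRITABLE.search(parent):
            findings.append(("rundll32_userwritable_parent", parent))
    elif image.endswith("\\schtasks.exe"):
        action = schtasks_action(cmd)
        if action and USER_WRITABLE.search(action):
            findings.append(("schtasks_userwritable_action", action))
    return findings


def hunt(events):
    """Run check_event over every record; returns (event index, rule, detail) tuples."""
    return [(i, rule, detail)
            for i, ev in enumerate(events)
            for rule, detail in check_event(ev)]


if __name__ == "__main__":
    for idx, rule, detail in hunt(EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The benign records (rundll32 launched by explorer.exe with a system DLL, and a schtasks /Query) produce no findings; only the staged DLL in AppData and the task that points back at it do. In production the same rules would be tuned with an allowlist of known installers and management agents that legitimately load DLLs or register tasks from ProgramData.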

Groups

The following groups use this software: