Software: RTM

From ATT&CK
RTM
Software
ID: S0148
Aliases: RTM
Type: Malware

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[1]

Techniques Used

  • Code Signing - RTM samples have been signed with code-signing certificates.[1]
  • Rundll32 - RTM runs its core DLL file using rundll32.exe.[1]
  • Scheduled Task - RTM tries to add a scheduled task to establish persistence.[1]
  • File and Directory Discovery - RTM can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.[1]
  • Automated Collection - RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[1]
  • Input Capture - RTM can record keystrokes from both the keyboard and virtual keyboard.[1]
  • File Deletion - RTM can delete all files created during its execution.[1]
  • Modify Registry - RTM can delete all Registry entries created during its execution.[1]
  • Bypass User Account Control - RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[1]

Groups

The following groups use this software: