Group description: RTM

attack.mitre.org · MITRE ATT&CK · 8 years ago · news
RTM, Group G0048 | MITRE ATT&CK®

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [1]

ID: G0048
Contributors: Oleg Skulkin, Group-IB
Version: 1.1
Created: 31 May 2017
Last Modified: 25 April 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software. [1] [2]
Enterprise | T1189 | Drive-by Compromise | RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as the online advertising network Yandex.Direct. [1] [3]
Enterprise | T1574.001 | Hijack Execution Flow: DLL | RTM has used search order hijacking to force TeamViewer to load a malicious DLL. [2]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RTM has used spearphishing attachments to distribute its malware. [2]
Enterprise | T1219.002 | Remote Access Tools: Remote Desktop Software | RTM has used a modified version of TeamViewer and Remote Utilities for remote access. [2]
Enterprise | T1204.002 | User Execution: Malicious File | RTM has attempted to lure victims into opening e-mail attachments to execute malicious code. [2]
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. [1]

Software

ID | Name | References | Techniques
S0148 | RTM | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Automated Collection; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Clipboard Data; Command and Scripting Interpreter: Windows Command Shell; Dynamic Resolution; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Indicator Removal: Clear Persistence; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Inter-Process Communication: Dynamic Data Exchange; Masquerading: Masquerade Task or Service; Masquerading; Modify Registry; Native API; Non-Standard Port; Obfuscated Files or Information: Compression; Obfuscated Files or Information; Peripheral Device Discovery; Phishing: Spearphishing Attachment; Process Discovery; Remote Access Tools; Scheduled Task/Job: Scheduled Task; Screen Capture; Software Discovery: Security Software Discovery; Software Discovery; Subvert Trust Controls: Code Signing; Subvert Trust Controls: Install Root Certificate; System Binary Proxy Execution: Rundll32; System Information Discovery; System Owner/User Discovery; System Time Discovery; User Execution: Malicious File; Virtualization/Sandbox Evasion; Web Service: Dead Drop Resolver

References

[1] Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
[2] Skulkin, O. (2019, August 5). Following the RTM: Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
[3] ESET Research. (2019, April 30). Buhtrap backdoor and Buran ransomware distributed via major advertising platform. Retrieved May 11, 2020.