RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.^[1]^[2]

ID: S0148

ⓘ

Associated Software: Redaman

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Arie Olshtein, Check Point; Kobi Eisenkraft, Check Point

Version: 1.1

Created: 31 May 2017

Last Modified: 03 July 2020

Associated Software Descriptions

Name	Description
Redaman	^[2]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.^[1]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	RTM has initiated connections to external domains using HTTPS.^[2]
Enterprise	T1119		Automated Collection	RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.^[1]^[2]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.^[1]
Enterprise	T1115		Clipboard Data	RTM collects data from the clipboard.^[1]^[2]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	RTM uses the command line and rundll32.exe to execute.^[1]
Enterprise	T1568		Dynamic Resolution	RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.^[3]^[2]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	RTM encrypts C2 traffic with a custom RC4 variant.^[1]
Enterprise	T1083		File and Directory Discovery	RTM can check for specific files and directories associated with virtualization and malware analysis.^[2]
Enterprise	T1070		Indicator Removal on Host	RTM has the ability to remove Registry entries that it created during execution.^[1]
		.004	File Deletion	RTM can delete all files created during its execution.^[1]^[2]
Enterprise	T1105		Ingress Tool Transfer	RTM can download additional files.^[1]^[2]
Enterprise	T1056	.001	Input Capture: Keylogging	RTM can record keystrokes from both the keyboard and virtual keyboard.^[1]^[2]
Enterprise	T1559	.002	Inter-Process Communication: Dynamic Data Exchange	RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.^[1]
Enterprise	T1036		Masquerading	RTM has been delivered as archived Windows executable files masquerading as PDF documents.^[2]
		.004	Masquerade Task or Service	RTM has named the scheduled task it creates "Windows Update".^[2]
Enterprise	T1112		Modify Registry	RTM can delete all Registry entries created during its execution.^[1]
Enterprise	T1106		Native API	RTM can use the `FindNextUrlCacheEntryA` and `FindFirstUrlCacheEntryA` functions to search for specific strings within browser history.^[1]
Enterprise	T1571		Non-Standard Port	RTM used Port 44443 for its VNC module.^[1]
Enterprise	T1027		Obfuscated Files or Information	RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.^[1]^[2]
Enterprise	T1120		Peripheral Device Discovery	RTM can obtain a list of smart card readers attached to the victim.^[1]^[2]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	RTM has been delivered via spearphishing attachments disguised as PDF documents.^[2]
Enterprise	T1057		Process Discovery	RTM can obtain information about process integrity levels.^[1]
Enterprise	T1219		Remote Access Software	RTM has the capability to download a VNC module from command and control (C2).^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	RTM tries to add a scheduled task to establish persistence.^[1]^[2]
Enterprise	T1113		Screen Capture	RTM can capture screenshots.^[1]^[2]
Enterprise	T1218	.011	Signed Binary Proxy Execution: Rundll32	RTM runs its core DLL file using rundll32.exe.^[1]^[2]
Enterprise	T1518		Software Discovery	RTM can scan victim drives to look for specific banking software on the machine to determine next actions.^[1]
		.001	Security Software Discovery	RTM can obtain information about security software on the victim.^[1]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	RTM samples have been signed with a code-signing certificates.^[1]
		.004	Subvert Trust Controls: Install Root Certificate	RTM can add a certificate to the Windows store.^[1]^[2]
Enterprise	T1082		System Information Discovery	RTM can obtain the computer name, OS version, and default language identifier.^[1]
Enterprise	T1033		System Owner/User Discovery	RTM can obtain the victim username and permissions.^[1]
Enterprise	T1124		System Time Discovery	RTM can obtain the victim time zone.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.^[2]
Enterprise	T1497		Virtualization/Sandbox Evasion	RTM can detect if it is running within a sandbox or other virtualized analysis environment.^[2]
Enterprise	T1102	.001	Web Service: Dead Drop Resolver	RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.^[1]^[3]^[2]

Groups That Use This Software

ID	Name	References
G0048	RTM	^[1]

References

Eisenkraft, K., Olshtein, A. (2019, October 17). Pony’s C&C servers hidden inside the Bitcoin blockchain. Retrieved June 15, 2020.

RTM

Associated Software Descriptions

Enterprise Layer

Techniques Used

Groups That Use This Software

References