General description
The RTM cybercrime group has been active since 2015 and attacks organizations in various sectors to steal money from accounts, confidential documents, and account credentials. The group uses malware that it develops itself. The group's malware has no static C2 server; it obtains the C2 address through the blockchain.
Tools
- RTM downloader
- RTM backdoor
- Pony stealer
- Azorult stealer
Target sectors
- The finance sector
- The energy sector
- The state sector
- Information technologies
- Industrial sector
Target countries
- Russia
- Belarus
- Kazakhstan
Objectives
- Cash theft
- Confidential data
- Account theft
Alternative group names
None
Reports by Positive Technologies and other researchers
- https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
- https://habr.com/ru/company/pt/blog/460857/
- https://broadcast.comdi.com/watch/r0uikvnq
- https://www.group-ib.com/blog/rtm
MITRE ATT&CK techniques used by the group
| Technique ID | Technique name | Description |
|---|---|---|
| Initial Access | | |
| T1566.001 | Phishing: Spearphishing Attachment | RTM sent emails with malicious attachments in RAR format. |
| Execution | | |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RTM's loader used cmd.exe to delete itself after it had run. |
| T1204.002 | User Execution: Malicious File | RTM tried to trick users into running malicious attachments delivered by email. |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | In some attacks, one version of RTM's loader used a VBS script to load the main payload. |
| T1053.005 | Scheduled Task/Job: Scheduled Task | The group's main payload can be launched via the Task Scheduler. |
| T1106 | Native API | The group's main payload used the LoadLibrary function to run plugins. |
| Persistence | | |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The group's main payload gained persistence via the registry. |
| T1053.005 | Scheduled Task/Job: Scheduled Task | The group's main payload gained persistence via the Task Scheduler. |
| Defense Evasion | | |
| T1140 | Deobfuscate/Decode Files or Information | The main Trojan delivered by the group is encrypted with a 4-byte XOR algorithm. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | The group's main Trojan tried to disable Windows Defender. |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | The group's main Trojan was saved to disk with the system file attribute set. |
| T1070.004 | Indicator Removal on Host: File Deletion | RTM's loader was deleted after its main functions had completed. |
| T1027 | Obfuscated Files or Information | To protect its malware, RTM used different packers (CustomRTMPacker, Rex3Packer, HellowinPacker). |
| T1218.011 | Signed Binary Proxy Execution: Rundll32 | RTM's loader used rundll32.exe to run the main Trojan. |
| T1112 | Modify Registry | RTM modified the values of some registry keys. |
| Credential Access | | |
| T1056.001 | Input Capture: Keylogging | RTM used a keylogger to steal account credentials. |
| Discovery | | |
| T1217 | Browser Bookmark Discovery | The group's malware looked for e-banking websites in open browser tabs. |
| T1497.001 | Virtualization/Sandbox Evasion: System Checks | The group's malware looked for traces of a sandbox in its execution environment. |
| Collection | | |
| T1005 | Data from Local System | RTM stole documents from compromised computers. |
| T1056.001 | Input Capture: Keylogging | RTM used a keylogger to collect data. |
| T1113 | Screen Capture | The group's main Trojan started taking screenshots and sending them to the C2 server if an e-banking system was open in the browser. |
| Command And Control | | |
| T1105 | Ingress Tool Transfer | RTM transferred the main payload and modules from the C2 server to the infected computer. |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | The group's malware used its own RC4 encryption algorithm to transfer data to the C2 server. |
| T1102.001 | Web Service: Dead Drop Resolver | The group's malware used the blockchain to obtain the C2 server address. |
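As an added example (not from the page and not the group's own tooling), the following analyst helper recovers the repeating 4-byte XOR key from an encrypted sample of the kind described under T1140 and decodes it. It assumes, which the page does not state, that the decrypted payload is a PE file, so the "MZ" magic and the "PE\0\0" signature serve as known plaintext; the sample blob is constructed inline.

```python
import struct

# Added example, not from the page or the group's tooling. Assumes (not stated
# on the page) that the XOR-encrypted payload is a PE file, so the "MZ" magic
# and the "PE\0\0" signature can serve as known plaintext for key recovery.

def xor4(data: bytes, key: bytes, start: int = 0) -> bytes:
    """Repeating 4-byte XOR. `start` is the offset of data[0] within the whole
    blob, so partial decodes keep the correct key phase."""
    return bytes(b ^ key[(start + i) % 4] for i, b in enumerate(data))

def pe_header_ok(blob: bytes, key: bytes) -> bool:
    """Cheap validation: decode only e_lfanew (DOS header offset 0x3C) and the
    4 bytes it points to, then check for the PE signature."""
    if len(blob) < 0x40:
        return False
    e_lfanew = struct.unpack("<I", xor4(blob[0x3C:0x40], key, 0x3C))[0]
    if e_lfanew + 4 > len(blob):
        return False
    return xor4(blob[e_lfanew:e_lfanew + 4], key, e_lfanew) == b"PE\x00\x00"

def recover_xor4_key(blob: bytes) -> bytes:
    """Key bytes 0-1 follow directly from the 'MZ' magic; bytes 2-3 are
    brute-forced (65536 candidates) and validated against the PE signature."""
    if len(blob) < 0x40:
        raise ValueError("blob too short to hold a DOS header")
    k0, k1 = blob[0] ^ ord("M"), blob[1] ^ ord("Z")
    for k2 in range(256):
        for k3 in range(256):
            key = bytes((k0, k1, k2, k3))
            if pe_header_ok(blob, key):
                return key
    raise ValueError("no 4-byte XOR key yields a valid PE header")

def decode_payload(blob: bytes) -> bytes:
    """Recover the key and return the decrypted payload."""
    return xor4(blob, recover_xor4_key(blob))

def build_sample() -> tuple[bytes, bytes]:
    """Constructed input: a minimal PE-shaped buffer (not executable code) with
    e_lfanew = 0x80, encrypted under a constructed key. Returns (blob, key)."""
    key = bytes.fromhex("a1b2c3d4")
    plain = bytearray(0x80 + 24)
    plain[0:2] = b"MZ"
    struct.pack_into("<I", plain, 0x3C, 0x80)
    plain[0x80:0x84] = b"PE\x00\x00"
    return xor4(bytes(plain), key), key
```

A wrong key candidate almost always decodes e_lfanew to an offset outside the blob or to bytes that are not the PE signature, which is why the brute force over the last two key bytes is cheap and rarely produces false positives.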