RTM

Introduction

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). ESET RTM Feb 2017

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1189 Drive-by Compromise
• T1547.001 Registry Run Keys / Startup Folder
• T1574.001 DLL
• T1204.002 Malicious File
• T1566.001 Spearphishing Attachment
• T1219.002 Remote Desktop Software
• T1102.001 Dead Drop Resolver

ATT&CK technique IDs (denormalized)

• T1102.001
• T1189
• T1204.002
• T1219.002
• T1547.001
• T1566.001
• T1574.001

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• Backdoor.Oldrea
• RemoteCMD
• RTM
• Back Orifice
• Back Orifice 2000
• CyberGate
• Cyber Eye RAT
• Remote Utilities
• RemotePC
• Cobalt Strike

MITRE ATT&CK Software

• RTM (S0148) — malware

Attribution and Evidence

Information pending cataloguing.

References

[1] mitre-attack [3] ESET RTM Feb 2017 Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.