| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | RTM has used search order hijacking to force TeamViewer to load a malicious DLL.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.[1][2] |
| Enterprise | T1189 | Drive-by Compromise | RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network |
| Enterprise | T1204.002 | User Execution: Malicious File | RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.[2] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.[1] |
| Enterprise | T1219 | Remote Access Software | RTM has used a modified version of TeamViewer and Remote Utilities for remote access.[2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RTM has used spearphishing attachments to distribute its malware.[2] |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0148 | RTM | [1] | Masquerading: Masquerade Task or Service, Masquerading, Modify Registry, Clipboard Data, Encrypted Channel: Symmetric Cryptography, Dynamic Resolution, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Time Discovery, Web Service: Dead Drop Resolver, Automated Collection, Virtualization/Sandbox Evasion, Software Discovery: Security Software Discovery, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Inter-Process Communication: Dynamic Data Exchange, Remote Access Software, Phishing: Spearphishing Attachment, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, Subvert Trust Controls: Install Root Certificate |