| Name | Description |
|---|---|
| Redaman | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | RTM has been delivered as archived Windows executable files masquerading as PDF documents.[2] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | RTM has named the scheduled task it creates "Windows Update".[2] |
| Enterprise | T1112 | Modify Registry | RTM can delete all Registry entries created during its execution.[1] |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1568 | Dynamic Resolution | RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.[3][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1120 | Peripheral Device Discovery | RTM can obtain a list of smart card readers attached to the victim.[1][2] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RTM has initiated connections to external domains using HTTPS.[2] |
| Enterprise | T1083 | File and Directory Discovery | RTM can check for specific files and directories associated with virtualization and malware analysis.[2] |
| Enterprise | T1106 | Native API | RTM can use the |
| Enterprise | T1027 | Obfuscated Files or Information | RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[1][2] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | RTM can delete all files created during its execution.[1][2] |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | RTM has the ability to remove Registry entries that it created for persistence.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery | RTM can obtain the computer name, OS version, and default language identifier.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchains.[1][3][2] |
| Enterprise | T1119 | Automated Collection | RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[1][2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | RTM can detect if it is running within a sandbox or other virtualized analysis environment.[2] |
| Enterprise | T1518 | Software Discovery | RTM can scan victim drives to look for specific banking software on the machine to determine next actions.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | RTM can obtain information about security software on the victim.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | RTM can record keystrokes from both the keyboard and virtual keyboard.[1][2] |
| Enterprise | T1057 | Process Discovery | RTM can obtain information about process integrity levels.[1] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.[1] |
| Enterprise | T1219 | Remote Access Software | RTM has the capability to download a VNC module from command and control (C2).[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RTM has been delivered via spearphishing attachments disguised as PDF documents.[2] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | RTM tries to add a scheduled task to establish persistence.[1][2] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | RTM samples have been signed with code-signing certificates.[1] |
| Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | |