RTM
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.(Citation: ESET RTM Feb 2017)(Citation: Group IB RTM August 2019)
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | RTM has used search order hijacking to force TeamViewer to load a malicious DLL.(Citation: Group IB RTM August 2019)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RTM has used spearphishing attachments to distribute its malware.(Citation: Group IB RTM August 2019)
Enterprise | T1204.002 | User Execution: Malicious File | RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.(Citation: Group IB RTM August 2019)
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.(Citation: ESET RTM Feb 2017)
References
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- ESET Research. (2019, April 30). Buhtrap backdoor and Buran ransomware distributed via major advertising platform. Retrieved May 11, 2020.
- Skulkin, O. (2019, August 5). Following the RTM: Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.