RTM
Associated Software Descriptions

| Name | Description |
|---|---|
| Redaman | (Citation: Unit42 Redaman January 2019) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | RTM can attempt to run the program as admin, then show a fake error message followed by a legitimate UAC prompt, in an attempt to socially engineer the user into approving the elevation.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RTM has initiated connections to external domains using HTTPS.(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RTM tries to add a Registry Run key value named "Windows Update" to establish persistence.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RTM uses the command line and rundll32.exe to execute.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RTM encrypts C2 traffic with a custom RC4 variant.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | RTM can delete all files created during its execution.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | RTM has the ability to remove the Registry entries it created for persistence.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1056.001 | Input Capture: Keylogging | RTM can record keystrokes from both the physical keyboard and the virtual (on-screen) keyboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | RTM has named the scheduled task it creates "Windows Update".(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RTM has been delivered via spearphishing attachments disguised as PDF documents.(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | RTM tries to add a scheduled task to establish persistence.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | RTM can obtain information about security software on the victim.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | RTM samples have been signed with code-signing certificates.(Citation: ESET RTM Feb 2017) |
| Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | RTM can add a certificate to the Windows certificate store.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | RTM runs its core DLL file using rundll32.exe.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1204.002 | User Execution: Malicious File | RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.(Citation: Unit42 Redaman January 2019) |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchains.(Citation: ESET RTM Feb 2017)(Citation: CheckPoint Redaman October 2019)(Citation: Unit42 Redaman January 2019) |
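Detection logic for the host-side tradecraft listed in the table (a Run key value and a scheduled task named "Windows Update", rundll32.exe launching the core DLL, and a certificate written to the Root store), as an added example that is not part of the ATT&CK page or of the ESET, Unit 42 or Check Point reports. It runs over a few constructed Sysmon-style records, not real telemetry: the field names follow Sysmon conventions, and the SID, the DLL path `stat.dll`, and the certificate thumbprint `ABCD1234` are placeholders. The Root store is matched at its standard registry location under `SystemCertificates\Root\Certificates`.

```python
import re

# Constructed Sysmon-style records (EventID 1 = process create, 13 = registry value set).
# Not real telemetry: the SID, DLL path and certificate thumbprint are placeholders.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Users\alice\AppData\Local\Temp\stat.dll,DllGetClassObject"
EventID=1 Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"
EventID=13 TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update" Details="rundll32.exe C:\Users\alice\AppData\Local\Temp\stat.dll,DllGetClassObject"
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn \"Windows Update\" /tr \"rundll32.exe C:\Users\alice\AppData\Local\Temp\stat.dll\" /sc minute /mo 30"
EventID=13 TargetObject="HKU\S-1-5-21-1\Software\Microsoft\SystemCertificates\Root\Certificates\ABCD1234\Blob" Details="Binary Data"
EventID=13 TargetObject="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth" Details="C:\Windows\System32\SecurityHealthSystray.exe"
"""

# key=value pairs; a value is either a double-quoted string (with \" escapes) or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Directories a standard user can write to; rundll32 loading from here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Per-user and machine Root stores are both backed by this registry path.
ROOT_STORE = re.compile(r"\\SystemCertificates\\Root\\Certificates\\", re.I)


def unquote(value):
    """Strip surrounding double quotes and unescape \\\" inside a quoted value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse(line):
    """Turn one key=value record into a dict."""
    return {key: unquote(val) for key, val in FIELD.findall(line)}


def check(event):
    """Return (technique, reason) pairs for the RTM behaviours this event matches."""
    hits = []
    if event.get("EventID") == "1":
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\rundll32.exe") and USER_WRITABLE.search(cmd):
            hits.append(("T1218.011", "rundll32 loading a DLL from a user-writable path"))
        if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and "windows update" in cmd.lower():
            hits.append(("T1053.005", "scheduled task created with the name 'Windows Update'"))
    elif event.get("EventID") == "13":
        target = event.get("TargetObject", "")
        # Windows Update never persists through a Run value, so the exact name is a strong signal.
        if RUN_KEY.search(target) and target.lower().endswith("\\windows update"):
            hits.append(("T1547.001", "Run key value named 'Windows Update'"))
        if ROOT_STORE.search(target):
            hits.append(("T1553.004", "certificate blob written to the Root store"))
    return hits


def scan(log_text):
    """Scan a block of records; returns (line number, technique, reason) tuples."""
    findings = []
    lines = [l for l in log_text.splitlines() if l.strip()]
    for lineno, line in enumerate(lines, start=1):
        for technique, reason in check(parse(line)):
            findings.append((lineno, technique, reason))
    return findings


if __name__ == "__main__":
    for lineno, technique, reason in scan(SAMPLE_LOG):
        print(f"line {lineno}: {technique} - {reason}")
```

The benign records (rundll32 loading shell32.dll from System32, and a Run value for the Security Health tray) are included to show what the rules are meant to let through. The rundll32 rule is the noisiest of the four, since some legitimate installers stage DLLs under Temp; in production it is usually paired with the parent process and the DLL's signature state.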
References
- ESET RTM Feb 2017: Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. ESET. Retrieved March 9, 2017.
- Unit42 Redaman January 2019: Duncan, B. and Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Palo Alto Networks Unit 42. Retrieved June 16, 2020.
- CheckPoint Redaman October 2019: Eisenkraft, K. and Olshtein, A. (2019, October 17). Pony's C&C servers hidden inside the Bitcoin blockchain. Check Point Research. Retrieved June 15, 2020.