Description
[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and primarily targets users of remote banking systems in Russia and neighboring countries. The group uses a Trojan of the same name ([RTM](https://attack.mitre.org/software/S0148)). (Citation: ESET RTM Feb 2017)
Techniques Used (TTPs)
- T1189 — Drive-by Compromise (initial-access)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1204.002 — Malicious File (execution)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1219.002 — Remote Desktop Software (command-and-control)
- T1102.001 — Dead Drop Resolver (command-and-control)
Total TTPs: 7
Malware & Tools
Malware: RTM