Description
[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)
External References
Techniques Used by This Malware
- T1027 — Obfuscated Files or Information
- T1027.015 — Compression
- T1033 — System Owner/User Discovery
- T1036 — Masquerading
- T1036.004 — Masquerade Task or Service
- T1053.005 — Scheduled Task
- T1056.001 — Keylogging
- T1057 — Process Discovery
- T1059.003 — Windows Command Shell
- T1070.004 — File Deletion
- T1070.009 — Clear Persistence
- T1071.001 — Web Protocols
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery
- T1102.001 — Dead Drop Resolver
- T1105 — Ingress Tool Transfer
- T1106 — Native API
- T1112 — Modify Registry
- T1113 — Screen Capture
- T1115 — Clipboard Data
- T1119 — Automated Collection
- T1120 — Peripheral Device Discovery
- T1124 — System Time Discovery
- T1204.002 — Malicious File
- T1218.011 — Rundll32
- T1219 — Remote Access Tools
- T1497 — Virtualization/Sandbox Evasion
- T1518 — Software Discovery
- T1518.001 — Security Software Discovery
- T1547.001 — Registry Run Keys / Startup Folder
- T1548.002 — Bypass User Account Control
- T1553.002 — Code Signing
- T1553.004 — Install Root Certificate
- T1559.002 — Dynamic Data Exchange
- T1566.001 — Spearphishing Attachment
- T1568 — Dynamic Resolution
- T1571 — Non-Standard Port
- T1573.001 — Symmetric Cryptography