RMS Tool’s Sneaky Comeback: Phishing Campaign Mirroring Banned Applications – Cyble

Key Takeaways

• Threat Actors (TAs) have increasingly employed phishing campaigns based on applications banned in specific countries or regions.
• In a recent case targeting Russian users, TAs crafted phishing sites mimicking popular applications such as ExpressVPN, WeChat, and Skype, all of which are prohibited in Russia.
• Intriguingly, these sites were used to distribute the same RMS (Remote Management System) executable, a legitimate remote administration tool.
• The presence of the Russian language in the malware binary suggests the TA’s potential Russian origin.
• In the past, TA505 has reportedly employed RMS (Remote Manipulator System) to gain initial access in their cyber operations. TA505, a Russian-speaking threat actor group, has been operational since 2014 and has a history of targeting a wide range of sectors worldwide.
• It’s possible that this campaign might be executed by TA505, although we can’t be certain about it.
• After gaining initial access, the TA could potentially employ other malware families for activities such as stealing sensitive information, etc.

Overview

Lately, there has been a trend among TAs where they appear to be adapting their tactics to exploit the allure of applications banned in specific regions, potentially making users more susceptible to cyberattacks. These campaigns appear to be cleverly designed to exploit users’ cravings to use these restricted apps, potentially leaving them vulnerable to cyberattacks. An example of this was seen in a recent campaign where Chinese users were targeted through a counterfeit Telegram installer.

Cyble Research and Intelligence Labs (CRIL) recently observed a campaign aimed at Russian users, where TAs crafted phishing websites that mimicked popular applications like ExpressVPN, WeChat, and Skype. All these applications are not accessible in Russia due to nationwide restrictions.

We observed the following phishing domains, which were delivering RMS. These phishing sites pretend to be hosting legitimate applications for different Operating Systems (OS) while they actually spread malicious applications.

• express-vpn[.]fun. This phishing site has cloned the ExpressVPN site, which provides VPN services.

• we-chat[.]info. This site impersonates WeChat – a Chinese instant messaging and social media application.

• join-skype[.]com. This phishing site appears to be inviting users to a group named “Nazi”. This suggests that TA might be spreading this link via emails or chat applications.

The consistent delivery of the same RMS (Remote Manipulator System) executable across all these phishing sites strongly indicates that a single Threat Actor (TA) or a closely coordinated group was indeed responsible for orchestrating these attacks. RMS is a legitimate tool designed by a Russian organization, Tekton Inc., for remote administration, but several TAs have been spotted in the past leveraging this to get initial access.

Notably, in the past, TA505 has been linked to the use of RMS in their cyber operations. TA505 is a Russian-speaking threat actor group that has been actively operating since 2014, establishing itself as a significant player in the global cybercrime landscape. TA505 utilized RMS to infiltrate networks and bypass conventional security measures. They achieve this through phishing emails that contain malicious Microsoft Office documents backed by effective social engineering techniques.  

Technical Analysis

Dropper

The identified phishing sites distributed either a malicious Self-extracting archive (SFX) or directly provided an RMS binary. The SFX files are typically used to simplify the extraction of files from an archive, eliminating the need for external software or utilities.

SFX archives offer customization options for the extraction and installation process. Users can set installation paths, configure options, and control the appearance of the installation interface. Threat actors (TAs) exploit this feature, using SFX archives to hide their malicious payloads, making them appear as legitimate software installers. This deceptive tactic is a well-known technique employed by cybercriminals to disguise their malicious payloads and deceive users into executing them, often by making the SFX files seem like genuine software installations.

In one notable instance within this campaign, the ExpressVPN phishing site downloads an SFX archive when the user clicks on the “Download VPN” button. This SFX archive file is designed to impersonate a legitimate ExpressVPN installer while covertly delivering a malicious payload When execution.

Upon execution, the SFX file (SHA256: 0deeb551455cc532832a4f7201fb0f85034f9f3ee1a1320e6b7b300ddaa3bb85) writes the following data to Registry key “HKCUSoftwareWinRAR SFX”. This registry key contains data related to the functionality of an SFX archive, such as the name and location where the archived content will be dropped, etc.

• C:UsersUser_nameAppDataLocalTempexpressvpn_windows_12.58.0.4_release

The figure below shows the entry made to the system’s registry.

This SFX file further creates a folder named “expressvpn_windows_12.58.0.4_release” in the %temp% folder and drops the following files:

• expressvpn.exe: This file is an RMS executable.
• expressvpn_windows_12.58.0.4_release.exe: This file is a clean ExpressVPN installer.

The figure below shows the content of the SFX archive and its script.

After dropping the files in the %temp% directory, the SFX file executes an RMS executable quietly in the background to conceal its presence from the users. It complements this operation by executing the ExpressVPN installation wizard in the foreground, using it as a decoy to distract and mislead users, as shown in the figure below.

 The figure below shows the process tree.

RMS Executable

RMS is a legitimate remote administration tool and has been leveraged in various campaigns, including those conducted by TA505, as well as numerous smaller campaigns that may be attributed to different TAs. This tool is not only available for commercial use but is also free for non-commercial purposes. It supports remote administration for Microsoft Windows, Linux, MacOS, iOS and Android devices. It enables capabilities such as remote control, desktop sharing, file transfers, etc. The figure below shows the version details of the RMS used in this campaign.

Upon execution, the RMS executable “expressvpn.exe” creates a folder named:

MSI_ { A string of 32 characters which consists of Alphanumeric characters and -}

in the %temp% directory and drops an installer file named “host.msi” in it.

Now, it executes the installer file using msiexec.exe with the “-qn” command line option, leading to the silent installation of the MSI package located at the specified path without displaying any user interface dialogs and drops RMS related files in the “C:Program Files (x86)Remote Manipulator System – Host” directory, as shown in the figure below.

Subsequently, it creates a Windows service by adding the “RManService” registry key in “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices“, as shown below.

The file named “rutserv.exe” mentioned in Figure 10 is an RMS utility. It further creates processes such as “rfusclient.exe” and “drvinstaller64.exe”, which help in establishing a remote connection. The figure below shows the processes created by the RMS remote utility file.

RMS Configuration

The configuration of the RMS client is added as hex-encoded XML data to the following Registry Key:

The figure below shows the hex-encoded configuration data. This configuration data consists of data required for operations such as data transmission, email notifications, remote access,  screen recording, etc.

The configuration data is divided into different sections. Following is an overview of the information contained in each of these sections:

• rms_inet_id_notification:

This section contains settings related to internet identification, email notifications, and other related configurations. It includes settings such as generating a new ID, sending notifications to an email address, SMTP settings, and more.

• security_settings:

This section contains security settings, including password hashes, user access lists, IP filter settings, and various options to control remote access and permissions etc. The figure below shows the security settings.

• general_settings:

This section includes general settings for the RMS, such as port configurations, language preferences, callback settings, and notification preferences. The figure below shows the general settings.

• rms_internet_id_settings:

This section contains data related to internet ID settings, including port configurations and PIN-related options.

• certificte_settings:

This section contains certificate-related settings, including certificates and private keys. The figure below shows the certificate settings.

• sreen_record_option:

This section is related to screen recording options, including settings for intervals, quality, compression, and file management. The figure below shows the screen record options.

• local_settings:

This section consists of local settings, including options related to WDDM (Windows Display Driver Model) downgrades.

Exfiltration

RMS incorporates an ‘Internet-ID’ functionality, which establishes a connection with the developers’ servers and triggers an email notification. In the notification email, the victim’s username and device name are included, alongside the internet ID and the necessary password for remote administration. This feature lowers the barrier for less sophisticated TAs by simplifying the attack process.

The figure below shows the decoded configuration data, which consists of the TA’s smtp settings.

The notification email is dispatched using the SMTP protocol. It establishes a connection with the IP address “31.31.194.65,” which resolves to “mail.hosting.reg.ru.” Other Command and Control (C&C) communications over TCP are utilized to transmit the victim’s data. The figure below shows the network connections made by the RMS remote utility.

The victim data is transmitted in Base64-encoded XML format. This data is sent to two IP addresses, namely 77.223.124.212 and 95.213.205.83, both over port 5655. The figure below shows the encoded data sent to the C&C server. 

The structure of the XML data sent to the C&C server resembles the configuration data stored in the registry. This data consists of the victim’s country code, device name, OS details, and a flag variable, which is set to true if the RMS client is executed with administrator privileges. The figure below shows the decoded data.

Conclusion

The utilization of legitimate remote administration tools by TAs has become a prevailing trend in the cybersecurity landscape. These tools offer a convenient cloak of legitimacy, allowing TAs to blend in with regular network traffic while conducting their activities undetected. The advantage they provide lies in their ability to circumvent traditional security measures and gain unauthorized access to systems and networks.

The combination of a free version and multi-OS support makes RMS an appealing tool for both legitimate users seeking remote administration solutions and malicious actors looking for versatile means to infiltrate and compromise a wide array of systems.

Once they have gained initial access to a network, TAs can employ this tool to facilitate lateral movement, establish persistence, and disseminate other malware families like ransomware and data wipers.

Our Recommendations

• Implement application whitelisting to restrict the execution of unknown or unapproved applications, including remote administration tools, on endpoints.
• Periodically review the list of services running on your systems, paying close attention to any service named “RManService”. If you have any doubts about its authenticity, consider disabling or removing it.
• Implement network traffic monitoring and analysis tools to inspect outbound traffic, especially on port 5655. Set up alerts for unusual or suspicious traffic patterns, which may indicate communication with a C&C server.

MITRE ATT&CK® Techniques

Tactic	Technique	Procedure
Initial Access (TA0001)	Phishing (T1566)	The RMS dropper reaches users via phishing sites.
Execution  (TA0002)	User Execution (T1204)	The user needs to execute the malicious file downloaded manually from the phishing site
Execution  (TA0002)	Command and Scripting Interpreter (T1059)	cmd.exe is used to collect system information
Execution  (TA0002)	System Services (T1569)	The RMS utility is installed as a service.
Execution  (TA0002)	Software Deployment Tools (T1072)	The attacker is using RMS, a legitimate Remote Administration Tool
Persistence (TA0003)	Create or Modify System Process: Windows Service (T1543.003)	Creates Windows services to repeatedly execute RMS utility
Defense Evasion (TA0005)	Obfuscated Files or Information (T1027)	RMS Executable packed with UPX
Collection (TA0009)	Data from the Local System (T1005)	The malware collects sensitive data from victim’s system
Command and Control (TA0011)	Data Encoding (T1132)	Base64 encode XML data
Command and Control (TA0011)	Non-Application Layer Protocol (T1095)	Sends Data using TCP
Exfiltration (TA0010)	Exfiltration Over C2 Channel (T1041)	Exfiltrates over an existing command and control channel

Indicators	Indicator Type	Description
express-vpn[.]fun	Domain	Phishing Site
we-chat[.]info	Domain	Phishing Site
join-skype[.]com	Domain	Phishing Site
0deeb551455cc532832a4f7201fb0f85034f9f3ee1a1320e6b7b300ddaa3bb85	SHA256	Installer.exe
3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc	SHA256	Malicious Executable
a5a34195a4db94f212535d5182a044d74fe67b31a3e50d7d26148e6d1a103793	SHA256	Host.msi
77.223.124[.]212	IP	C&C
95.213.205[.]83	IP	C&C

Related

Source: https://cyble.com/blog/rms-tools-sneaky-comeback-phishing-campaign-mirroring-banned-applications/