Threat Actors Employ Remote Admin Tools to Gain Access

Last Updated: October 30, 2023

Threat Actors Employ Remote Admin Tools to Gain Access over Corporate Networks

Recently, threat actors have adapted their tactics, exploiting the appeal of apps that are banned in specific regions to make users more susceptible to cyberattacks through carefully crafted campaigns.

A recent campaign that lured Chinese users with a fake Telegram installer illustrates this tactic.

Cybersecurity researchers at CRIL (Cyble Research and Intelligence Labs) noted a campaign targeting Russian users, where threat actors created phishing sites mimicking restricted apps like-





Experts identified the following phishing domains delivering RMS; they pose as legitimate OS applications but distribute malware:

  • express-vpn[.]fun
  • we-chat[.]info
  • join-skype[.]com

Threat Actors Employ Remote Admin Tools

The consistent use of the same RMS executable across these phishing sites strongly suggests a single or closely coordinated threat actor group was behind these attacks.

The phishing sites distributed either a malicious Self-extracting archive (SFX) or an RMS binary. For instance, the ExpressVPN phishing site in this campaign downloads an SFX archive that mimics a genuine installer but delivers malware upon execution.

After execution, the SFX file modifies the ‘HKCU\Software\WinRAR SFX’ Registry key and creates an ‘expressvpn_windows_12.58.0.4_release’ folder in %temp% containing the following files:

  • expressvpn.exe: This file is an RMS executable.
  • expressvpn_windows_12.58.0.4_release.exe: This file is a clean ExpressVPN installer.
SFX Archive (Source – Cyble)

The SFX file quietly runs an RMS executable in the background while simultaneously using the ExpressVPN installation wizard as a decoy to divert and confuse users.

Process Tree (Source – Cyble)

RMS, initially a legitimate tool, has been used in campaigns by TA505 and other threat actors. It’s free for non-commercial use and supports remote administration across multiple platforms, offering features like remote control and file transfers.

After execution, ‘expressvpn.exe’ creates a unique folder in %temp%, drops ‘host.msi’ there, silently installs it via msiexec.exe, and places the RMS files in ‘C:\Program Files (x86)\Remote Manipulator System – Host’.

The RMS client configuration is hex-encoded in a Registry Key and includes data for functions like:- 

  • Data transmission
  • Email alerts
  • Remote access
  • Screen recording

The configuration data is organized into the following distinct sections:

  • rms_inet_id_notification
  • security_settings
  • general_settings
  • rms_internet_id_settings
  • certificte_settings
  • sreen_record_option
  • local_settings

RMS includes an ‘Internet-ID’ feature for connecting to developer servers. It sends an email notification containing victim details and remote access credentials, which makes attacks more accessible to less sophisticated threat actors.

The notification email, sent via SMTP to “31.31.194.65” (resolved as “mail.hosting.reg.ru”), initiates C&C communications over TCP to transmit victim data.

Network Connections (Source – Cyble)

Victim data, in Base64-encoded XML, goes to IP addresses 77.223.124.212 and 95.213.205.83 via port 5655. It mirrors registry-stored configuration data, including country code, device name, OS details, and an admin privilege flag.

Recommendations

The recommendations are as follows:

  • Enforce application whitelisting to limit unapproved app execution, including remote admin tools, on endpoints.
  • Regularly check your system’s services list, especially for “RManService.” If unsure, consider disabling or removing it.
  • Use network traffic tools to monitor outbound traffic, especially on port 5655, and set alerts for unusual patterns that could signal C&C server communication.
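
The network-monitoring recommendation above, as an added example (not code from Cyble or from this article's author): a Python triage pass over a constructed flow log that flags outbound TCP to port 5655, the two server addresses and the SMTP host named in the article, and ranks a host higher when it shows both the notification e-mail and the port 5655 traffic. The log format, the host names and the set of SMTP ports are assumptions.

```python
import csv
import io

# Indicators taken from the article text.
RMS_PORT = 5655
RMS_C2_IPS = {"77.223.124.212", "95.213.205.83"}
RMS_SMTP_IP = "31.31.194.65"
SMTP_PORTS = {25, 465, 587}  # assumption: the article only says "SMTP"

# Constructed sample flow log (assumed format: time,src_host,dst_ip,dst_port,proto).
SAMPLE_LOG = """\
2023-10-30T09:00:01Z,WS-014,192.0.2.10,443,tcp
2023-10-30T09:00:05Z,WS-022,31.31.194.65,587,tcp
2023-10-30T09:00:09Z,WS-022,77.223.124.212,5655,tcp
2023-10-30T09:01:40Z,WS-031,198.51.100.7,5655,tcp
2023-10-30T09:02:13Z,MAIL-01,203.0.113.25,25,tcp
"""

def classify(dst_ip, dst_port):
    """Return the reasons a single flow matches the article's indicators."""
    reasons = []
    if dst_ip in RMS_C2_IPS:
        reasons.append("known-rms-server")
    if dst_port == RMS_PORT:
        reasons.append("port-5655")
    if dst_ip == RMS_SMTP_IP and dst_port in SMTP_PORTS:
        reasons.append("rms-smtp-notification")
    return reasons

def triage(log_text):
    """Group matching flows per host and rank by how much of the chain was seen."""
    hits = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[3].isdigit() or row[4].lower() != "tcp":
            continue  # skip malformed or non-TCP records
        _, host, dst_ip, dst_port, _ = row
        hits.setdefault(host, set()).update(classify(dst_ip, int(dst_port)))
    report = {}
    for host, reasons in hits.items():
        if reasons:
            # Notification e-mail plus port 5655 is the full sequence described above.
            full = "rms-smtp-notification" in reasons and "port-5655" in reasons
            level = "high" if full or "known-rms-server" in reasons else "review"
            report[host] = (level, sorted(reasons))
    return report

if __name__ == "__main__":
    for host, (level, reasons) in sorted(triage(SAMPLE_LOG).items()):
        print(host, level, ", ".join(reasons))
```

A host that only shows port 5655 traffic to an unlisted address is marked "review" rather than "high", since the port alone is a weaker signal than the listed addresses.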
