Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/24/2019
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

TA505 Abusing Legit Remote Admin Tool in String of Attacks

Russian-speaking threat group has been targeting retailers and financial institutions in the US and abroad via a spear-phishing campaign.

05/26/2019 UPDATE: This story has been updated with comments from TektonIT founder Alex Ter-Osipov.

Researchers from Cyberint have attributed a string of recent attacks against retailers and financial institutions in the United States and elsewhere to TA505, a financially motivated, Russian-speaking threat group known for distributing banking malware, exploit kits, and ransomware.

The security vendor's conclusion is based on its analysis of indicators and behaviors associated with a spear-phishing campaign that targeted US-based retailers between December 2018 and March 2019 — and subsequent attacks on financial institutions in Italy, India, Chile, and elsewhere.

The attacks have leveraged a legitimate remote administration software product and long-familiar infection tactics to try and steal from targeted victims.

For enterprise organizations, the TA505 attacks are another reminder of how cyberattackers don't always have to be very sophisticated to be very effective, says Jason Hill, lead cybersecurity researcher at Cyberint. "This is very much a case of a threat actor continuing to use tried-and-tested tactics because they work," Hill says. "They'll continue to do this so long as someone keeps falling for it."

In a recent report, Cyberint said that TA505's attacks on US-based retailers and organizations in the food and beverage industry last December began with a spear-phishing email containing a malicious Word document. When opened, the document would encourage the recipient to disable Microsoft Office's security features and try to eventually get them to download a copy of Remote Manipulator System (RMS), a legitimate remote administration tool from Russian software vendor TektonIT.

RMS is available in both a commercial and a free version and is designed to give administrators a way to remotely access and manage Microsoft Windows and Android devices. By default, the tool, like most remote admin tools, is set up to alert users when it is being installed on a system, Hill says.

But like other remote admin tools, it also gives administrators the ability to completely switch off alerts, icons, and any other indicators of its presence on a system. In its attacks, TA505 actors have been doing exactly this and making RMS as silent as possible on infected systems, Hill notes.

Eli Salem, a security analyst at Cybereason, which is also scheduled to publish a report on TA505's activities this week, says the remote admin tool gives attackers the ability to do enormous damage. "Once the attackers are inside, they can do whatever they want," Salem says. This includes extracting data, stealing credentials, downloading additional malicious payload, and lateral movement. "Once the door is open, they just need to choose what they want to do with it," he adds.

The TA505 group itself has been taking advantage of a feature in RMS that allows them to set up their own remote utilities server for communicating with and controlling infected clients. The server acts as the command-and-control (C2) server for the infected devices.

But TektonIT's RMS product also includes a feature that allows attackers to achieve the same control without having to set up a separate C2 server — which has made the software particularly popular among nonsophisticated attackers, Hill says. In fact, Cyberint has observed several other unsophisticated threat groups using RMS in attacks similar to the ones that TA505 has been executing because of how easy it is to abuse the remote admin tool.

Double-Edged Sword
Because RMS has legitimate uses, it is unlikely that antivirus and antimalware tools would typically flag its presence on a system as being necessarily malicious, he says. In addition, because of the manner in which attackers are using it, there is a possibility that some antivirus tools may detect it as potentially unwanted. Organizations can also block file hashes and communications associated with the remote admin tool, Hill says.

Cyberint researchers have also observed TA505 leverage a backdoor called ServHelper in targeted attacks against US financial organizations. Email security vendor Proofpoint reported on the threat earlier this year. ServHelper, like RMS, is downloaded via malicious macros in spear-phishing emails and comes in two forms: one that enables remote desktop functions and another that acts as a downloader for additional malware.

For enterprise organizations, the advice is the same as it has been with any phishing-related threat for the past several years.

"As an initial preventive measure, organizations must inform employees not to open any mail they receive because social engineering is still a very powerful tool that attackers tend to use," Salem says. "Second, organizations need to keep an eye on any activity that seems out of the norm, even in seemingly legitimate and certified files or in processes that are legitimate in nature."

UPDATE
Alex Ter-Osipov, founder of TektonIT, says Cyberint has not made it clear that TA505 and others are using hacked, modified versions of RMS in their attacks. It is not possible to completely hide legitimately purchased versions of RMS on a system, he says.

"The official out-of-the-box version won't allow hackers to hide its tray icon in the system tray or disable changing the icon color when a live remote session is in progress," Ter-Osipov says. "If an RMS installed on a victim's PC allows hiding its presence to the user, then it is a modified/patched version built by hackers" with the sole idea of gaining illegitimate access to systems.

Cyberint's Hill says the company will review Ter-Osipov's laims and see whether an update is appropriate. "Given the widespread abuse of the tool, ultimately I think that it is a case of organizations assessing their own risk appetite and determining if this is something that they want to allow to run on their networks," he says.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...