Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/24/2019
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

TA505 Abusing Legit Remote Admin Tool in String of Attacks

Russian-speaking threat group has been targeting retailers and financial institutions in the US and abroad via a spear-phishing campaign.

05/26/2019 UPDATE: This story has been updated with comments from TektonIT founder Alex Ter-Osipov.

Researchers from Cyberint have attributed a string of recent attacks against retailers and financial institutions in the United States and elsewhere to TA505, a financially motivated, Russian-speaking threat group known for distributing banking malware, exploit kits, and ransomware.

The security vendor's conclusion is based on its analysis of indicators and behaviors associated with a spear-phishing campaign that targeted US-based retailers between December 2018 and March 2019 — and subsequent attacks on financial institutions in Italy, India, Chile, and elsewhere.

The attacks have leveraged a legitimate remote administration software product and long-familiar infection tactics to try and steal from targeted victims.

For enterprise organizations, the TA505 attacks are another reminder of how cyberattackers don't always have to be very sophisticated to be very effective, says Jason Hill, lead cybersecurity researcher at Cyberint. "This is very much a case of a threat actor continuing to use tried-and-tested tactics because they work," Hill says. "They'll continue to do this so long as someone keeps falling for it."

In a recent report, Cyberint said that TA505's attacks on US-based retailers and organizations in the food and beverage industry last December began with a spear-phishing email containing a malicious Word document. When opened, the document would encourage the recipient to disable Microsoft Office's security features and try to eventually get them to download a copy of Remote Manipulator System (RMS), a legitimate remote administration tool from Russian software vendor TektonIT.

RMS is available in both a commercial and a free version and is designed to give administrators a way to remotely access and manage Microsoft Windows and Android devices. By default, the tool, like most remote admin tools, is set up to alert users when it is being installed on a system, Hill says.

But like other remote admin tools, it also gives administrators the ability to completely switch off alerts, icons, and any other indicators of its presence on a system. In its attacks, TA505 actors have been doing exactly this and making RMS as silent as possible on infected systems, Hill notes.

Eli Salem, a security analyst at Cybereason, which is also scheduled to publish a report on TA505's activities this week, says the remote admin tool gives attackers the ability to do enormous damage. "Once the attackers are inside, they can do whatever they want," Salem says. This includes extracting data, stealing credentials, downloading additional malicious payload, and lateral movement. "Once the door is open, they just need to choose what they want to do with it," he adds.

The TA505 group itself has been taking advantage of a feature in RMS that allows them to set up their own remote utilities server for communicating with and controlling infected clients. The server acts as the command-and-control (C2) server for the infected devices.

But TektonIT's RMS product also includes a feature that allows attackers to achieve the same control without having to set up a separate C2 server — which has made the software particularly popular among nonsophisticated attackers, Hill says. In fact, Cyberint has observed several other unsophisticated threat groups using RMS in attacks similar to the ones that TA505 has been executing because of how easy it is to abuse the remote admin tool.

Double-Edged Sword
Because RMS has legitimate uses, it is unlikely that antivirus and antimalware tools would typically flag its presence on a system as being necessarily malicious, he says. In addition, because of the manner in which attackers are using it, there is a possibility that some antivirus tools may detect it as potentially unwanted. Organizations can also block file hashes and communications associated with the remote admin tool, Hill says.

Cyberint researchers have also observed TA505 leverage a backdoor called ServHelper in targeted attacks against US financial organizations. Email security vendor Proofpoint reported on the threat earlier this year. ServHelper, like RMS, is downloaded via malicious macros in spear-phishing emails and comes in two forms: one that enables remote desktop functions and another that acts as a downloader for additional malware.

For enterprise organizations, the advice is the same as it has been with any phishing-related threat for the past several years.

"As an initial preventive measure, organizations must inform employees not to open any mail they receive because social engineering is still a very powerful tool that attackers tend to use," Salem says. "Second, organizations need to keep an eye on any activity that seems out of the norm, even in seemingly legitimate and certified files or in processes that are legitimate in nature."

UPDATE
Alex Ter-Osipov, founder of TektonIT, says Cyberint has not made it clear that TA505 and others are using hacked, modified versions of RMS in their attacks. It is not possible to completely hide legitimately purchased versions of RMS on a system, he says.

"The official out-of-the-box version won't allow hackers to hide its tray icon in the system tray or disable changing the icon color when a live remote session is in progress," Ter-Osipov says. "If an RMS installed on a victim's PC allows hiding its presence to the user, then it is a modified/patched version built by hackers" with the sole idea of gaining illegitimate access to systems.

Cyberint's Hill says the company will review Ter-Osipov's laims and see whether an update is appropriate. "Given the widespread abuse of the tool, ultimately I think that it is a case of organizations assessing their own risk appetite and determining if this is something that they want to allow to run on their networks," he says.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10136
PUBLISHED: 2020-06-02
Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access cont...
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.