05/26/2019 UPDATE: This story has been updated with comments from TektonIT founder Alex Ter-Osipov.
Researchers from Cyberint have attributed a string of recent attacks against retailers and financial institutions in the United States and elsewhere to TA505, a financially motivated, Russian-speaking threat group known for distributing banking malware, exploit kits, and ransomware.
The security vendor's conclusion is based on its analysis of indicators and behaviors associated with a spear-phishing campaign that targeted US-based retailers between December 2018 and March 2019 — and subsequent attacks on financial institutions in Italy, India, Chile, and elsewhere.
The attacks have leveraged a legitimate remote administration software product and long-familiar infection tactics to try and steal from targeted victims.
For enterprise organizations, the TA505 attacks are another reminder of how cyberattackers don't always have to be very sophisticated to be very effective, says Jason Hill, lead cybersecurity researcher at Cyberint. "This is very much a case of a threat actor continuing to use tried-and-tested tactics because they work," Hill says. "They'll continue to do this so long as someone keeps falling for it."
In a recent report, Cyberint said that TA505's attacks on US-based retailers and organizations in the food and beverage industry last December began with a spear-phishing email containing a malicious Word document. When opened, the document would encourage the recipient to disable Microsoft Office's security features and try to eventually get them to download a copy of Remote Manipulator System (RMS), a legitimate remote administration tool from Russian software vendor TektonIT.
RMS is available in both a commercial and a free version and is designed to give administrators a way to remotely access and manage Microsoft Windows and Android devices. By default, the tool, like most remote admin tools, is set up to alert users when it is being installed on a system, Hill says.
But like other remote admin tools, it also gives administrators the ability to completely switch off alerts, icons, and any other indicators of its presence on a system. In its attacks, TA505 actors have been doing exactly this and making RMS as silent as possible on infected systems, Hill notes.
Eli Salem, a security analyst at Cybereason, which is also scheduled to publish a report on TA505's activities this week, says the remote admin tool gives attackers the ability to do enormous damage. "Once the attackers are inside, they can do whatever they want," Salem says. This includes extracting data, stealing credentials, downloading additional malicious payload, and lateral movement. "Once the door is open, they just need to choose what they want to do with it," he adds.
The TA505 group itself has been taking advantage of a feature in RMS that allows them to set up their own remote utilities server for communicating with and controlling infected clients. The server acts as the command-and-control (C2) server for the infected devices.
But TektonIT's RMS product also includes a feature that allows attackers to achieve the same control without having to set up a separate C2 server — which has made the software particularly popular among nonsophisticated attackers, Hill says. In fact, Cyberint has observed several other unsophisticated threat groups using RMS in attacks similar to the ones that TA505 has been executing because of how easy it is to abuse the remote admin tool.
Because RMS has legitimate uses, it is unlikely that antivirus and antimalware tools would typically flag its presence on a system as being necessarily malicious, he says. In addition, because of the manner in which attackers are using it, there is a possibility that some antivirus tools may detect it as potentially unwanted. Organizations can also block file hashes and communications associated with the remote admin tool, Hill says.
Cyberint researchers have also observed TA505 leverage a backdoor called ServHelper in targeted attacks against US financial organizations. Email security vendor Proofpoint reported on the threat earlier this year. ServHelper, like RMS, is downloaded via malicious macros in spear-phishing emails and comes in two forms: one that enables remote desktop functions and another that acts as a downloader for additional malware.
For enterprise organizations, the advice is the same as it has been with any phishing-related threat for the past several years.
"As an initial preventive measure, organizations must inform employees not to open any mail they receive because social engineering is still a very powerful tool that attackers tend to use," Salem says. "Second, organizations need to keep an eye on any activity that seems out of the norm, even in seemingly legitimate and certified files or in processes that are legitimate in nature."
Alex Ter-Osipov, founder of TektonIT, says Cyberint has not made it clear that TA505 and others are using hacked, modified versions of RMS in their attacks. It is not possible to completely hide legitimately purchased versions of RMS on a system, he says.
"The official out-of-the-box version won't allow hackers to hide its tray icon in the system tray or disable changing the icon color when a live remote session is in progress," Ter-Osipov says. "If an RMS installed on a victim's PC allows hiding its presence to the user, then it is a modified/patched version built by hackers" with the sole idea of gaining illegitimate access to systems.
Cyberint's Hill says the company will review Ter-Osipov's laims and see whether an update is appropriate. "Given the widespread abuse of the tool, ultimately I think that it is a case of organizations assessing their own risk appetite and determining if this is something that they want to allow to run on their networks," he says.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.