Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/24/2019
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

TA505 Abusing Legit Remote Admin Tool in String of Attacks

Russian-speaking threat group has been targeting retailers and financial institutions in the US and abroad via a spear-phishing campaign.

05/26/2019 UPDATE: This story has been updated with comments from TektonIT founder Alex Ter-Osipov.

Researchers from Cyberint have attributed a string of recent attacks against retailers and financial institutions in the United States and elsewhere to TA505, a financially motivated, Russian-speaking threat group known for distributing banking malware, exploit kits, and ransomware.

The security vendor's conclusion is based on its analysis of indicators and behaviors associated with a spear-phishing campaign that targeted US-based retailers between December 2018 and March 2019 — and subsequent attacks on financial institutions in Italy, India, Chile, and elsewhere.

The attacks have leveraged a legitimate remote administration software product and long-familiar infection tactics to try and steal from targeted victims.

For enterprise organizations, the TA505 attacks are another reminder of how cyberattackers don't always have to be very sophisticated to be very effective, says Jason Hill, lead cybersecurity researcher at Cyberint. "This is very much a case of a threat actor continuing to use tried-and-tested tactics because they work," Hill says. "They'll continue to do this so long as someone keeps falling for it."

In a recent report, Cyberint said that TA505's attacks on US-based retailers and organizations in the food and beverage industry last December began with a spear-phishing email containing a malicious Word document. When opened, the document would encourage the recipient to disable Microsoft Office's security features and try to eventually get them to download a copy of Remote Manipulator System (RMS), a legitimate remote administration tool from Russian software vendor TektonIT.

RMS is available in both a commercial and a free version and is designed to give administrators a way to remotely access and manage Microsoft Windows and Android devices. By default, the tool, like most remote admin tools, is set up to alert users when it is being installed on a system, Hill says.

But like other remote admin tools, it also gives administrators the ability to completely switch off alerts, icons, and any other indicators of its presence on a system. In its attacks, TA505 actors have been doing exactly this and making RMS as silent as possible on infected systems, Hill notes.

Eli Salem, a security analyst at Cybereason, which is also scheduled to publish a report on TA505's activities this week, says the remote admin tool gives attackers the ability to do enormous damage. "Once the attackers are inside, they can do whatever they want," Salem says. This includes extracting data, stealing credentials, downloading additional malicious payload, and lateral movement. "Once the door is open, they just need to choose what they want to do with it," he adds.

The TA505 group itself has been taking advantage of a feature in RMS that allows them to set up their own remote utilities server for communicating with and controlling infected clients. The server acts as the command-and-control (C2) server for the infected devices.

But TektonIT's RMS product also includes a feature that allows attackers to achieve the same control without having to set up a separate C2 server — which has made the software particularly popular among nonsophisticated attackers, Hill says. In fact, Cyberint has observed several other unsophisticated threat groups using RMS in attacks similar to the ones that TA505 has been executing because of how easy it is to abuse the remote admin tool.

Double-Edged Sword
Because RMS has legitimate uses, it is unlikely that antivirus and antimalware tools would typically flag its presence on a system as being necessarily malicious, he says. In addition, because of the manner in which attackers are using it, there is a possibility that some antivirus tools may detect it as potentially unwanted. Organizations can also block file hashes and communications associated with the remote admin tool, Hill says.

Cyberint researchers have also observed TA505 leverage a backdoor called ServHelper in targeted attacks against US financial organizations. Email security vendor Proofpoint reported on the threat earlier this year. ServHelper, like RMS, is downloaded via malicious macros in spear-phishing emails and comes in two forms: one that enables remote desktop functions and another that acts as a downloader for additional malware.

For enterprise organizations, the advice is the same as it has been with any phishing-related threat for the past several years.

"As an initial preventive measure, organizations must inform employees not to open any mail they receive because social engineering is still a very powerful tool that attackers tend to use," Salem says. "Second, organizations need to keep an eye on any activity that seems out of the norm, even in seemingly legitimate and certified files or in processes that are legitimate in nature."

UPDATE
Alex Ter-Osipov, founder of TektonIT, says Cyberint has not made it clear that TA505 and others are using hacked, modified versions of RMS in their attacks. It is not possible to completely hide legitimately purchased versions of RMS on a system, he says.

"The official out-of-the-box version won't allow hackers to hide its tray icon in the system tray or disable changing the icon color when a live remote session is in progress," Ter-Osipov says. "If an RMS installed on a victim's PC allows hiding its presence to the user, then it is a modified/patched version built by hackers" with the sole idea of gaining illegitimate access to systems.

Cyberint's Hill says the company will review Ter-Osipov's laims and see whether an update is appropriate. "Given the widespread abuse of the tool, ultimately I think that it is a case of organizations assessing their own risk appetite and determining if this is something that they want to allow to run on their networks," he says.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...