Recently, threat actors have adapted tactics, exploiting the appeal of banned apps in specific regions, making users more susceptible to cyberattacks through cleverly crafted campaigns.
In a recent campaign, Chinese users were lured with a fake Telegram installer to illustrate this tactic.
Cybersecurity researchers at CRIL (Cyble Research and Intelligence Labs) noted a campaign targeting Russian users, where threat actors created phishing sites mimicking restricted apps like-
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Experts identified the following phishing domains delivering RMS, disguising as legitimate OS applications but distributing malware:-
- express-vpn[.]fun
- we-chat[.]info
- join-skype[.]com
Threat Actors Employ Remote Admin Tools
The consistent use of the same RMS executable across these phishing sites strongly suggests a single or closely coordinated threat actor group was behind these attacks.
The phishing sites distributed either a malicious Self-extracting archive (SFX) or an RMS binary. For instance, the ExpressVPN phishing site in this campaign downloads an SFX archive that mimics a genuine installer but delivers malware upon execution.
After execution, the SFX file modifies the ‘HKCUSoftwareWinRAR SFX’ Registry key and creates a ‘expressvpn_windows_12.58.0.4_release’ folder in %temp% with specific files:-
- expressvpn.exe: This file is an RMS executable.
- expressvpn_windows_12.58.0.4_release.exe: This file is a clean ExpressVPN installer.
The SFX file quietly runs an RMS executable in the background while simultaneously using the ExpressVPN installation wizard as a decoy to divert and confuse users.
RMS, initially a legitimate tool, has been used in campaigns by TA505 and other threat actors. It’s free for non-commercial use and supports remote administration across multiple platforms, offering features like remote control and file transfers.
After execution, ‘expressvpn.exe’ creates a unique folder in %temp%, drops ‘host.msi,’ silently installs it via msiexec.exe, and places RMS files in ‘C:Program Files (x86)Remote Manipulator System – Host’.
The RMS client configuration is hex-encoded in a Registry Key and includes data for functions like:-
- Data transmission
- Email alerts
- Remote access
- Screen recording
The configuration data is organized into distinct sections, and here below, we have mentioned those sections:-
- rms_inet_id_notification
- security_settings
- general_settings
- rms_internet_id_settings
- certificte_settings
- sreen_record_option
- local_settings
RMS includes ‘Internet-ID’ for connecting to developer servers, sending an email notification containing victim details and remote access credentials, making attacks more accessible for less sophisticated threat actors.
The notification email, sent via SMTP to “31.31.194.65” (resolved as “mail.hosting.reg.ru”), initiates C&C communications over TCP to transmit victim data.
Victim data, in Base64-encoded XML, goes to IP addresses 77.223.124.212 and 95.213.205.83 via port 5655. It mirrors registry-stored configuration data, including country code, device name, OS details, and an admin privilege flag.
Recommendations
Here below we have mentioned all the recommendations:-
- Enforce application whitelisting to limit unapproved app execution, including remote admin tools, on endpoints.
- Regularly check your system’s services list, especially for “RManService.” If unsure, consider disabling or removing it.
- Use network traffic tools to monitor outbound traffic, especially on port 5655, and set alerts for unusual patterns that could signal C&C server communication.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.