The TA505 group was said to reside in Russia and the threats from this group were involved in several high level cyber-attacks, including the infamous Dridex, the Locky ransomware, the ServHelper malware and the FlawedAmmyy. This organized cyber-crime group focuses mainly on victims for financial incentives by having access to its system to carry out fraudulent financial transactions. To accomplish these objectives, threats actors abuse remote control system, a legitimate remote administration tool based in Russian that is available for commercial and non-commercial purposes in free versions. The cracked version of the RMS tool In underground forums, the threat actors are provided with TA505, including the multi-monitor remote control, task handling, file transfer, command-line interface, network mapping capabilities, Webcam, and Microphone access features all of which are common features of well-developed Remote Access Trojan, Specialized forum. According to cyberit report, This RU support three roles that can be deployed individually or together, although one by one, the Relay server would likely be utilized in nefarious implementations. This Relay severs act as an intermediatory with compromised RMS clients calling home to it and identifying themselves with their “internet-ID” facilitating communications that allows firewall and NAT devices to be bypassed. Remote Access Most Trojans can communicate via command & control server to their operator. Likewise, RMS has a’ ID-Internet’ feature that enables communications with the developer’s server to e-mail a notification used by less advanced threats players. This feature is combined with the ability to silently install and operate the tool, making it the best solution for sophisticated and unproven actors. However, it encourages highly complex actors like TA505 through the support of “self-hosting” options which allow them to set up their own Remote Utilities (RU) server. The attackers carry out a spear-phishing campaign using a legitimate conversation, logo and terminology, and provide attached pull documents, trick the victims to open it. Once victims open the documents, they are directed to deactivate the macro’s security checks, which attempt to download malicious payloads from the attackers through their command and control infrastructure. Most of the C2 server domains are legit domains, but Microsoft Office 365 is a slight misleader of cloud. The original malware uploader is better and robust than the other component, including remote access trojan, legitimate RMS tool, shell scripts and servers, used primarily for the purpose of collecting financial data. You can also read the configuration steps of the RMS tool, technical information on infections, and compromise indicators here.
