TA505 Hackers Group Modifies Remote administrative tools to attack victims in the United States

Hacker Group

Threatened TA505 hacking groups performing new wave attacks by changing the legitimate remote manager tool to the weaponized hacker that targets American dealers and various European, APAC and LATAM financial institutions.

The TA505 group was said to reside in Russia and the threats from this group were involved in several high level cyber-attacks, including the infamous Dridex, the Locky ransomware, the ServHelper malware and the FlawedAmmyy.

This organized cyber-crime group focuses mainly on victims for financial incentives by having access to its system to carry out fraudulent financial transactions.

To accomplish these objectives, threats actors abuse remote control system, a legitimate remote administration tool based in Russian that is available for commercial and non-commercial purposes in free versions.

The cracked version of the RMS tool In underground forums, the threat actors are provided with TA505, including the multi-monitor remote control, task handling, file transfer, command-line interface, network mapping capabilities, Webcam, and Microphone access features all of which are common features of well-developed Remote Access Trojan, Specialized forum.

According to cyberit report, This RU support three roles that can be deployed individually or together, although one by one, the Relay server would likely be utilized in nefarious implementations.

This Relay severs act as an intermediatory with compromised RMS clients calling home to it and identifying themselves with their “internet-ID” facilitating communications that allows firewall and NAT devices to be bypassed.

Remote Access

Most Trojans can communicate via command & control server to their operator. Likewise, RMS has a’ ID-Internet’ feature that enables communications with the developer’s server to e-mail a notification used by less advanced threats players.

This feature is combined with the ability to silently install and operate the tool, making it the best solution for sophisticated and unproven actors.

However, it encourages highly complex actors like TA505 through the support of “self-hosting” options which allow them to set up their own Remote Utilities (RU) server.

The attackers carry out a spear-phishing campaign using a legitimate conversation, logo and terminology, and provide attached pull documents, trick the victims to open it.

Once victims open the documents, they are directed to deactivate the macro’s security checks, which attempt to download malicious payloads from the attackers through their command and control infrastructure.

Most of the C2 server domains are legit domains, but Microsoft Office 365 is a slight misleader of cloud.

The original malware uploader is better and robust than the other component, including remote access trojan, legitimate RMS tool, shell scripts and servers, used primarily for the purpose of collecting financial data.

You can also read the configuration steps of the RMS tool, technical information on infections, and compromise indicators here.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.