Security researchers have uncovered how TA505, a cyber-crime group composed of Russian-speaking members, has been leveraging a legitimate remote administration tool called ‘Remote Manipulator System’ to target major retailers and financial organisations in the United States, Chile, India, Italy, Malawi, Pakistan, and South Korea.
According to researchers at CyberInt, TA505 has been active since at least 2014, distributing powerful banking trojans such as Dridex and Shifu, and has been using tried-and-tested tactics, techniques, and procedures that are easily available in Russian-language forum discussions and tutorials against high-value targets.
They noted that TA505, and also some other cyber-crime groups, have been trying to gain access to systems containing valuable data by leveraging legitimate remote access tools that enable them to conduct reconnaissance and lateral movement within a victim network.
At the same time, the group has also been using logos, language, and terminology consistent with the target organisation in phishing emails to lure employees into downloading malicious attachments that advise them to disable security controls before executing macros. These macros download malicious payloads from the group's remote command-and-control (C2) infrastructure that masquerades as legitimate domains.
In many cases, the initial payload is the legitimate remote access tool called ‘Remote Manipulator System’ (RMS) along with supporting shell scripts (BAT) and configuration files. Once downloaded, the RMS executable attempts to connect with its C2 infrastructure and, once a connection is established, it downloads additional payloads to take control of the targeted device.
According to CyberInt researchers, the legitimate remote access tool was used to target several retailers in the United States in November last year and was again used to target financial organisations in Chile, India, Italy, Malawi, Pakistan and South Korea, with some organisations in China, Great Britain, France and the United States also reporting similar attacks.
As the RMS executable is legitimate, it is not detected or flagged by the vast majority of anti-malware tools and, therefore, organisations are mostly reliant on their employees to detect phishing emails to prevent hacker groups such as TA505 from downloading malicious payloads into their systems.
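Because the binary itself is clean, detection has to key on how it arrived and where it runs. The following is an added example, not code from CyberInt or this article: it flags a remote-admin executable whose process ancestry includes an Office application, or which runs outside an approved install directory. The event records, the binary name `rms_host.exe` and the approved path are constructed placeholders.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumption: a site-maintained inventory of remote-admin binaries and the
# directories IT installs them to. Both entries are hypothetical placeholders.
REMOTE_ADMIN_BINARIES = {"rms_host.exe"}
APPROVED_DIRS = (r"c:\program files\itsupport",)

# Constructed process-creation events (pid, parent pid, image path).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\alice\AppData\Local\Temp\rms_host.exe"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\ITSupport\rms_host.exe"},
]

def exe_name(image):
    return ntpath.basename(image).lower()

def ancestry(pid, by_pid):
    """Return the process and its known ancestors, child first; stops on loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if exe_name(e["image"]) not in REMOTE_ADMIN_BINARIES:
            continue
        chain = ancestry(e["pid"], by_pid)
        reasons = []
        # Macro-driven delivery: an Office app somewhere above the tool.
        if any(exe_name(p["image"]) in OFFICE_APPS for p in chain[1:]):
            reasons.append("office_ancestor")
        # Legitimate deployments live in an approved directory.
        if not ntpath.dirname(e["image"]).lower().startswith(APPROVED_DIRS):
            reasons.append("unapproved_path")
        if reasons:
            lineage = " > ".join(exe_name(p["image"]) for p in reversed(chain))
            alerts.append({"pid": e["pid"], "reasons": reasons, "lineage": lineage})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```
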
Commenting on the activities of TA505, Richard Cassidy, director of Sales Engineering at Exabeam, told SC Magazine UK that it's no surprise that we’re still seeing the same old tactics, techniques and procedures being used to great effect by threat actors. As an industry, organisations are faced with far too many data-sets, from far too many disparate tools, that simply overwhelm security, compliance, and risk management teams.
"The challenge is, the security practices many implement today rely far too much on what is known, as opposed to what is unknown. Adversarial techniques rely on negligence or ignorance, both on the part of the user and the security system implemented to protect data or assets. Reducing complexity and increasing the use of automation is the approach we’ve got to start taking to security and risk management overall.
"People and processes can only achieve so much and in a modern day highly automated attack landscape, we’ve got to look to how we can better utilise our existing data-sets to find anomalies that present true business risk, as opposed to attributing further to the alert fatigue problem.
"This is only possible through machine learning functions and an advanced analytics approach, to automate investigation and response tasks, allowing us to gain the upper hand in risk management, when faced with RAT, phishing or malware activity across our organisations," he added.
Naaman Hart, cloud services security architect at Digital Guardian, says that in cases where legitimate tools are being used, the focus should be on protecting and restricting privileged credentials, as without credentials, remote admin tools are worthless and the hackers struggle to move laterally within the business.
"This is why these attacks start with phishing as a means to gain a credential that can be used to start wreaking havoc or simply as a stepping stone to access a more privileged credential. Ultimately passwords are a flawed mechanism only made better by introducing a secondary authentication mechanism via two-factor authentication.
"Password vaulting is one solution to this whereby an individual account and its password are never known to the individual. Access to the vault itself is via a single account with one password to remember and a secondary authentication method. As there is only one account to remember it can be made more secure and it can be bound in a physical means to the individual," he adds.