Two sentences: Cyble CRIL observed a phishing campaign targeting Russian users that mirrors banned apps (ExpressVPN, WeChat, Skype) to deliver a Remote Management System (RMS) payload. The RMS tool—a legitimate remote administration utility—has been linked to TA505 in the past and could enable further malware deployment after initial access. #ExpressVPN #WeChat #Skype #RMS #TA505
Key points
- Phishing campaigns are leveraging apps banned in specific regions (e.g., Russia) to lure victims.
- Phishing sites impersonate ExpressVPN, WeChat, and Skype to distribute RMS payloads.
- All phishing sites deliver the same RMS executable, implying a single actor or coordinated group.
- RMS is a legitimate remote administration tool used by TA505 and other campaigns.
- TA505 is a Russian-speaking threat actor group with a long history of operations since 2014; this campaign might be TA505 but is not confirmed.
- After gaining initial access, RMS can enable persistence, lateral movement, and deployment of other malware; C2 communications and data exfiltration are described.
MITRE Techniques
- [T1566] Phishing – The RMS dropper reaches users via phishing sites. “phishing sites mimicking popular applications like ExpressVPN, WeChat, and Skype” and “phishing domains … delivering RMS.”
- [T1204] User Execution – The user needs to execute the malicious file downloaded manually from the phishing site. “The user needs to execute the malicious file downloaded manually from the phishing site”
- [T1059] Command and Scripting Interpreter – cmd.exe is used to collect system information. “cmd.exe is used to collect system information”
- [T1569] System Services – The RMS utility is installed as a service. “The RMS utility is installed as a service.”
- [T1072] Software Deployment Tools – The attacker is using RMS, a legitimate Remote Administration Tool. “The attacker is using RMS, a legitimate Remote Administration Tool”
- [T1543.003] Create or Modify System Process: Windows Service – Creates Windows services to repeatedly execute RMS utility. “Creates Windows services to repeatedly execute RMS utility”
- [T1027] Obfuscated Files or Information – RMS Executable packed with UPX. “RMS Executable packed with UPX”
- [T1005] Data from the Local System – The malware collects sensitive data from victim’s system. “The malware collects sensitive data from victim’s system”
- [T1132] Data Encoding – Collected XML data is Base64-encoded before transmission. “Base64 encode XML data”
- [T1095] Non-Application Layer Protocol – Data is transmitted using TCP. “Sends Data using TCP”
- [T1041] Exfiltration Over C2 Channel – Exfiltration over an existing command and control channel. “Exfiltrates over an existing command and control channel”
Indicators of Compromise
- [Domain] Phishing Sites – express-vpn.fun, we-chat.info, and join-skype.com
- [SHA256] Malicious Files – 0deeb551455cc532832a4f7201fb0f85034f9f3ee1a1320e6b7b300ddaa3bb85, 3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc
- [IP] C2 Servers – 77.223.124.212, 95.213.205.83
- [File Name] Host.msi, expressvpn.exe
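The indicators and techniques listed above can be turned into a simple retrospective sweep over endpoint and network telemetry. The following is an added example (not code from Cyble or the report it summarizes): it loads the report's domains, hashes, C2 addresses and file names, scans a handful of constructed key=value log lines (DNS, file, process and network events; the host names, service name "RMSvc" and destination port are made up for the sample), and tags each match with the MITRE technique it supports. The service-creation rule is a behavioural check rather than an indicator match: it flags a `sc create` whose binary path resolves to one of the reported dropper names, which survives hash changes from a repacked RMS executable.

```python
"""Sweep constructed log lines for the RMS phishing-campaign indicators (added example)."""
import re
from dataclasses import dataclass

# Indicators of compromise as listed in the report summary above.
PHISHING_DOMAINS = {"express-vpn.fun", "we-chat.info", "join-skype.com"}
C2_IPS = {"77.223.124.212", "95.213.205.83"}
MALICIOUS_SHA256 = {
    "0deeb551455cc532832a4f7201fb0f85034f9f3ee1a1320e6b7b300ddaa3bb85",
    "3c77c16ee21ff2f584b1eb5df4882976a934d50d1d4e0886b98bf4d33fe1dccc",
}
DROPPER_NAMES = {"host.msi", "expressvpn.exe"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    technique: str
    indicator: str
    reason: str


HOST_RE = re.compile(r"host=(\S+)")
DNS_RE = re.compile(r"query=([\w.-]+)")
CONN_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
HASH_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")
FILE_RE = re.compile(r"image=(\S+)")
CMD_RE = re.compile(r'cmd="([^"]*)"')


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sweep(lines):
    """Return a list of Hit records for every indicator or behaviour matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        hm = HOST_RE.search(line)
        host = hm.group(1) if hm else "?"

        m = DNS_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            # Match the phishing domain itself or any subdomain of it.
            for d in PHISHING_DOMAINS:
                if name == d or name.endswith("." + d):
                    hits.append(Hit(n, host, "T1566", d, "DNS lookup of phishing domain"))

        m = CONN_RE.search(line)
        if m and m.group(1) in C2_IPS:
            hits.append(Hit(n, host, "T1041", m.group(1), "outbound TCP to reported C2"))

        m = HASH_RE.search(line)
        if m and m.group(1).lower() in MALICIOUS_SHA256:
            hits.append(Hit(n, host, "T1204", m.group(1).lower(), "known RMS dropper hash"))

        m = FILE_RE.search(line)
        if m and _basename(m.group(1)) in DROPPER_NAMES:
            hits.append(Hit(n, host, "T1204", _basename(m.group(1)), "reported dropper file name"))

        m = CMD_RE.search(line)
        if m:
            tokens = m.group(1).lower().split()
            # Behavioural rule: service creation pointing at a reported dropper name.
            if tokens[:2] == ["sc", "create"] and any(_basename(t) in DROPPER_NAMES for t in tokens):
                hits.append(Hit(n, host, "T1543.003", tokens[2], "service created for RMS dropper"))
    return hits


def summarize(hits):
    """Map each host to the sorted set of techniques observed on it."""
    out = {}
    for h in hits:
        out.setdefault(h.host, set()).add(h.technique)
    return {host: sorted(t) for host, t in out.items()}


# Constructed sample telemetry: ws-17 is infected, ws-02 is clean.
# Host names, the service name "RMSvc" and port 4443 are made up; the page gives none.
SAMPLE_LOGS = [
    r"ts=1 type=dns host=ws-17 query=www.express-vpn.fun",
    r"ts=2 type=file host=ws-17 image=C:\Users\u\Downloads\expressvpn.exe "
    r"sha256=0deeb551455cc532832a4f7201fb0f85034f9f3ee1a1320e6b7b300ddaa3bb85",
    r'ts=3 type=proc host=ws-17 cmd="sc create RMSvc binPath= C:\ProgramData\expressvpn.exe"',
    r"ts=4 type=net host=ws-17 dst=95.213.205.83:4443 proto=tcp",
    r"ts=5 type=dns host=ws-02 query=www.example.com",
    r"ts=6 type=net host=ws-02 dst=10.0.0.5:443 proto=tcp",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(f"line {h.line_no} {h.host} {h.technique}: {h.reason} ({h.indicator})")
    print(summarize(SAMPLE_LOGS and sweep(SAMPLE_LOGS)))
```

Hash and domain matches age quickly (a repacked dropper or a fresh phishing domain defeats them), so in practice the service-creation and C2-connection rules are the ones worth keeping as standing detections, with the indicator sets refreshed from the report's IoC list.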
Read more: https://cyble.com/blog/rms-tools-sneaky-comeback-phishing-campaign-mirroring-banned-applications/