win.rms

RMS

aka: Gussdoor, Remote Manipulator System

Actor(s): TA505


CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by the Russian organization TektonIT, and that it has been observed in campaigns conducted by TA505 as well as in numerous smaller campaigns likely attributable to other, disparate threat actors. In addition to commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.

References
2020-11-05 | Kaspersky Labs | Kaspersky Lab ICS CERT, Vyacheslav Kopeytsev
@techreport{cert:20201105:attackson:62f1e26, author = {Kaspersky Lab ICS CERT and Vyacheslav Kopeytsev}, title = {{Attacks on industrial enterprises using RMS and TeamViewer: new data}}, date = {2020-11-05}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf}, language = {English}, urldate = {2020-11-06} } Attacks on industrial enterprises using RMS and TeamViewer: new data
RMS
2019-05-29 | Yoroi | ZLAB-Yoroi
@online{zlabyoroi:20190529:ta505:07b59dd, author = {ZLAB-Yoroi}, title = {{TA505 is Expanding its Operations}}, date = {2019-05-29}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ta505-is-expanding-its-operations/}, language = {English}, urldate = {2020-01-13} } TA505 is Expanding its Operations
RMS
2019 | CyberInt | CyberInt
@techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505
2017-09-21 | Malwarebytes | Jérôme Segura
@online{segura:20170921:fake:5f5963f, author = {Jérôme Segura}, title = {{Fake IRS notice delivers customized spying tool}}, date = {2017-09-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/}, language = {English}, urldate = {2019-12-20} } Fake IRS notice delivers customized spying tool
RMS
2016-10-11 | Symantec | Symantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS Anunak
Yara Rules
[TLP:WHITE] win_rms_auto (20201014 | autogenerated rule brought to you by yara-signator)
/*
 * Autogenerated code-sequence signature for the Malpedia family win.rms
 * (RMS / Remote Manipulator System, see malpedia_reference below).
 * Each $sequence_N is a run of seven 32-bit x86 instructions lifted from
 * disassembled samples; the rule fires when most of them are present in a
 * file of bounded size (see the condition at the bottom).
 */
rule win_rms_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        // tool_config names the feature classes the generator masked:
        // call/jump targets and data references (see the wildcards below).
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings: each `??` is a YARA single-byte wildcard. The four
        // wildcarded bytes after e8 (call), e9 (jmp), a1 (mov eax, [addr])
        // and 68 (push imm32) mask the rel32 / absolute operand, so the
        // sequences do not depend on load address or link layout.
        // "n = 7" is the instruction count of the sequence; "score = 200"
        // is the generator's ranking value for the sequence (presumably a
        // relative selection score, not a YARA weight -- YARA ignores it).
        $sequence_0 = { eb13 8b45f8 8b507c 8b450c 8b00 8b4048 e8???????? }
            // n = 7, score = 200
            //   eb13                 | jmp                 0x15
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b507c               | mov                 edx, dword ptr [eax + 0x7c]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4048               | mov                 eax, dword ptr [eax + 0x48]
            //   e8????????           |                     

        $sequence_1 = { f7da 8d45cc e8???????? 8b45f8 e8???????? 50 e8???????? }
            // n = 7, score = 200
            //   f7da                 | neg                 edx
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   e8????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        // Function epilogue (restore callee-saved registers, tear down frame).
        // Such epilogues are common in compiled code; this sequence is weak on
        // its own and relies on the "7 of them" threshold for specificity.
        $sequence_2 = { eb03 c60300 5f 5e 5b 8be5 5d }
            // n = 7, score = 200
            //   eb03                 | jmp                 5
            //   c60300               | mov                 byte ptr [ebx], 0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_3 = { e8???????? e9???????? 8b4508 e8???????? 50 56 8b45fc }
            // n = 7, score = 200
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   50                   | push                eax
            //   56                   | push                esi
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_4 = { e8???????? ffb558ffffff 8d8560ffffff ba03000000 e8???????? 8b8560ffffff e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ffb558ffffff         | push                dword ptr [ebp - 0xa8]
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]
            //   ba03000000           | mov                 edx, 3
            //   e8????????           |                     
            //   8b8560ffffff         | mov                 eax, dword ptr [ebp - 0xa0]
            //   e8????????           |                     

        $sequence_5 = { a1???????? e8???????? 43 4e 0f8534fdffff 33c0 5a }
            // n = 7, score = 200
            //   a1????????           |                     
            //   e8????????           |                     
            //   43                   | inc                 ebx
            //   4e                   | dec                 esi
            //   0f8534fdffff         | jne                 0xfffffd3a
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx

        $sequence_6 = { eb74 6a00 6a00 6a00 8b45ec 50 6a01 }
            // n = 7, score = 200
            //   eb74                 | jmp                 0x76
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_7 = { f6c310 740b 8bc6 e8???????? 84c0 7504 33c0 }
            // n = 7, score = 200
            //   f6c310               | test                bl, 0x10
            //   740b                 | je                  0xd
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        // Overlaps with $sequence_4 (same [ebp - 0xa8] / [ebp - 0xa0] frame
        // slots), so the two likely come from the same function and may
        // match together rather than independently.
        $sequence_8 = { e8???????? ffb55cffffff 68???????? 8d8558ffffff e8???????? ffb558ffffff 8d8560ffffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ffb55cffffff         | push                dword ptr [ebp - 0xa4]
            //   68????????           |                     
            //   8d8558ffffff         | lea                 eax, [ebp - 0xa8]
            //   e8????????           |                     
            //   ffb558ffffff         | push                dword ptr [ebp - 0xa8]
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]

        $sequence_9 = { e8???????? 8b45fc e8???????? ff750c ff7508 8d55d0 8b45fc }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d55d0               | lea                 edx, [ebp - 0x30]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be smaller than 35323904 bytes (~33.7 MiB).
        // The size bound is a cost/false-positive guard; objects at or above
        // it never match, regardless of string hits. Note that `filesize` is
        // undefined when scanning a process rather than a file.
        7 of them and filesize < 35323904
}