In a new cybersecurity threat, the notorious TA505 hacker group has been seen employing a cunning Phishing Campaign. The campaign uses a Remote Management System (RMS) executable to target users in specific regions. 

The TA505 hacker group uses this technique in a hacking campaign to mimic banned applications, such as ExpressVPN, WeChat, and Skype, in an attempt to compromise unsuspecting victims.

The campaign targets Russian netizens and uses restricted or banned applications in the country as bait to target victims.

TA505 hacker group deploys sneaky phishing campaign

Cyble Research and Intelligence Labs (CRIL) has observed this new phishing campaign, which is reportedly targeted towards Russian users. For this RMS executable to work, the threat needs phishing websites that mimic popular applications. 

Since a lot of American-based brands, and services have left Russia, the hackers abuse this scarcity of online applications in the country to target its citizens. 

The RMS executable, recognized as a reliable remote administration tool, was found to be the linchpin in these attacks.

Intriguingly, the malware binary was distributed across multiple deceptive websites, heightening suspicions that the threat actor may have ties to the Russian-speaking community.

The threat actor involved in this hacking campaign is the formidable TA505 hacker group. With a notorious history dating back to 2014, the hacker group is known for deploying ransomware attacks through the Clop variant. 

Their association with RMS in cyber operations further highlights the group’s sophisticated tactics, enabling them to gain early access and perpetrate cybercrimes on a global scale.

The rise of phishing campaigns leveraging banned applications 

The trend of using banned or restricted applications to exploit user vulnerabilities is at an all-time high. The recent VASTFLUX fraud case is a prime example of how these phishing campaigns can target victims, and what kind of damage they can inflict.

The VASTFLUX fraud ring targeted 11 million devices across 1,700 spoofed apps, affecting 120 publishers. Similarly, the hacking campaign by the TA505 hacker group plans to target a large number of victims in one of the largest countries in the world. 

The threat actor exploits this vulnerability, and human emotions become a driving force for these campaigns to work. This was glaringly evident in an operation targeting Russian consumers, wherein phishing websites were meticulously designed to resemble popular apps like ExpressVPN, WeChat, and Skype.

Notably, these applications are inaccessible in Russia due to legal restrictions.

The technicalities of the TA505 hacker group

The TA505 hacker group’s phishing campaign employs deceptive tactics, distributing malicious payloads through phishing sites via RMS binaries or disguised within Self-extracting archives (SFX). 

Exploiting user trust in installations, cybercriminals leverage SFX files to conceal harmful content. Clicking the “Download VPN” button on the ExpressVPN phishing site initiates the download of an SFX folder, masking a malicious payload. When executed, it convincingly impersonates an official ExpressVPN installer, discreetly delivering the payload.

Post-execution, the SFX file inserts data into the Registry key “HKCUSoftwareWinRAR SFX” and establishes a designated folder in the %tmp% directory, containing both the RMS executable and a genuine ExpressVPN installer.

The RMS tool, a potent remote administration tool compatible with various operating systems, grants users functionalities like file transfers and desktop sharing. Its availability for both non-commercial and commercial usage broadens its appeal to legitimate and malicious users.

This resurgence of the RMS tool in TA505’s hacking campaign is nothing less than another attempt to target unsuspecting victims. By exploiting restricted applications, cybercriminals adapt and refine their methods, emphasizing their cunning tactics. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.