2024-10-01 (TUESDAY): UKRAINIAN LANGUAGE MALSPAM PUSHES RMS-BASED MALWARE
AUTHORS:
- Anmol Maurya, Bradley Duncan
REFERENCES:
- https://www.linkedin.com/posts/unit42_ukrainian-malspam-rms-activity-7247654167828176897-oibJ/
- https://x.com/Unit42_Intel/status/1841888547151691813
INFECTION CHAIN:
- email --> attached PDF with link --> downloaded .7z file --> .zip file --> password-protected .rar file --> RMS-based malware
NOTES:
- Initial lures were Ukrainian language emails sent on 2024-10-01 using a "payment order" theme, all with the same attached PDF.
- Found 3 examples of emails in VirusTotal, two were sent to .gov.ua recipients and one appears to be sent to a US-based university.
- The attached PDF document spoofs a Ukraine-based bank and contains a Bitbucket link to download a malicious 7-zip file.
- The Bitbucket repository hosting the malware is no longer online.
- The 7-zip file contains a zip file, and that zip file contains a password-protected RAR file and a text file with the password.
- The password-protected RAR archive contains a 64-bit Windows executable for RMS-based malware, named with a .pdf.scr double extension (Windows runs a .scr file as an ordinary PE executable).
- RMS is a freely available remote desktop management product from TektonIT available at rmansys[.]ru.
- For more information on RMS-based malware, see https://malpedia.caad.fkie.fraunhofer.de/details/win.rms
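The nesting above (7-zip → zip → password-protected RAR with the password in a sibling text file → .pdf.scr executable) is a pattern that can be flagged before anything is extracted. The following is an added example, not code from the original report or from Unit 42: it inspects the members of a zip archive (the stage for which Python's standard library has a reader) and flags a nested RAR shipped next to a short password note, and executables hiding behind a document extension. The zip built in build_sample_zip() is a constructed stand-in with the same member name as doc.zip; its bytes are synthetic, and the name password.txt is an assumption (the report does not give the text file's name).

```python
"""Static triage of a nested-archive lure stage (added example, not the report's code)."""
import io
import re
import zipfile

RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR v5 signature
PE_MAGIC = b"MZ"                        # DOS stub at the start of every PE file
EXEC_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
# A password note is typically one short token, e.g. "750928", with optional whitespace.
PASSWORD_RE = re.compile(r"^\s*\S{4,32}\s*$")


def suspicious_double_extension(name):
    """True for names like 'invoice.pdf.scr': document extension followed by an executable one."""
    lower = name.lower()
    for ext in EXEC_EXTS:
        if lower.endswith(ext):
            stem = lower[: -len(ext)]
            return any(stem.endswith(d) for d in DOC_EXTS)
    return False


def triage_zip(data):
    """Return (member, finding) tuples for a zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        heads = {}
        small_text = {}
        for m in members:
            with zf.open(m) as fh:          # only the first 8 bytes are needed for magic checks
                heads[m.filename] = fh.read(8)
            # A password note is tiny; read it fully so it can be matched against PASSWORD_RE.
            if m.file_size <= 64 and m.filename.lower().endswith(".txt"):
                small_text[m.filename] = zf.read(m).decode("utf-8", "replace")

        for m in members:
            name = m.filename
            head = heads[name]
            if head.startswith(RAR5_MAGIC) or name.lower().endswith(".rar"):
                findings.append((name, "nested RAR archive"))
                for tname, text in small_text.items():
                    if PASSWORD_RE.match(text):
                        findings.append(
                            (tname, f"possible password note for {name}: {text.strip()!r}")
                        )
            if suspicious_double_extension(name):
                findings.append((name, "executable with document-style double extension"))
            if head.startswith(PE_MAGIC) and not name.lower().endswith((".exe", ".dll")):
                findings.append((name, "PE header under a non-executable file name"))
    return findings


def build_sample_zip():
    """Constructed stand-in for doc.zip: a RAR5-looking blob plus an assumed password.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:   # report: compression method=store
        zf.writestr("платіжне доручення.rar", RAR5_MAGIC + b"\x00" * 32)
        zf.writestr("password.txt", "750928\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, finding in triage_zip(build_sample_zip()):
        print(f"{member}: {finding}")
    print(suspicious_double_extension("Електронне платіжне доручення.pdf.scr"))
```

The double-extension check is applied to member names only, so it also works on a listing obtained from 7z or unrar without extracting the payload; the PE magic check is the fallback for a renamed executable whose name does not end in a recognised extension at all.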
INFORMATION FROM 3 EMAIL EXAMPLES:
- Date: Tue, 1 Oct 2024 10:45:09 +0300
- To: [info removed]@[info removed].edu <-- US-based university
- From: Щербаченко Миролюба Янівна <info@horikiri-kogyo[.]co[.]jp>
- Translated sender name: Shcherbachenko Myrolyuba Yanivna

- Date: Tue, 1 Oct 2024 10:49:46 +0300
- To: [info removed]@[info removed].gov.ua
- From: Алчевська Дорофея Добромирівна <jason@atecsigns[.]com[.]au>
- Translated sender name: Alchevska Dorofeya Dobromyrivna

- Date: Tue, 1 Oct 2024 11:04:58 +0300
- To: [info removed]@[info removed].gov.ua
- From: Федун Рудана Охримівна <g.olaniran@arithandpaul[.]com>
- Translated sender name: Fedun Rudana Okhrimovna

- Subject line for all 3 examples: Платіжне доручення
- Translated subject line: Payment order
ASSOCIATED FILES:
- SHA256 hash: 4555d7cb750d0a60496f06aa8b5e16b333626adfc9e150e033745b3c95d8dc5e
- File size: 148,297 bytes
- File name: Платіжне доручення.pdf
- Name translated to English: Payment order.pdf
- File type: PDF document, version 1.7, 1 page
- File description: Email attachment, this PDF document has a link to download a malicious file

- SHA256 hash: ef773e11dc10641e01df827e5fece81272397e3eae6989f4dd3f48ec3dc3a751
- File size: 26,764,927 bytes
- File location: hxxps://bitbucket[.]org/invoicepays/file/downloads/doc.7z <-- Repository no longer online
- File type: 7-zip archive data, version 0.4
- File description: 7-zip archive downloaded from link in above PDF document

- SHA256 hash: aa5ddc58a7719415335111344d1acc9acff79feb07bc7a86ad3414b8bdd90e37
- File size: 26,763,391 bytes
- File name: doc.zip
- File type: Zip archive data, at least v1.0 to extract, compression method=store
- File description: Zip archive contained in the above 7-zip archive

- SHA256 hash: 6cbd58c4773098a46682ecefe243803a719f5aa01f9e3372665575efb2836e66
- File size: 26,741,150 bytes
- File name: платіжне доручення.rar
- Name translated to English: payment order.rar
- File type: RAR archive data, v5
- File description: Password-protected RAR archive contained in the above zip archive (the password is supplied in a text file alongside it)
- Password: 750928

- SHA256 hash: f84e05c4ae4782ddf3f489874b66aeba2e4c4de92d1eeb2765940909e3b9d8f6
- File size: 26,982,038 bytes
- File name: Електронне платіжне доручення.pdf.scr
- Name translated to English: Electronic payment order.pdf.scr
- File type: PE32+ executable (GUI) x86-64, for MS Windows
- File description: 64-bit EXE for RMS-based malware, contained in the above RAR archive
C2 TRAFFIC FROM RMS-BASED MALWARE:
- 111.90.140[.]34 port 80 - TCP traffic
- 65.21.245[.]7 port 5651 - TCP traffic and TLS traffic
- 111.90.140[.]34 port 465 - attempted TCP connections
- 111.90.140[.]34 port 5651 - attempted TCP connections
- 111.90.140[.]34 port 8080 - attempted TCP connections
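The hashes and C2 endpoints above are the actionable part of this report. The following is an added example, not code from the original report or from Unit 42, showing how a responder would sweep both host and network telemetry against them: exact IP:port matches are reported separately from new ports on a known C2 host, and the connection state is carried through so that the "attempted" connections (Zeek conn_state S0, a SYN with no reply) are distinguishable from completed sessions. The Zeek-style conn.log lines use a reduced column subset and are constructed sample input, as is the file inventory; neither is a real capture.

```python
"""Sweep telemetry for the IOCs in this report (added example, not the report's code)."""
import ipaddress

# (IP, port) pairs from the C2 TRAFFIC section above.
C2_ENDPOINTS = {
    ("111.90.140.34", 80),
    ("65.21.245.7", 5651),
    ("111.90.140.34", 465),
    ("111.90.140.34", 5651),
    ("111.90.140.34", 8080),
}
C2_HOSTS = {ipaddress.ip_address(ip) for ip, _ in C2_ENDPOINTS}

# SHA256 -> description, from the ASSOCIATED FILES section above.
FILE_HASHES = {
    "4555d7cb750d0a60496f06aa8b5e16b333626adfc9e150e033745b3c95d8dc5e": "lure PDF (Платіжне доручення.pdf)",
    "ef773e11dc10641e01df827e5fece81272397e3eae6989f4dd3f48ec3dc3a751": "downloaded doc.7z",
    "aa5ddc58a7719415335111344d1acc9acff79feb07bc7a86ad3414b8bdd90e37": "doc.zip",
    "6cbd58c4773098a46682ecefe243803a719f5aa01f9e3372665575efb2836e66": "password-protected RAR",
    "f84e05c4ae4782ddf3f489874b66aeba2e4c4de92d1eeb2765940909e3b9d8f6": "RMS-based malware (.pdf.scr)",
}


def parse_conn_line(line):
    """Parse a tab-separated conn.log record in a reduced Zeek-style layout (assumed here):
    ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state"""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    return {
        "ts": fields[0], "uid": fields[1], "src": fields[2],
        "dst": fields[4], "dport": int(fields[5]), "proto": fields[6], "state": fields[7],
    }


def match_c2(lines):
    """Return (uid, dst, dport, reason, conn_state) for every flow touching a C2 indicator."""
    hits = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if (rec["dst"], rec["dport"]) in C2_ENDPOINTS:
            hits.append((rec["uid"], rec["dst"], rec["dport"], "exact C2 endpoint", rec["state"]))
        elif dst in C2_HOSTS:
            # Same host on an unlisted port: worth a look, but lower confidence than an exact match.
            hits.append((rec["uid"], rec["dst"], rec["dport"], "known C2 host, unlisted port", rec["state"]))
    return hits


def match_hashes(inventory):
    """inventory: iterable of (path, sha256hex); returns (path, description) for known-bad hashes."""
    return [(path, FILE_HASHES[h.lower()]) for path, h in inventory if h.lower() in FILE_HASHES]


# Constructed sample telemetry (not real captures); 10.0.0.5 is a hypothetical victim host.
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1727772309.120\tCabc1\t10.0.0.5\t49712\t111.90.140.34\t80\ttcp\tSF",
    "1727772310.500\tCabc2\t10.0.0.5\t49713\t65.21.245.7\t5651\ttcp\tSF",
    "1727772311.900\tCabc3\t10.0.0.5\t49714\t111.90.140.34\t465\ttcp\tS0",
    "1727772312.000\tCabc4\t10.0.0.5\t49715\t111.90.140.34\t9999\ttcp\tS0",
    "1727772313.000\tCabc5\t10.0.0.5\t49716\t8.8.8.8\t53\tudp\tSF",
]
SAMPLE_INVENTORY = [
    ("C:\\Users\\victim\\Downloads\\doc.7z", "EF773E11DC10641E01DF827E5FECE81272397E3EAE6989F4DD3F48EC3DC3A751"),
    ("C:\\Users\\victim\\Downloads\\readme.txt", "00" * 32),
]

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_CONN):
        print("C2:", hit)
    for hit in match_hashes(SAMPLE_INVENTORY):
        print("hash:", hit)
```

Hashes are compared case-insensitively because EDR and forensic tools disagree on the case of hex digests; the network matcher keys on the responder side only, since the source port is ephemeral and carries no signal.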