One of the common methods that cyber crooks use for spreading malware is disguising it as legitimate software. Sometimes only the interface is copied while the code is completely different, but sometimes cybercriminals take the code of a legitimate application and modify it to suit their harmful campaigns. The creators of the RMS RAT (Remote Access Trojan) have taken the latter approach.

The cybercriminals behind the RMS RAT based their creation on 'Remote Manipulator System', a widely known Russian remote access tool. The legitimate variant of the 'Remote Manipulator System' tool requires the consent of both parties involved to establish a connection. However, the authors of the RMS RAT have modified the original tool so that they no longer need the permission, or even the knowledge, of the other party to gain access to that party's system.

The RMS RAT first emerged in a campaign back in 2017. The infection vector was fraudulent emails that claimed to contain an IRS form; instead, the attachment was a corrupted document that contained the payload of the RMS RAT. The RMS RAT is good at being sneaky, and it is likely that infected users will never even realize that they have become victims of this threat.

The TA505 hacking group is the actor responsible for the biggest operation that involved the RMS RAT. TA505 is known for its ransomware threats and banking malware. However, the group seems to have taken a liking to the RMS RAT and has employed it (alongside another threat, FlawedAmmyy) in campaigns targeting users in Italy, Mexico and Chile. It is believed that they have been spreading the RMS RAT via infected Microsoft Excel documents.

The RMS RAT packs a good number of features. It is capable of invading the privacy of the victim by taking screenshots of the desktop, collecting keystrokes, and even accessing the microphone and webcam of the user. Furthermore, the RMS RAT can upload and download files to and from the infiltrated system, as well as view, delete and modify files on the compromised computer. The RMS RAT is also able to hijack control of the Windows Task Manager, Command Prompt and Registry Editor. This piece of malware can command the remote computer to sleep, restart or power off.

If you want to keep your machine safe from the RMS RAT, you should look into obtaining a reputable anti-virus suite.

