Posted: June 18, 2019

The RMS RAT is a Remote Access Trojan that is a modification of the Remote Manipulator System administrative tool. The RMS RAT grants a threat actor control over elements such as the mouse, keyboard, and file system, and its presence constitutes a backdoor that allows the installation of other Trojans or the collection of information. Users should keep anti-malware products on hand for removing the RMS RAT and should treat their e-mail messages as a likely delivery channel for its exploits.

Code that's a Little Too Open to Outside Abuse

E-mail is a regular factor in both mostly-random and highly-targeted attacks that deploy Trojans onto the targets' computers. The RMS RAT, a hijacking of a Russian open-source project by the name of Remote Manipulator System, provides examples of the different techniques these con artists use. Different variants of the RMS RAT may support wildly different payloads, but at the baseline, it represents a security risk that is little different from handing your keyboard over to a hacker.

Because the RMS RAT's code is free, its use is cropping up in multiple, unrelated campaigns, including TA505's so-called Pied Piper attacks against the food supplier industry, as well as broader phishing tactics aimed at users of US IRS services. Although both techniques use e-mail, their delivery methods differ slightly: one provides a link to a corrupted document, and the other uses a direct attachment. The Trojan-dropping mechanism diverges in a similar way, with one case preferring a specially-crafted exploit and the other preferring the ever-popular abuse of macro features.

The RMS RAT's default functions, as provided in the legitimate version by the Russian company TektonIT, include standard remote administrative capabilities. Some of its choice features encompass remote keyboard and mouse support, Microsoft RDP compatibility, webcam and microphone connections, and password protection for its settings.

Additions to the payload by individual criminals may include delivering cryptocurrency miners or file-locker Trojans, surveying data for later collection, or disabling security features. Based on the threat groups associated with previous attacks, malware experts rate harmful encryption (for locking the user's files) or the theft of banking information as likely outcomes.

Freeing Your Hardware from External Manipulation

The RMS RAT, much like Hidden Tear, originated as a program made for non-threatening purposes, but over the years its features have lent themselves to hijacking by criminals. While new campaigns will not necessarily repeat previous tactics, most threat actors depend on victims clicking a corrupted link or opening an attached file and enabling additional content, such as a macro. Users also can eliminate some infection risks by disabling browser features like JavaScript and installing security patches for corrected vulnerabilities like Microsoft Office's CVE-2017-0199.

Turning off network connections will keep the RMS RAT from passing collected information to its admin or acting on any incoming commands from its C&C server. Although the RMS RAT's original program has a visible user interface, criminals ordinarily disable the UI for harmful deployments, so there may be no visible symptoms of infection. Anti-malware software can delete the RMS RAT and similar Remote Access Trojans automatically if given the opportunity.

Attacks by the RMS RAT tend to use both broad, general-public tactics like fake IRS notifications and ones that narrowly target particular industries. Users who do not learn the telltale signs of these lures will find their computers on the hook for extremely invasive attacks, all thanks to Russian source code that anyone can pick up and misuse.