Full Report
The malware used in these attacks installs legitimate remote administration software – TeamViewer or RMS – on the system. This enables the attackers to gain remote control of infected systems.
Analysis Summary
# Tool/Technique: TeamViewer and RMS Remote Administration Software
## Overview
The malware discussed in the context is designed to install legitimate remote administration software, specifically **TeamViewer** or **Remote Monitoring and Management (RMS)** software, onto compromised systems. The purpose of this activity is to facilitate **remote control and persistence** for the attackers over the infected network infrastructure, often targeting industrial enterprises.
## Technical Details
- Type: Tool (Legitimate Remote Administration Software used for malicious purposes)
- Platform: Windows (implied; both tools are commonly deployed on Windows hosts for remote administration)
- Capabilities: Providing legitimate, encrypted remote access and control over the infected endpoint.
- First Seen: The context indicates a report published in August 2018, suggesting the observed activity involving these standard tools was active around this time.
## MITRE ATT&CK Mapping
Since the malware's function is to install and utilize these tools, the primary focus is on how remote access is established and maintained.
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (TeamViewer/RMS may use standard protocols for staging or initial beaconing)
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services
    - T1021.001 - Remote Desktop Protocol (if used as a direct replacement for, or alongside, the installed software)
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder (often used by remote access tools to survive a system reboot)
## Functionality
### Core Capabilities
- **Remote Desktop Access:** Establishing a graphical user interface (GUI) connection to the compromised host.
- **System Control:** Executing arbitrary commands and managing files; any privilege escalation would come from the initial malware dropper, whose capabilities are not detailed here.
- **Data Exfiltration:** Facilitating data transfer (uploading tools, downloading data) over the established secure connection.
### Advanced Features
- **Encrypted Communication:** Both TeamViewer and RMS utilize encryption, making traffic analysis difficult for defenders.
- **Stealth/Legitimacy:** Commercially available, signed software is trusted by default by many security monitoring tools, so its running processes attract less scrutiny and are harder to flag.
## Indicators of Compromise
Because the malware installs *legitimate* software, traditional malware IOCs (file hashes, specific C2 domains) for the **RMM software itself** may be absent or vary widely with the initial delivery mechanism.
- File Hashes: N/A (Dependent on the specific version/install package of TeamViewer/RMS deployed)
- File Names: Potentially standard installation artifacts for TeamViewer (`TeamViewer.exe`) or RMS products.
- Registry Keys: Keys associated with the installed remote access software instructing it to connect to a specific, attacker-controlled ID/account.
- Network Indicators: Traffic directed towards known TeamViewer infrastructure or attacker-controlled endpoints using RMS protocols. The initial C2 vector for the malware dropper is unknown from this context alone.
- Behavioral Indicators: Unexpected installation of legitimate remote access solutions on production/industrial control system (ICS) assets lacking prior justification.
## Associated Threat Actors
The article explicitly mentions targeting **industrial enterprises**. While specific threat group attribution is not provided in the context snippet, the use of accessible RMM tools often points toward financially motivated groups, sophisticated cybercrime syndicates, or state-sponsored actors seeking long-term access to valuable infrastructure.
## Detection Methods
- **Signature-based detection:** Signatures would have to target the initial malware delivery mechanism rather than the RMM software itself. Signatures for known RMM installers or configuration files may help only where those deviate from standard commercial deployments.
- **Behavioral detection:** Monitoring for unauthorized installation of remote access software, especially on sensitive assets like ICS workstations.
- **YARA rules:** Potentially applicable to initial stage droppers or configuration files used to set up the RMM tool.
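The behavioral indicator in the IOC section and the behavioral detection method above both reduce to the same check: a remote-administration executable appearing on a host where it is not expected. The following is an added example (not code from the original report) that runs that check over a small process-creation log and an asset inventory. The log format, hostnames, the `ASSET_INVENTORY` contents and the RMS executable names (`rutserv`, `rutview`) are all assumptions constructed for this example; in practice the patterns and inventory would come from your own software and asset management records.

```python
"""Flag remote-administration tools running on hosts where they are not approved.

Added example; not part of the original report. Log lines, hostnames, asset tags
and tool process names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed process-creation log, one event per line. The field layout is
# assumed for this example and is not any product's export format.
SAMPLE_LOG = """\
2018-08-01T09:12:03Z host=ENG-WS-07 user=operator image=C:\\Windows\\System32\\svchost.exe
2018-08-01T09:15:41Z host=ENG-WS-07 user=operator image=C:\\Users\\operator\\AppData\\Local\\Temp\\TeamViewer_Setup.exe
2018-08-01T09:16:10Z host=ENG-WS-07 user=operator image=C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe
2018-08-01T10:02:55Z host=IT-HELPDESK-02 user=admin image=C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe
2018-08-01T11:30:00Z host=HMI-LINE3 user=SYSTEM image=C:\\ProgramData\\RMS\\rutserv.exe
"""

# Constructed asset inventory: zone (OT = ICS/industrial, IT = office) and which
# remote tools, if any, are approved on that host.
ASSET_INVENTORY: Dict[str, dict] = {
    "ENG-WS-07": {"zone": "OT", "approved_remote_tools": set()},
    "HMI-LINE3": {"zone": "OT", "approved_remote_tools": set()},
    "IT-HELPDESK-02": {"zone": "IT", "approved_remote_tools": {"teamviewer"}},
}

# Patterns matched against the executable's file name. The RMS names are an
# assumption for this example; confirm them against your own software inventory.
REMOTE_TOOL_PATTERNS = {
    "teamviewer": re.compile(r"teamviewer", re.IGNORECASE),
    "rms": re.compile(r"^(rutserv|rutview)", re.IGNORECASE),
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$"
)


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    tool: str
    image: str
    severity: str
    reason: str


def identify_tool(image_path: str) -> Optional[str]:
    """Return the remote tool family for an executable path, or None."""
    name = PureWindowsPath(image_path).name
    for tool, pattern in REMOTE_TOOL_PATTERNS.items():
        if pattern.search(name):
            return tool
    return None


def classify(host: str, tool: str, inventory: Dict[str, dict]) -> Optional[Tuple[str, str]]:
    """Decide whether a tool sighting on a host warrants an alert.

    OT/ICS assets get a high-severity alert regardless of approval lists, since the
    report's behavioral indicator is exactly this: remote access software on ICS
    assets without prior justification. Unknown hosts and unapproved tools on IT
    hosts are medium; approved tools on IT hosts are not alerted.
    """
    asset = inventory.get(host)
    if asset is None:
        return "medium", "host not in asset inventory"
    if asset["zone"] == "OT":
        return "high", "remote-administration tool on OT/ICS asset"
    if tool not in asset["approved_remote_tools"]:
        return "medium", "tool not approved for this host"
    return None


def detect(log_text: str, inventory: Dict[str, dict]) -> List[Alert]:
    """Parse the log and return one Alert per unexpected remote-tool execution."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        tool = identify_tool(match["image"])
        if tool is None:
            continue
        verdict = classify(match["host"], tool, inventory)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append(Alert(match["ts"], match["host"], match["user"], tool,
                            match["image"], severity, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ASSET_INVENTORY):
        print(f"[{alert.severity}] {alert.timestamp} {alert.host} ({alert.user}) "
              f"{alert.tool}: {alert.image} - {alert.reason}")
```

On the constructed log this yields three high-severity alerts (two TeamViewer events on the engineering workstation and one RMS service on the HMI) and none for the help-desk host, where TeamViewer is approved. Matching on the installer file name as well as the installed binary catches the event before the tool is fully set up, and keying the severity on the asset's zone rather than on the tool alone is what keeps legitimate IT use from drowning the ICS cases that matter.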
## Mitigation Strategies
- **Prevention measures:** Strict application whitelisting to prevent unauthorized execution of non-standard binaries, including RMM installers.
- **Hardening recommendations:** Network segmentation to isolate ICS/OT environments from general IT networks where such compromise often originates. Disabling administrative tools on systems that do not require them for normal operation. Disabling the ability for standard users to install software.
## Related Tools/Techniques
- Any other legitimate software used maliciously for remote access (e.g., AnyDesk, VNC, legitimate RDP connections established after exploitation).
- Standard initial access malware families that drop these tools (e.g., Emotet, TrickBot variants, or custom droppers).