The attacks use remote administration utilities whose graphical user interface is hidden by the malware, enabling the attackers to control the infected system without the user’s knowledge.
# Tool/Technique: Remote Administration Tool (RAT) Stealth Wrapper
## Overview
This technique involves the unauthorized deployment of legitimate Remote Administration Tools (RATs), specifically **Remote Manipulator System (RMS)** and **TeamViewer**, configured to run in a fully "hidden" mode. Attackers use malicious loaders to suppress the graphical user interface (GUI) and notification icons of these tools, turning legitimately signed software into a stealthy channel for persistent remote access and data exfiltration.
## Technical Details
- **Type:** Malware (Wrapper/Loader) and Potentially Unwanted Tool (RAT)
- **Platform:** Windows (primarily targeting industrial enterprises)
- **Capabilities:** Hidden remote desktop control, file transfer, microphone/camera access, and system management.
- **First Seen:** Early 2018 (with significant activity spikes in 2019-2020)
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools
  - T1564.003 - Hide Artifacts: Hidden Window
  - T1027 - Obfuscated Files or Information
- **TA0007 - Discovery**
  - T1018 - Remote System Discovery
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1123 - Audio Capture
- **TA0011 - Command and Control**
  - T1219 - Remote Access Software
## Functionality
### Core Capabilities
- **Desktop Control:** Real-time viewing and interaction with the victim's desktop.
- **File Management:** Uploading and downloading files to/from the compromised host.
- **Stealth Execution:** Modification of the RAT's configuration to disable tray icons, pop-ups, and "Incoming Connection" notifications.
### Advanced Features
- **Loader Decryption:** The deployment chain uses a multi-stage loader that decrypts the RAT's legitimate components in memory or into temporary directories, so the unmodified, signed RAT binaries never appear on disk until the final stage.
- **Privilege Escalation:** Use of exploit modules or credential harvesting to gain administrative rights for software installation.
- **Task Killers:** Scripts designed to terminate local antivirus or security monitoring software before deploying the RAT.
## Indicators of Compromise
*Note: Indicators vary by campaign; those provided represent common attributes of these attacks.*
- **File Names:**
- `ll.exe` / `l.exe` (typically the malicious loader)
- `Rutserv.exe` (the legitimate RMS host/service binary; suspicious when found outside a sanctioned install location)
- `TView.exe` (renamed TeamViewer component)
- **Registry Keys:**
- `HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System`
- `HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System`
- **Network Indicators:**
- `111.90.158[.]156`
- `83.166.241[.]175`
- `185.25.51[.]107`
- **Behavioral Indicators:**
- Creation of a system service or "Run" key pointing to an executable in `C:\Users\Public\` or `%TEMP%\`.
- Legitimate TeamViewer/RMS binaries launched with command-line arguments such as `--hidden` or `--password` that suppress the UI or preset an access password (the exact switch names vary by tool and version).
## Associated Threat Actors
- While specific attribution is often linked to financially motivated groups, the techniques have been observed in broad campaigns targeting **Industrial Control Systems (ICS)** and engineering firms globally.
## Detection Methods
- **Signature-based detection:** Detection of known modified versions of `rutserv.exe` or the loaders used to deploy them.
- **Behavioral detection:**
- Monitoring for legitimate remote access tools launched from unusual directories (e.g., `C:\Windows\Temp`).
- Detection of command lines that suppress UI elements (`/hidden`, `/verysilent`).
- **YARA Rule Strategy:** Match the "Remote Manipulator System" and vendor strings in process memory and on-disk binaries found outside sanctioned install paths, and the decryption routines of the loaders; YARA does not scan the registry, so pair it with registry monitoring of the keys listed above.
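The behavioral indicators above are easy to encode as a hunting rule over endpoint telemetry. The following is an added example written for this page (not code from the report or from any vendor): it applies the "watched binary in an unusual directory", "UI-suppression switch" and "persistence pointing at `C:\Users\Public\` or `%TEMP%`" checks to a handful of constructed Sysmon-style process-creation and registry-set events. Host names, SIDs, paths and the service name are invented; `rfusclient.exe` (the RMS client component) and `TeamViewer.exe` are additions to the page's own file list.

```python
import re

# Process names worth watching: those named in the indicators above, plus TeamViewer's
# default executable and RMS's client component (rfusclient.exe, an assumption added here).
WATCHED_BINARIES = {"rutserv.exe", "rfusclient.exe", "tview.exe", "teamviewer.exe", "ll.exe", "l.exe"}

# Locations a sanctioned, centrally installed remote access tool does not run from.
SUSPECT_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")

# Switches that hide the UI or preset a password (as listed on the page; names vary by version).
UI_SUPPRESS = re.compile(r"(?<![\w.])[/-]{1,2}(?:hidden|verysilent|password)\b", re.I)

# Run-key values and service ImagePath values, as they appear in Sysmon event 13 TargetObject.
PERSIST_KEY = re.compile(r"\\currentversion\\run\\[^\\]+$|\\services\\[^\\]+\\imagepath$", re.I)


def _basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def _in_suspect_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(d in p for d in SUSPECT_DIRS)


def _first_path(cmdline: str) -> str:
    """Executable part of a command line or ImagePath value, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.I)  # unquoted path, possibly containing spaces
    return m.group(1) if m else s.split(" ", 1)[0]


def check_process(ev: dict) -> list:
    """Reasons a process-creation event looks like a hidden RAT launch (empty if none)."""
    if _basename(ev["Image"]) not in WATCHED_BINARIES:
        return []
    reasons = []
    if _in_suspect_dir(ev["Image"]):
        reasons.append("watched_binary_in_unusual_dir")
    if UI_SUPPRESS.search(ev.get("CommandLine", "")):
        reasons.append("ui_suppression_switch")
    return reasons


def check_registry(ev: dict) -> list:
    """Reasons a registry-set event looks like RAT persistence (empty if none)."""
    if not PERSIST_KEY.search(ev["TargetObject"]):
        return []
    target = _first_path(ev["Details"])
    reasons = []
    if _in_suspect_dir(target):
        reasons.append("persistence_to_unusual_dir")
    if _basename(target) in WATCHED_BINARIES:
        reasons.append("persistence_for_watched_binary")
    return reasons


def hunt(events: list) -> list:
    """Apply both checks to a batch of events and return one finding per suspicious event."""
    findings = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            reasons = check_process(ev)
        elif ev["EventType"] == "RegistryValueSet":
            reasons = check_registry(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"host": ev["Host"], "event": ev["EventType"], "reasons": reasons,
                             "detail": ev.get("CommandLine") or ev.get("Details")})
    return findings


# CONSTRUCTED sample telemetry (hosts, SIDs, paths and the service name are invented).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "ENG-WS01",
     "Image": r"C:\Users\Public\rutserv.exe",
     "CommandLine": r'"C:\Users\Public\rutserv.exe" /hidden'},
    {"EventType": "ProcessCreate", "Host": "ENG-WS01",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "CommandLine": r'"C:\Program Files\TeamViewer\TeamViewer.exe"'},
    {"EventType": "ProcessCreate", "Host": "HMI-02",
     "Image": r"C:\Windows\Temp\ll.exe", "CommandLine": r"C:\Windows\Temp\ll.exe"},
    {"EventType": "RegistryValueSet", "Host": "HMI-02",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RManService\ImagePath",
     "Details": r"C:\Users\Public\rutserv.exe"},
    {"EventType": "RegistryValueSet", "Host": "ENG-WS01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventType": "RegistryValueSet", "Host": "ENG-WS02",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Local\Temp\TView.exe --hidden"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the rule flags the hidden `rutserv.exe` launch from `C:\Users\Public\`, the loader in `C:\Windows\Temp\`, the service ImagePath and the Run key pointing at those locations, while leaving the sanctioned TeamViewer install and an ordinary OneDrive Run key alone. A legitimate RMS install in `C:\Program Files\` produces no finding on its own, which is the intended trade-off: the signal is the combination of a remote access binary with an unusual location or a UI-suppression switch, not the binary by itself.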
## Mitigation Strategies
- **Software Restriction Policies:** Implement a "Default Deny" policy for applications; block known remote access tools not explicitly authorized for business use.
- **Endpoint Hardening:** Monitor and restrict changes to the Windows Registry, particularly keys associated with Startup and Services.
- **Network Segmentation and Egress Control:** Ensure that administrative interfaces for remote access are only reachable via VPN with Multi-Factor Authentication (MFA). Note that TeamViewer and RMS establish outbound connections to vendor relay infrastructure, so inbound firewall rules alone do not stop them; restrict outbound access to those relay services to explicitly authorized hosts.
## Related Tools/Techniques
- **Ammyy Admin:** Another legitimate RAT frequently abused in similar "hidden" campaigns.
- **AnyDesk:** Increasingly seen as an alternative to TeamViewer in unauthorized deployments.
- **Living off the Land (LotL):** The broader technique of using trusted software for malicious purposes.