0 minutos de leitura
Fake Ukrainian Bank Invoice Contains Malicious RMS Tool
Pavlo Prodanchuk
Throughout 2024, we’ve been seeing hackers increasingly rely on legitimate services to carry out attacks.
The
All the emails observed in this campaign shared the same subject line, “Платіжне доручення” (Payment Order) and appeared to come from different senders—likely compromised email accounts.
Fig. 1 - View of received email
This attack targets government domains as well as well-known companies. Interestingly, while the email content is in Ukrainian, it’s likely the recipients do not speak the language—raising suspicions about the attack's intent. The body of the email is brief and identical across samples. The only variation being the sender's name in the signature part, which matches the name in the "From" field. These names are unusually rare, even for native Ukrainian speakers.
Attached to the email is a PDF that mimics an official letterhead from biggest Ukrainian state bank "Privat Bank," requesting confirmation of a payment.
Fig. 2 - PDF attachment
The document contains a link that leads to a Bitbucket site: hxxps://bitbucket[.]org/invoicepays/file/downloads/doc.7. This link initiates the download of a zipped file. When unpacked, it contains another folder and inside with another zip file.
Fig. 3 - Contents of downloaded ZIP file
Within this second Zip, there are two files: one is a folder, the other is another PDF.
Fig. 4 - Contents of second ZIP archive
Inside the folder we have two more files. This time, it’s a text file with a password that unlocks a password-protected RAR archive.
Fig. 5 - Contents of second ZIP folder
When unlocked using the provided password, the password-protected RAR archive opens into a folder containing two PDF files and an SCR file.
Fig. 6 - Contents of password-protected RAR archive
While it runs quietly in the background, it’s very possible that a user only observes the PDF documents nested between directories and archives while the SCR file does its job.
Analysis of the SCR file:
It is an SFX self-extracting RAR installer file that contains another .msi installer in its resource section. The SFX extracts it as part of the execution.
Fig. 7 - SFX RARA installer with embedded .msi and PDF files
It also extracts legitimate PDFs and displays them in order to hide background installation activity from the user.
Fig. 8 - Displayed PDF image to hide RMS execution
Analysis of dropped MSI file
The MSI file install installs RMS tools and its supporting components including rutserv.exe and rfusclient.exe.
Fig. 9 - Malicious actions performed via MSI using rutserv.exe and rfusclient.exe
Fig. 10 - RMS tool installation interface
Fig. 11 - RMS tool license agreement
Rutserv.exe and Rfusclient.exe both look to be a modified version compiled with the Embarcadero Delphi compiler. Attackers can leverage these tools that auto-connects and exfiltrate system information to a Russian remote Command and Control server.
Fig. 12 - C2 network traffic
Rfusclient.exe activity:
- Looks up country code configured in the registry, likely geofence. Queries to “\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation”
- Enumerates physical storage devices.
Rutserv.exe activity:
- Manages system restore points by creating registry via legit process SrTasks.exe.
- Uses Volume shadow copy service vssvc.exe which is is used to manage backups/snapshots.
- C2 connection on unusual ports.
Conclusion:
Observed malware sample that spreads an RMS tool. It seems to be targeting different government entities and large businesses via a suspicious fake PDF invoice that urges users to click on a malicious link. It downloads numerous archives and files while extracting and installing the RMS tool in the background with main goal of recording user activity and to ultimately control a victim’s system.
Protection Statement:
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 2 (Lure) – Malicious PDF attachments associated with this attack is identified and blocked.
- Stage 3 (Redirection) – Bitbucket URL is categorized under security classification.
- Stage 5 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
- Stage 6 (Call Home) - Blocked C2 credentials
IOCs
Payload HASH:
- b6892fcec850a1dc9d20418c4e2d70f2dac2792f - pdf
- e186dc51797d75c11ef6826448c1a9b6ed9c333b - 7z
- dcef5895fcbdaa228d1b8d4df29cedb033c4633c - rar
- b64a9c36caa481dd75161d3c9b07ef67cc35072b - scr
- b5481a9f440aa1fb9e6442d8cc2331858f652a00 - msi
- e8136675e22d5702da6c9095384ad0b0035689f7 - exe
- 8e782dd229d0a7b19ca99219a974d740d85a9a96 - exe
Download URL:
hxxps://bitbucket[.]org/invoicepays/file/downloads/doc.7
C2s:
- 95[.]213[.]205[.]83
- 111[.]90[.]140[.]34
- 65[.]21[.]245[.]7
Pavlo Prodanchuk
Leia mais artigos de Pavlo ProdanchukPavlo Prodanchuk serves as a Security Researcher with the Forcepoint X-Labs Threat Research team. He focuses on detecting and analyzing web, email, and file-based cyberattacks. Pavlo is passionate about identifying emerging threats and developing proactive defenses to enhance security across digital environments.
No Artigo
X-Labs
Get insight, analysis & news straight to your inbox
Ao Ponto
Cibersegurança
Um podcast que cobre as últimas tendências e tópicos no mundo da cibersegurança
Ouça Agora