
Fake Ukrainian Bank Invoice Contains Malicious RMS Tool


Throughout 2024, we’ve been seeing hackers increasingly rely on legitimate services to carry out attacks. 

The X-Labs team recently observed an interesting small attack pretending to be a legitimate Ukrainian bank payment confirmation. In this case, they used a Remote Manipulator System (RMS) tool to gain control of infected systems. Here's an analysis of this recent attack.

All the emails observed in this campaign shared the same subject line, “Платіжне доручення” (Payment Order) and appeared to come from different senders—likely compromised email accounts.

Fig. 1 - View of received email

This attack targets government domains as well as well-known companies. Interestingly, while the email content is in Ukrainian, it is likely that the recipients do not speak the language, which raises suspicions about the attack's intent. The body of the email is brief and identical across samples; the only variation is the sender's name in the signature, which matches the name in the "From" field. These names are unusually rare, even for native Ukrainian speakers.

Attached to the email is a PDF that mimics an official letterhead from the biggest Ukrainian state bank, "Privat Bank," requesting confirmation of a payment.

Fig. 2 - PDF attachment

The document contains a link that leads to a Bitbucket site: hxxps://bitbucket[.]org/invoicepays/file/downloads/doc.7. This link initiates the download of a zipped file. When unpacked, it contains a folder, which in turn holds another zip file.

Fig. 3 - Contents of downloaded ZIP file

Within this second ZIP archive there are two items: one is a folder, the other is another PDF.

Fig. 4 - Contents of second ZIP archive

Inside the folder are two more files: a text file containing a password, and the password-protected RAR archive that the password unlocks.

Fig. 5 - Contents of second ZIP folder

When unlocked using the provided password, the password-protected RAR archive opens into a folder containing two PDF files and an SCR file.

Fig. 6 - Contents of password-protected RAR archive

Because the SCR file runs quietly in the background, it is very possible that a user only notices the PDF documents nested between the directories and archives while the SCR file does its job.
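As an added example (not code from the original post), a small Python inspector that walks a nested ZIP chain in memory and flags the traits of the lure described above: deep nesting, a password note stored beside an archive, and an executable dropped next to decoy PDFs. The RAR layer is modelled as a plain ZIP, and all sample data is constructed, because the standard library cannot write RAR or encrypted archives.

```python
import io
import re
import zipfile

# Added example, not Forcepoint's code: recursive ZIP walk that records the traits seen in
# this campaign's archive chain as (trait, member path, nesting depth) tuples.
EXEC_EXT = (".scr", ".exe", ".msi", ".bat", ".cmd", ".js", ".vbs")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
PASSWORD_NOTE = re.compile(r"password|пароль|pass", re.I)

def inspect_archive(blob, depth=0, path="", findings=None):
    """Recursively open ZIP members and collect suspicious traits."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = [zi for zi in zf.infolist() if not zi.is_dir()]
        has_archive = any(zi.filename.lower().endswith(ARCHIVE_EXT) for zi in members)
        for zi in members:
            full, lower = f"{path}{zi.filename}", zi.filename.lower()
            encrypted = bool(zi.flag_bits & 0x1)  # password-protected member, as in Fig. 6
            if encrypted:
                findings.append(("encrypted_member", full, depth))
            if lower.endswith(EXEC_EXT):
                findings.append(("executable_in_archive", full, depth))
            if lower.endswith(".txt") and has_archive and not encrypted:
                text = zf.read(zi).decode("utf-8", "replace")
                if PASSWORD_NOTE.search(lower) or PASSWORD_NOTE.search(text):
                    findings.append(("password_note_beside_archive", full, depth))
            if lower.endswith(".zip") and not encrypted:
                inspect_archive(zf.read(zi), depth + 1, full + "!/", findings)
    if depth == 0 and findings and max(f[2] for f in findings) >= 2:
        findings.append(("deep_nesting", path or "<root>", max(f[2] for f in findings)))
    return findings

def _zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-in for the chain in Figs. 3-6; the RAR layer is a plain ZIP here.
INNER_RAR = _zip({"docs/invoice.pdf": b"%PDF-1.4 decoy", "docs/scan.pdf": b"%PDF-1.4 decoy",
                  "docs/payment.pdf.scr": b"MZ constructed stub"})
SECOND_ZIP = _zip({"docs/password.txt": b"password: 1234", "docs/archive.zip": INNER_RAR,
                   "letter.pdf": b"%PDF-1.4 decoy"})
SAMPLE = _zip({"doc/inner.zip": SECOND_ZIP})
```

Running `inspect_archive(SAMPLE)` reports the password note at depth 1, the `.scr` at depth 2 and a deep-nesting finding for the whole chain.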

Analysis of the SCR file:

It is a self-extracting (SFX) RAR installer that carries another .msi installer in its resource section; the SFX extracts it as part of its execution.

Fig. 7 - SFX RAR installer with embedded .msi and PDF files

It also extracts legitimate PDFs and displays them in order to hide background installation activity from the user.

Fig. 8 - Displayed PDF image to hide RMS execution

Analysis of dropped MSI file 

The MSI file installs the RMS tool and its supporting components, including rutserv.exe and rfusclient.exe.

Fig. 9 - Malicious actions performed via MSI using rutserv.exe and rfusclient.exe

Fig. 10 - RMS tool installation interface

Fig. 11 - RMS tool license agreement

Rutserv.exe and rfusclient.exe both appear to be modified versions compiled with the Embarcadero Delphi compiler. Attackers can leverage these tools, which auto-connect and exfiltrate system information to a Russian remote Command and Control (C2) server.

Fig. 12 - C2 network traffic

Rfusclient.exe activity:

  • Looks up the country code configured in the registry, likely as a geofence check, by querying “\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation”.
  • Enumerates physical storage devices.

Rutserv.exe activity:

  • Manages system restore points, creating registry entries via the legitimate process SrTasks.exe.
  • Uses the Volume Shadow Copy service, vssvc.exe, which is used to manage backups/snapshots.
  • C2 connection on unusual ports.
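As an added detection example (not part of the original post), the rutserv.exe and rfusclient.exe behaviours listed above turned into rules run over constructed Sysmon-style events. The event field names, the install path, the placeholder SID and addresses, and the expected-port list are assumptions; the binary names, the Geo\Nation key and the MSI delivery come from the analysis.

```python
import re

# Added detection example, not Forcepoint's code. Rules cover the SFX spawning msiexec,
# RMS binaries installed via MSI, the Geo\Nation geofence lookup and C2 on unusual ports.
RMS_IMAGES = {"rutserv.exe", "rfusclient.exe"}
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
EXPECTED_PORTS = {80, 443}  # assumption: ports this network expects remote-access traffic on

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) alerts for the behaviours described in this campaign."""
    alerts = []
    for ev in events:
        img = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        if ev["type"] == "process" and img == "msiexec.exe" and parent.endswith(".scr"):
            alerts.append(("scr_spawned_msiexec", f"{parent} -> {img}"))  # SFX dropping the MSI
        elif ev["type"] == "process" and img in RMS_IMAGES:
            if parent == "msiexec.exe":
                alerts.append(("rms_installed_via_msi", ev["image"]))
            elif parent not in RMS_IMAGES:
                alerts.append(("rms_binary_unexpected_parent", f"{parent} -> {img}"))
        elif ev["type"] == "registry" and img in RMS_IMAGES and GEO_KEY.search(ev["key"]):
            alerts.append(("rms_geofence_lookup", ev["key"]))
        elif ev["type"] == "network" and img in RMS_IMAGES and ev["dst_port"] not in EXPECTED_PORTS:
            alerts.append(("rms_c2_unusual_port", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return alerts

# Constructed events modelled on Figs. 9-12 (install path, SID and addresses are placeholders).
RMS_DIR = r"C:\Program Files (x86)\Remote Manipulator System - Host"
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\RarSFX0\payment.scr"},
    {"type": "process", "image": RMS_DIR + r"\rutserv.exe", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "image": RMS_DIR + r"\rfusclient.exe", "parent": RMS_DIR + r"\rutserv.exe"},
    {"type": "registry", "image": RMS_DIR + r"\rfusclient.exe",
     "key": r"HKU\S-1-5-21-0-0-0-1000\Control Panel\International\Geo\Nation"},
    {"type": "network", "image": RMS_DIR + r"\rutserv.exe", "dst_ip": "203.0.113.10", "dst_port": 8443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.20", "dst_port": 443},
]
```

`detect(EVENTS)` yields four alerts, one per rule, while the rfusclient.exe launch by rutserv.exe and the browser's port-443 connection produce none.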

Conclusion:

We observed a malware sample that spreads an RMS tool. It appears to target various government entities and large businesses via a suspicious fake PDF invoice that urges users to click a malicious link. The link downloads numerous archives and files, extracting and installing the RMS tool in the background with the main goal of recording user activity and ultimately controlling the victim's system.

Protection Statement: 

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – Malicious PDF attachments associated with this attack are identified and blocked.
  • Stage 3 (Redirection) – The Bitbucket URL is categorized under a security classification.
  • Stage 5 (Dropper File) – The dropper files are added to the Forcepoint malicious file database and are blocked.
  • Stage 6 (Call Home) - Blocked C2 credentials

IOCs

Payload HASH:


Download URL:

hxxps://bitbucket[.]org/invoicepays/file/downloads/doc.7

C2s:

  • 95[.]213[.]205[.]83
  • 111[.]90[.]140[.]34
  • 65[.]21[.]245[.]7

Pavlo Prodanchuk

Pavlo Prodanchuk serves as a Security Researcher with the Forcepoint X-Labs Threat Research team. He focuses on detecting and analyzing web, email, and file-based cyberattacks. Pavlo is passionate about identifying emerging threats and developing proactive defenses to enhance security across digital environments.
