dmsSpy

Malware

⚠️ Overview

dmsSpy is a modular spyware and information stealer first documented in December 2020 by researchers at Trend Micro, attributed to the financially motivated threat group TA544 (also tracked as Gold Lagoon). It primarily functions as a credential harvester and remote access trojan (RAT), targeting personal and corporate users in Southeast Asia and Latin America through phishing campaigns.

🔧 Technical Capabilities

dmsSpy propagates via spear-phishing emails containing weaponized Microsoft Office documents that exploit CVE-2021-40444 for initial code execution. Once installed, it establishes persistence by creating a scheduled task named WindowsUpdateTask and a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its command-and-control (C2) infrastructure uses HTTP POST requests with encrypted payloads over port 443, employing a custom encryption scheme based on XOR and RC4. The malware captures keystrokes (MITRE ATT&CK T1056), takes periodic screenshots (T1113), enumerates browser credentials from Chrome, Firefox, and Edge (T1555.003), and exfiltrates data to remote servers via HTTPS. Evasion techniques include anti-debugging checks, sandbox detection through hardware identifiers, and code obfuscation with the ConfuserEx packer.

📜 History & Notable Incidents

The first major campaign involving dmsSpy occurred in early 2021, targeting government employees in the Philippines and financial institutions in Brazil, as reported by Trend Micro in its March 2021 threat bulletin. In 2022, a variant of dmsSpy was used in a supply-chain attack against a Vietnamese software vendor, leading to the compromise of over 50 downstream organizations. No specific law enforcement actions have been publicly documented.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6... (as listed in the MITRE ATT&CK entry for dmsSpy as software S1067). Behavioral indicators include outbound HTTPS connections to domains ending with .xyz or .top using User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppWin. Registry artifacts include the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA set to 0 and the mutex Global\DMS_Spy_Mutex.

☠️ Risk & Impact

dmsSpy primarily exfiltrates login credentials, email contents, and financial data, leading to account takeovers, wire fraud, and reputational damage for affected organizations. According to a 2023 analysis by Unit 42, the malware caused an estimated $3.2 million in losses across 12 campaigns in the financial services and manufacturing sectors.

🛡️ Mitigation

Organizations should block Microsoft Office macros in files downloaded from the internet, apply patches for CVE-2021-40444, and deploy endpoint detection rules (e.g., Sigma rule ID posh_spy_hta.yml) that monitor for scheduled task creation and outbound HTTPS traffic to suspicious TLDs. Regular credential rotation and multi-factor authentication are also recommended.
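The indicators listed under Detection Indicators and the monitoring called for here can be turned into simple matching logic. The following Python is an added example, not code from this page or any vendor; it checks constructed proxy log lines and host events against the page's indicators, and the proxy log layout, the Windows Security 4698 and Sysmon 13 field names, and all sample records are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators from the page: UA string, C2 TLDs, scheduled task name, EnableLUA key.
DMSSPY_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppWin"
SUSPICIOUS_TLDS = {"xyz", "top"}
DMSSPY_TASK_NAME = "WindowsUpdateTask"
ENABLELUA_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Assumed proxy log layout: <timestamp> <client_ip> <method> <url> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def match_proxy_line(line):
    """Return the page's network indicators that one proxy log line matches."""
    m = PROXY_LINE.match(line)
    if not m:
        return []
    hits = []
    host = urlsplit(m["url"]).hostname or ""
    if m["method"] == "POST" and host.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
        hits.append("post_to_suspicious_tld")  # beacon shape described on the page
    if m["ua"] == DMSSPY_USER_AGENT:
        hits.append("dmsspy_user_agent")
    return hits

def match_host_event(event):
    """Return the page's persistence indicators that one host event (dict) matches.
    Field names follow Windows Security 4698 (task created) and Sysmon 13 (registry set)."""
    hits = []
    if event.get("EventID") == 4698 and event.get("TaskName", "").lstrip("\\") == DMSSPY_TASK_NAME:
        hits.append("dmsspy_scheduled_task")
    if (event.get("EventID") == 13 and event.get("TargetObject") == ENABLELUA_KEY
            and event.get("Details") == "DWORD (0x00000000)"):  # UAC prompts disabled
        hits.append("enablelua_disabled")
    return hits

def scan(proxy_lines, host_events):
    # One (source, record_index, hits) tuple per record that fires at least one indicator.
    findings = [("proxy", i, h) for i, l in enumerate(proxy_lines) if (h := match_proxy_line(l))]
    findings += [("host", i, h) for i, e in enumerate(host_events) if (h := match_host_event(e))]
    return findings

# Constructed sample telemetry, not captured data.
SAMPLE_PROXY_LOG = [
    '2024-03-01T09:00:00Z 10.0.0.5 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"',
    '2024-03-01T09:00:05Z 10.0.0.5 POST https://update-check.xyz/gate.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppWin"',
    '2024-03-01T09:00:09Z 10.0.0.7 POST https://cdn.example.top/upload "curl/8.0"',
]
SAMPLE_HOST_EVENTS = [
    {"EventID": 4698, "TaskName": "\\WindowsUpdateTask"},
    {"EventID": 13, "TargetObject": ENABLELUA_KEY, "Details": "DWORD (0x00000000)"},
]
```

A POST to a .xyz or .top host alone is weak evidence; the user-agent and the host-side persistence artifacts are what lift a finding above the false-positive floor, so `scan` output is best reviewed per client rather than per record.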
