RM3

Malware

⚠️ Overview

RM3 is a modular remote access trojan (RAT) first documented by Proofpoint in December 2022, attributed to the threat actor group TAG-38. It is classified as an information stealer and backdoor, primarily distributed via phishing campaigns targeting financial and government sectors.

🔧 Technical Capabilities

RM3 propagates through spear-phishing emails carrying malicious Excel attachments that exploit CVE-2023-23397 (Microsoft Outlook privilege escalation) to execute the initial payload. It establishes persistence by creating a scheduled task named "RM3Updater" and by adding a value named "rm3svc" under the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The C2 infrastructure uses HTTPS over port 443 with a custom Base64-encoded URI scheme and a domain-generation algorithm (DGA) for fallback domains. Evasion techniques include AMSI patching via direct memory modification (MITRE ATT&CK T1562.001) and process hollowing (T1055.012) to inject into legitimate processes such as explorer.exe. The RAT captures keystrokes (T1056.001), takes screenshots (T1113), and exfiltrates files via FTP to a remote server using hardcoded credentials.

📜 History & Notable Incidents

RM3 first appeared in late 2022, with a major campaign in Q1 2023 targeting over 200 European financial institutions. The group abused CVE-2023-23397 to gain initial access, leading to the theft of banking credentials and account takeovers. No law enforcement actions have been reported as of October 2023.

🔍 Detection Indicators

Known file hashes include SHA256: 4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a. Behavioral indicators include creation of a mutex named "RM3_Global_Mutex", the registry key HKCU\Software\RM3, and the network IOC domain "rm3-update[.]com" with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36". Process memory scans reveal hollowing patterns in svchost.exe.
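The persistence mechanisms and behavioral indicators above translate directly into a host triage check. The following PowerShell script is an added example, not code from the page or from Proofpoint; the task name, run-key value, registry key, mutex name and C2 domain come from this profile, while the use of the DNS client cache and the "Global\" mutex variant are assumptions of the example.

```powershell
# Added host-triage script (example, not from the original page or any vendor).
# Checks a Windows host for the RM3 persistence and behavioral indicators listed above.
# Run from an elevated PowerShell session so scheduled tasks and HKCU of the current user are readable.
$findings = @()

# Scheduled task "RM3Updater" (page indicator)
$task = Get-ScheduledTask -TaskName 'RM3Updater' -ErrorAction SilentlyContinue
if ($task) {
    $findings += "Scheduled task present: $($task.TaskPath)$($task.TaskName) -> $($task.Actions.Execute)"
}

# Value "rm3svc" under the HKCU run key (page indicator)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'rm3svc' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run key value present: $runKey\rm3svc = $($run.rm3svc)"
}

# Configuration key HKCU\Software\RM3 (page indicator)
if (Test-Path 'HKCU:\Software\RM3') {
    $findings += 'Registry key present: HKCU\Software\RM3'
}

# Mutex "RM3_Global_Mutex": TryOpenExisting succeeds only while a running process holds it.
# The page gives the bare name; checking the Global\ namespace too is an assumption.
foreach ($name in @('RM3_Global_Mutex', 'Global\RM3_Global_Mutex')) {
    $mutex = $null
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
        $findings += "Mutex $name is held by a running process"
        $mutex.Dispose()
    }
}

# Recent resolution of the C2 domain (defanged on the page; re-joined here only for matching)
$c2 = 'rm3-update.com'
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$c2*" }
if ($dns) {
    $findings += "DNS cache entry for $c2"
}

if ($findings.Count -eq 0) {
    Write-Output 'No RM3 indicators found on this host.'
} else {
    Write-Warning 'RM3 indicators found; isolate the host and capture memory before remediating.'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A clean result only rules out the listed artifacts on this host; the page also notes hollowing patterns in process memory, which need a memory scan rather than this registry and task check.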

☠️ Risk & Impact

RM3 enables credential theft and exfiltration of sensitive documents, leading to financial losses in the banking sector. Affected industries include financial services, energy, and government, with average incident response costs exceeding $2 million per campaign.

🛡️ Mitigation

Mitigation includes patching CVE-2023-23397 (Microsoft Security Advisory January 2023), enabling macro security controls, and deploying EDR rules to detect process hollowing and AMSI bypass (e.g., Sigma rule for patched amsi.dll). Network segmentation and blocking IOCs from Proofpoint's threat report are recommended.
