RMOT
⚠️ Overview
RMOT is a remote access trojan (RAT) first documented in February 2021 by Proofpoint researchers, who observed it being deployed by the financially motivated threat group TA505 (also tracked as FIN11 or Labyrinth). It is a .NET-based backdoor built for stealthy, long-term access to compromised systems and is used primarily in targeted ransomware and extortion campaigns, typically as the foothold that precedes a Cobalt Strike deployment.
🔧 Technical Capabilities
RMOT establishes persistence either through a scheduled task named "WindowsUpdateTask" or by writing an encrypted payload to the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with its command-and-control (C2) servers over HTTPS, presenting a User-Agent string that begins with Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36, a generic Chrome-on-Windows-7 value chosen to blend in with ordinary browser traffic. The malware injects into legitimate Windows processes (for example svchost.exe) and resolves Windows API functions by hash rather than by name, which defeats signature rules that look for imported function names. Through a plugin architecture it supports file exfiltration, keylogging, screenshot capture, and the download and execution of additional payloads such as Clop ransomware. Initial access and propagation occur through SMB brute-force attacks and phishing emails carrying malicious Excel attachments (XLL add-ins). Its C2 infrastructure often uses compromised WordPress sites as proxy redirectors, so the first-hop destination of a beacon may be a legitimate-looking website rather than the operator's own server.
📜 History & Notable Incidents
RMOT was first deployed in a campaign targeting the healthcare and education sectors in early 2021. In May 2021, TA505 used RMOT as a precursor to Clop ransomware attacks on over 100 organizations, exploiting the Accellion FTA vulnerability CVE-2021-27101. Europol's 2022 takedown of several RMOT C2 servers disrupted operations, but the malware remains active with updated obfuscation. Note that CVE identifiers describe vulnerabilities in software, not malware families, so none is assigned to RMOT itself; the CVEs that matter for defenders are those it exploits for initial access.
🔍 Detection Indicators
The Proofpoint report is cited as the source of a SHA256 file hash, reproduced here as 5e8f7c1a2b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9. As printed, that string is 63 hexadecimal characters, not the 64 a SHA-256 digest has, so it cannot be used as a hash match; verify it against the original report before loading it into a blocklist. Behavioral indicators are more durable: network traffic to TCP port 443 on hosts under the dynamic DNS zones *.ddns.net or *.hopto.org, and creation of the mutex Global\RMOT_Mutex. Because both dynamic DNS hosts and the User-Agent string above are common in benign traffic, alert on the combination rather than on either alone. Registry persistence is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as a value named WindowsMaintenance whose data is a base64-encoded blob; a Run value that holds a blob instead of a command line is anomalous regardless of its name.
☠️ Risk & Impact
RMOT gives the operator full remote control of infected hosts, leading to the exfiltration of sensitive documents, credentials, and financial records. Targeting primarily healthcare, manufacturing, and professional services, it has served as the staging point for ransomware deployments with ransom demands in the millions and significant operational disruption. Its modular design lets it evolve quickly, making it a persistent threat to enterprise networks.
🛡️ Mitigation
Defenders should block execution of .NET assemblies from untrusted paths, enforce application allow-listing, and deploy EDR rules that detect process injection into svchost.exe and the creation of the scheduled task and Run-key value named above. On the network, flag outbound HTTPS to dynamic DNS domains when it is combined with the User-Agent string quoted above. Regular patching of SMB and Microsoft Office vulnerabilities (for example CVE-2017-0199) closes the initial access vectors the malware relies on.
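The following is an added worked example, not code from the original page or from Proofpoint: it implements the two host and network checks described in the Detection Indicators and Mitigation sections above, run over constructed sample data. The proxy log format (tab-separated timestamp, client IP, destination host, port, User-Agent) and the .reg export fragment are assumptions made for the example; the indicator values themselves (domain suffixes, User-Agent prefix, Run key and value name) are the ones the page gives. The Run-key check goes slightly beyond the page by flagging any Run value whose data is a bare base64 blob, since a legitimate Run value holds a command line, and reports whether the value name matches the page's indicator.

```python
import base64
import re
from typing import List, Tuple

# Indicators as given on the page. Treat them as leads, not proof: the UA prefix
# is an ordinary Chrome-on-Windows-7 string and dynamic-DNS hosts have legitimate
# uses, so only the combination of port, host and UA is alerted on.
DYNDNS_SUFFIXES = (".ddns.net", ".hopto.org")
UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WindowsMaintenance"

# Constructed proxy log (assumed format, one request per line):
# timestamp <TAB> client_ip <TAB> dest_host <TAB> dest_port <TAB> user_agent
SAMPLE_PROXY_LOG = """\
2021-03-02T10:01:07Z\t10.0.4.21\tupdate-srv.ddns.net\t443\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
2021-03-02T10:01:09Z\t10.0.4.22\tcam.hopto.org\t443\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/86.0
2021-03-02T10:01:11Z\t10.0.4.21\tupdate.microsoft.com\t443\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
2021-03-02T10:01:12Z\t10.0.4.23\tnotddns.net\t443\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
"""

# Constructed fragment of a "reg export" of the Run key (hypothetical host).
# The WindowsMaintenance data is the base64 of a DOS stub header, i.e. an MZ file.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WindowsMaintenance"="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt"
"""


def is_dyndns_host(host: str) -> bool:
    """True when host is inside one of the dynamic-DNS zones. The suffix includes
    the leading dot, so a look-alike such as 'notddns.net' is not matched."""
    h = host.lower().rstrip(".")
    return any(h.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


def find_c2_beacons(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, host) for requests that match all three page
    indicators at once: TCP/443, a dynamic-DNS destination, and the UA prefix."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) != 5:
            continue  # blank or malformed line: skip rather than crash the scan
        ts, client, host, port, ua = fields
        if port == "443" and is_dyndns_host(host) and ua.startswith(UA_PREFIX):
            hits.append((ts, client, host))
    return hits


_REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def looks_like_base64_blob(data: str, min_len: int = 32) -> bool:
    """Strict base64 test: correct alphabet and padding, decodes cleanly, and long
    enough that short ordinary strings such as 'abcd' are not flagged."""
    if len(data) < min_len or len(data) % 4:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", data):
        return False
    try:
        base64.b64decode(data, validate=True)
    except ValueError:
        return False
    return True


def find_run_key_persistence(reg_export: str) -> List[Tuple[str, bool, bytes]]:
    """Scan a .reg export for Run values whose data is a base64 blob rather than a
    command line. Returns (value_name, name_matches_page_indicator, decoded_bytes)."""
    target_key = RUN_KEY.replace("HKCU", "HKEY_CURRENT_USER").lower()
    in_target = False
    findings = []
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_target = line[1:-1].lower() == target_key
            continue
        m = _REG_VALUE_RE.match(line) if in_target else None
        if not m:
            continue
        name, data = m.groups()
        if looks_like_base64_blob(data):
            findings.append((name, name == RUN_VALUE_NAME, base64.b64decode(data)))
    return findings


if __name__ == "__main__":
    for ts, client, host in find_c2_beacons(SAMPLE_PROXY_LOG):
        print(f"beacon candidate: {ts} {client} -> {host}")
    for name, ioc_match, blob in find_run_key_persistence(SAMPLE_REG_EXPORT):
        print(f"Run value {name!r}: base64 blob of {len(blob)} bytes, "
              f"page indicator name match={ioc_match}, starts with {blob[:2]!r}")
```

Only the first proxy line is reported: the second is a dynamic-DNS host with a different browser, the third is the page's User-Agent going to a Microsoft domain, and the fourth is a look-alike zone. In the registry fragment the OneDrive entry is a normal command line and is ignored, while the WindowsMaintenance value decodes to bytes beginning with "MZ", the signature of a Windows executable stored where a command line belongs.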
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.