RMS
Malware
⚠️ Overview
RMS (Remote Manipulator System) is a legitimate commercial remote desktop product that the Russian state-linked APT group Turla (also known as Venomous Bear and Uroburos, tracked as TA431) has repurposed as a persistent backdoor. It has been observed in Turla operations since at least 2014. When deployed for malicious purposes it is classified as a Remote Access Trojan (RAT), since it gives the operator full remote control of the compromised system.
🔧 Technical Capabilities
RMS provides full graphical remote control, file transfer, and command execution over a custom protocol, typically on TCP port 5655. It is delivered after an initial compromise (often via spear-phishing email or an exploit kit) and establishes a persistent C2 channel by beaconing to attacker-controlled servers. Persistence is achieved through registry Run keys (e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and by masquerading as a system process. Evasion relies on the software's legitimate code signature and behaviour, which makes it hard to distinguish from a benign remote-administration tool. RMS can also be used to stage additional payloads, such as keyloggers or network scanners, and its communications are encrypted, which hampers network-based detection.
📜 History & Notable Incidents
Turla's use of RMS was first publicly documented in 2014 by Kaspersky Lab during an investigation into cyber-espionage operations against Eastern European government and military entities. A major campaign in 2018, detailed by ESET, showed Turla deploying RMS alongside other tools such as ComRAT and Carbon to infiltrate defence ministries and diplomatic missions. Although RMS itself has no associated CVEs (it is abused rather than exploited), Turla has leveraged vulnerabilities such as CVE-2020-1472 (Zerologon) for initial access. No law enforcement actions are specifically tied to RMS, but Turla's infrastructure has been disrupted by takedowns of related command servers.
🔍 Detection Indicators
File hashes cited for RMS include MD5 6b4f4b6f4b6f4b6f4b6f4b6f4b6f4b6f (example from vendor reports) and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (illustrative). Both are placeholders rather than verified indicators (the SHA256 value is the hash of empty input and would match every zero-byte file), so confirm current hashes against vendor reporting before turning them into detection rules. Behavioural indicators include network connections to remote IPs on TCP port 5655 and the presence of the mutex Global\RMS_Mutex. Registry indicators include keys under HKLM\Software\Remote Manipulator System\Server. RMS has no characteristic User-Agent string, but process names such as rms_host.exe or rms_client.exe are common.
☠️ Risk & Impact
RMS enables prolonged unauthorised access, leading to extensive data exfiltration, intelligence theft, and lateral movement within victim networks. Impacts are primarily felt by government, military, and diplomatic sectors in Eastern Europe and Central Asia, with significant geopolitical consequences rather than direct financial losses. The covert nature of the backdoor often allows attackers to maintain access for years, as seen in Turla’s sustained campaigns.
🛡️ Mitigation
Defend against RMS by blocking outbound traffic to unknown IP addresses on TCP port 5655, implementing application whitelisting so that rms_host.exe and rms_client.exe cannot run on hosts where RMS is not an approved tool, and deploying EDR rules that detect the RMS mutex and registry keys. Regular network monitoring for unusual beaconing patterns and prompt patching of the vulnerabilities Turla uses for initial access (e.g. CVE-2020-1472) are also critical.
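The behavioural indicators from the Detection Indicators and Mitigation sections, turned into a small triage script as an added example (not code from this page, Boteraser or the RMS vendor). It runs over constructed Sysmon-style JSON events; the event layout, field names and the approved-host allowlist are assumptions, and the placeholder hashes are deliberately not used.

```python
"""Added example (not the page's or the vendor's code): flag the behavioural RMS
indicators from this profile in Sysmon-style JSON events and suppress hits on hosts
where RMS is an approved tool. Event layout and allowlist are assumptions."""
import json

RMS_PORT = 5655
RMS_PROCESSES = {"rms_host.exe", "rms_client.exe"}
RMS_MUTEX = r"Global\RMS_Mutex"
RMS_REG_KEY = r"HKLM\Software\Remote Manipulator System\Server".lower()
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".lower()
APPROVED_RMS_HOSTS = {"admin-ws-01"}  # assumed allowlist of sanctioned RMS installs


def classify(event):
    """Return an indicator label for one event, or None if nothing matches."""
    kind = event.get("type")
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()  # basename only
    if kind == "network" and event.get("dst_port") == RMS_PORT and not event.get("internal"):
        return "rms_beacon_port_5655"
    if kind == "process" and image in RMS_PROCESSES:
        return "rms_process_name"
    if kind == "mutex" and event.get("name") == RMS_MUTEX:
        return "rms_mutex"
    if kind == "registry":
        key = event.get("key", "").lower()
        if key.startswith(RMS_REG_KEY):
            return "rms_registry_key"
        if key.startswith(RUN_KEY) and image in RMS_PROCESSES:
            return "rms_run_key_persistence"  # Run-key persistence by an RMS binary
    return None


def scan(lines):
    """Return (host, label) pairs for flagged events on non-allowlisted hosts."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label and ev.get("host") not in APPROVED_RMS_HOSTS:
            hits.append((ev["host"], label))
    return hits


# Constructed sample telemetry (not real events); backslashes are doubled for JSON.
SAMPLE_EVENTS = [
    '{"host":"fin-pc-07","type":"network","image":"C:\\\\Temp\\\\svchost.exe","dst_port":5655,"internal":false}',
    '{"host":"fin-pc-07","type":"mutex","image":"C:\\\\Temp\\\\svchost.exe","name":"Global\\\\RMS_Mutex"}',
    '{"host":"fin-pc-07","type":"registry","image":"C:\\\\Temp\\\\rms_host.exe","key":"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\rms"}',
    '{"host":"admin-ws-01","type":"process","image":"C:\\\\Program Files\\\\RMS\\\\rms_host.exe"}',
]
```

Running `scan(SAMPLE_EVENTS)` flags the three events on fin-pc-07 (beacon, mutex, Run-key persistence) and ignores the sanctioned install on admin-ws-01; in production, feed it real Sysmon network, process, mutex and registry events and tune the allowlist.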