TA505 Abusing Legit Remote Admin Tool in String of Attacks When opened, the document would encourage the recipient to disable Microsoft Office's security features and try to eventually get them to download a copy of Remote Manipulator System (RMS), a legitimate remote administration tool from Russian software vendor TektonIT. By default, the tool, like most remote admin tools, is set up to alert users when it is being installed on a system, Hill says. Eli Salem, a security analyst at Cybereason, which is also scheduled to publish a report on TA505's activities this week, says the remote admin tool gives attackers the ability to do enormous damage. But TektonIT's RMS product also includes a feature that allows attackers to achieve the same control without having to set up a separate C2 server — which has made the software particularly popular among nonsophisticated attackers, Hill says. In fact, Cyberint has observed several other unsophisticated threat groups using RMS in attacks similar to the ones that TA505 has been executing because of how easy it is to abuse the remote admin tool.