
Cybersecurity researchers have revealed details of a new dual-vector attack campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software. The goal is to establish persistent remote access to the compromised hosts.
According to researchers at KnowBe4 Threat Labs, instead of deploying custom viruses, attackers are bypassing security perimeters by “weaponizing” necessary IT tools that administrators rely on. By stealing a system “master key,” they turn legitimate RMM software into a persistent backdoor.
Two Phase Attack Flow
The attack takes place in two different phases:
Phase 1: Credential Theft Through Phishing
The first phase of the attack is credential theft through phishing emails. The messages are disguised as invitations from a legitimate platform called Greenvelope. The goal is to trick recipients into clicking a malicious URL designed to harvest their Microsoft Outlook, Yahoo!, or AOL.com login credentials.
Phase 2: RMM Deployment and Persistence
Once the credentials are obtained, the attack moves to the next phase. The threat actor uses the compromised email account to register with LogMeIn, generating RMM access tokens. These tokens are deployed in a subsequent attack via an executable called “GreenVelopeCard.exe.”
This binary, signed with a valid certificate, contains a JSON configuration that acts as a conduit to silently install LogMeIn Resolve (formerly GoTo Resolve) and connect to an attacker-controlled URL without the victim’s knowledge.
Persistence Mechanisms
With the RMM tool now installed, attackers leverage remote access to modify the configuration of their service, allowing it to run with unrestricted access on Windows. To ensure persistence, the attack also sets hidden scheduled tasks that automatically relaunch the RMM program even if the user terminates it manually.
Mitigation Recommendations
To counter this threat, organizations are advised to monitor unauthorized RMM installations and unusual usage patterns. This includes reviewing logs of software installation and use of remote access services.
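The persistence mechanism (a hidden scheduled task that relaunches the RMM agent) and the monitoring recommendation above both reduce to the same detection question: is an RMM binary appearing on a host where it was never sanctioned, and is something keeping it alive? The following is an added example, not code from the article or from KnowBe4 Threat Labs, that runs that logic over a constructed set of Windows event records shaped like Sysmon process-creation (Event ID 1) and Security scheduled-task-creation (Event ID 4698) events. The field names, the approved-RMM install path, the task name and the LogMeIn Resolve install path are assumptions for the example; the dropper name and product names come from the article.

```python
"""Flag unauthorized RMM activity and RMM-relaunching scheduled tasks in
Windows event records. Sample records and field names are constructed for
this example; the event schema is an assumption, not a product's exact format."""
import re
import xml.etree.ElementTree as ET

# Name fragments to look for: the dropper and RMM product from the article,
# plus "contosormm", a fictional RMM the organization has approved.
RMM_NAME = re.compile(r"logmein|goto\s*resolve|greenvelopecard|contosormm", re.I)
# Install locations the organization sanctions (constructed placeholder).
APPROVED_RMM_PATHS = ("c:\\program files\\contosormm\\",)
# Directories where a phishing-delivered dropper typically lands (assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\windows\\temp\\", re.I)
# Namespace used by Windows Task Scheduler XML, as logged in Event ID 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: one sanctioned agent, one dropper run from Downloads,
# one hidden logon-triggered task that relaunches the RMM agent.
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "CORP\\alice",
     "image": r"C:\Program Files\ContosoRMM\agent.exe",
     "command_line": "agent.exe --service"},
    {"event_id": 1, "user": "CORP\\alice",
     "image": r"C:\Users\alice\Downloads\GreenVelopeCard.exe",
     "command_line": r"C:\Users\alice\Downloads\GreenVelopeCard.exe"},
    {"event_id": 4698, "user": "CORP\\alice",
     "task_name": r"\Updater\ResolveKeepAlive",
     "task_content": (
         '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         '<Settings><Hidden>true</Hidden></Settings>'
         '<Triggers><LogonTrigger/></Triggers>'
         '<Actions><Exec><Command>C:\\Program Files (x86)\\GoTo\\GoTo Resolve\\resolve.exe'
         '</Command></Exec></Actions></Task>')},
]


def classify_process(ev):
    """Reasons a process-creation event looks like unsanctioned RMM use."""
    text = ev["image"] + " " + ev.get("command_line", "")
    if not RMM_NAME.search(text):
        return []
    # An RMM binary running from its sanctioned install directory is expected.
    if ev["image"].lower().startswith(APPROVED_RMM_PATHS):
        return []
    reasons = ["unapproved_rmm_or_dropper"]
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("launched_from_user_writable_path")
    return reasons


def classify_task(ev):
    """Reasons a scheduled-task-creation event looks like RMM persistence."""
    root = ET.fromstring(ev["task_content"])
    commands = [c.text or "" for c in root.findall(".//t:Exec/t:Command", TASK_NS)]
    if not any(RMM_NAME.search(c) for c in commands):
        return []
    reasons = ["task_relaunches_rmm"]
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        reasons.append("task_hidden")
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        reasons.append("task_runs_at_logon")
    return reasons


def find_rmm_abuse(events):
    """Return one finding per event that matches either detection."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1:
            reasons = classify_process(ev)
        elif ev["event_id"] == 4698:
            reasons = classify_task(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"user": ev["user"], "event_id": ev["event_id"],
                             "subject": ev.get("image") or ev.get("task_name"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rmm_abuse(SAMPLE_EVENTS):
        print(f["event_id"], f["user"], f["subject"], ", ".join(f["reasons"]))
```

The allowlist is the important design choice: RMM tools are legitimate software, so matching on product name alone produces noise on every managed endpoint. Keying on the sanctioned install path (or, better, on a signed-binary hash inventory) turns the same match into "RMM where it should not be", and the scheduled-task check catches the relaunch mechanism even after the original dropper is gone.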
Source: See more at Comfidentia