Threat actors are targeting legitimate remote monitoring and management (RMM) software with phishing attacks. The new joint federal alert was prompted by a successful hack against two federal civilian executive branch networks tied to malicious typo-squatting activity.
If exploited by a threat actor, legitimate RMM software can serve as a backdoor for both command and control and persistence on a victim’s network.
The FCEB compromise was uncovered by the Cybersecurity and Infrastructure Security Agency (CISA) in October, during a third-party retrospective analysis of EINSTEIN, a federal civilian executive branch (FCEB)-wide intrusion detection system operated and monitored by CISA. The analysis found suspected malicious activity on two FCEB networks.
The first instance was observed in mid-June, when threat actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee then “called the number, which led them to visit the malicious domain, myhelpcare[.]online.”
In September, CISA uncovered bi-directional traffic between an FCEB network and myhelpcare[.]cc. A deeper EINSTEIN analysis and incident response support found “related activity on many other FCEB networks.”
The FCEB intrusion led to the discovery that the cybercriminals behind the campaign had been sending help desk-themed phishing emails to both the personal and government email addresses of FCEB federal employees.
The current, widespread campaign uses phishing emails to trick users into downloading legitimate RMM software, according to the joint CISA, National Security Agency, and Multi-State Information Sharing and Analysis Center (MS-ISAC) alert.
“Threat actors often target legitimate users of RMM software,” including managed service providers (MSPs) and IT help desks, “that often use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions,” according to the alert.
They aim to “exploit trust relationships in MSP networks and gain access to a large number of the victim MSP's customers,” the alert added. “MSP compromises can introduce significant risk — such as ransomware and cyber espionage — to the MSP’s customers.”
The malicious emails contain either a link to “first-stage” malicious domains or prompt recipients to call the actors, who then attempt to trick recipients into visiting the first-stage malicious domain. When the victim visits the nefarious domain, an executable is triggered for download and connects to a “second-stage” malicious domain, then downloads additional RMM software.
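The first-stage and second-stage domains described above are the network-side signal a defender can hunt for. The following script is an added example, not code from the alert or the article: it refangs the two defanged domains the article names, scans a constructed set of proxy log lines for traffic to those domains (or their subdomains), flags executable downloads from them, and applies a simple lookalike heuristic for the brand names the article says the campaign impersonates. The log format, the brand keyword watchlist and the allowlist of legitimate brand domains are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged first-stage domains named in the article; refang() makes them matchable.
DEFANGED_IOCS = ["myhelpcare[.]online", "myhelpcare[.]cc"]

# Constructed brand watchlist, drawn from the brands the article says the campaign mimics.
BRAND_KEYWORDS = ["amazon", "microsoft", "geeksquad", "mcafee", "norton", "paypal"]
# Constructed allowlist: a host under one of these registered domains is the real brand, not a lookalike.
BRAND_ALLOWLIST = ["amazon.com", "microsoft.com", "geeksquad.com", "mcafee.com", "norton.com", "paypal.com"]

# Constructed proxy log lines (not real telemetry): "<timestamp> <src_ip> <method> <url> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
2023-06-14T13:02:11Z 10.20.30.41 GET http://www.example.com/index.html 200 5120
2023-06-14T13:05:47Z 10.20.30.41 GET http://myhelpcare.online/support 200 8421
2023-06-14T13:05:52Z 10.20.30.41 GET http://cdn.myhelpcare.online/WinDesk.Client.exe 200 2891776
2023-06-14T13:06:30Z 10.20.30.41 POST http://myhelpcare.cc/api/session 200 312
2023-06-14T13:10:02Z 10.20.30.77 GET https://amazon-refund-helpdesk.example/login 200 1903
2023-06-14T13:11:09Z 10.20.30.77 GET https://www.microsoft.com/en-us/ 200 44012
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (myhelpcare[.]cc, hxxp://) back into a plain lowercase domain."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http").strip("/")


def in_domain(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_brand_lookalike(host: str) -> bool:
    """Heuristic: a brand keyword appears in the host, but the host is not under the brand's real domain."""
    if in_domain(host, BRAND_ALLOWLIST):
        return False
    squashed = re.sub(r"[^a-z0-9]", "", host.lower())  # ignore hyphens and dots: "amazon-help" -> "amazonhelp"
    return any(keyword in squashed for keyword in BRAND_KEYWORDS)


def scan_proxy_log(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return one finding per log line that touches a known or suspected first/second-stage domain."""
    iocs = [refang(i) for i in defanged_iocs]
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line; a production parser would count these
        parts = urlsplit(match["url"])
        host = parts.hostname or ""
        reasons = []
        if in_domain(host, iocs):
            reasons.append("known first/second-stage domain")
        elif is_brand_lookalike(host):
            reasons.append("brand lookalike domain")
        if reasons and parts.path.lower().endswith(".exe"):
            reasons.append("executable download from flagged domain")
        if reasons:
            findings.append({"ts": match["ts"], "src": match["src"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{finding['ts']} {finding['src']} -> {finding['host']}: {', '.join(finding['reasons'])}")
```

Matching on subdomains matters because the alert describes a first-stage domain handing off to a download and then a second-stage domain; a host such as `cdn.myhelpcare.online` would be missed by an exact-string comparison. The lookalike heuristic is deliberately loose and is meant as a triage feed, not a blocking rule.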
In the activity discovered by CISA, the actors were running a refund scam to steal money from victims’ bank accounts through ScreenConnect (also known as ConnectWise Control) and AnyDesk.
What’s more, the threat actors don’t install the downloaded RMM clients on the compromised host. Instead, they use “AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.” These portable executables run in the user’s context and require neither installation nor administrator privileges.
Notably, “using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation — effectively bypassing common software controls and risk management assumptions.”
As such, unapproved software can be executed “even if a risk management control may be in place to audit or block the same software’s installation on the network,” the alert warns. “Actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.”
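Because a portable RMM executable never goes through an installer, controls that audit or block installation see nothing; the place to catch it is process-creation telemetry. The script below is an added example, not code from the alert or the article. It classifies constructed Sysmon-style process-creation events and flags RMM binaries that run from user-writable directories instead of an install root, that belong to a product the organization has not approved, or that were launched directly by a browser or mail client. The list of RMM image names (the ScreenConnect client file names in particular), the approved-product set, the install roots and the sample events are all assumptions; populate them from your own RMM inventory. `WinDesk.Client.exe` is the file name the article reports from Silent Push’s research.

```python
import ntpath

# Process image names mapped to the RMM product they belong to. AnyDesk.exe is the
# AnyDesk client; the ScreenConnect client names and the WinDesk entry are assumed
# values for this example and should come from your own inventory.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "windesk.client.exe": "WinDesk",
}

# Hypothetical organization policy: only ScreenConnect is sanctioned, and a sanctioned
# install is expected under one of these roots.
APPROVED_RMM = {"ScreenConnect"}
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Path fragments a standard user can write to. An RMM binary here was dropped, not installed.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")

# Parents that indicate "downloaded and double-clicked" rather than a service start.
BROWSER_OR_MAIL_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed process-creation events in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": "CORP\\jdoe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\WinDesk.Client.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
]


def classify_event(event):
    """Return a finding dict for a suspicious RMM process, or None if the event is not of interest."""
    image = event["Image"]
    product = RMM_IMAGES.get(ntpath.basename(image).lower())
    if product is None:
        return None  # not an RMM binary we track
    path = image.lower()
    reasons = []
    if not path.startswith(INSTALL_ROOTS):
        reasons.append("RMM binary outside install roots")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("running from user-writable directory (portable executable)")
    if product not in APPROVED_RMM:
        reasons.append(f"{product} is not an approved RMM product")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in BROWSER_OR_MAIL_PARENTS:
        reasons.append(f"launched by {parent}")
    if not reasons:
        return None  # approved product, installed where expected, started by the service manager
    # A portable copy in a user-writable path is the pattern the alert describes, so rank it highest.
    severity = "high" if any("portable" in r for r in reasons) else "medium"
    return {"product": product, "user": event["User"], "image": image,
            "severity": severity, "reasons": reasons}


def scan_events(events):
    """Classify every event and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['user']} ran {finding['image']}: {'; '.join(finding['reasons'])}")
```

Note that the rule does not depend on the process running with administrator rights: the whole point of the portable-executable tradecraft is that it works as a standard user, so a detection keyed on privilege escalation would miss it. The installed-but-unapproved AnyDesk case is reported at lower severity so that a legitimate but unsanctioned installation still surfaces for review.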
The campaign is financially motivated and could lead to further malicious activity, such as the sale of victims’ account access to other cybercriminal or advanced persistent threat actors.
CISA has even detected some phishing attacks’ first-stage malicious domain links periodically redirecting users to other sites for further redirects and downloads of RMM software. Once a user has downloaded the RMM software, the actors use the software to launch a refund scam that initiates a connection to the victim’s system and manipulates the user to log into their bank account while connected to the system.
The threat actors’ RMM access can allow them to modify the user’s bank account summary to appear as if they were “mistakenly refunded an excess amount of money.” The actors then instructed the recipient to “refund” this excess amount to the scam operator.
Silent Push’s Threat Intelligence Team uncovered the typosquatting activity in October when searching for PayPal typosquatting domains. The researchers found an entire threat “network masquerading as numerous global brand names and infecting machines with a malicious file disguised as a remote monitoring tool - WinDesk.Client.exe.”
The large trojan operation mimics Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal domains.
All organizations are strongly encouraged to review the provided indicators of compromise and recommended mitigations to protect against the malicious use of legitimate RMM software. The alert contains observed first-stage domain naming patterns and other tactics used by these threat actors.