Key Takeaways
- Cybersecurity researchers have discovered a new dual-vector campaign that uses stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts.
- The attack involves two distinct waves: stealing victim credentials through fake invitation notifications and leveraging those credentials to deploy RMM tools.
- The threat actors use fake emails disguised as invitations from a legitimate platform to trick recipients into clicking on a phishing URL and harvesting their login information.
- Organizations can counter the threat by monitoring for unauthorized RMM installations and usage patterns.
Introduction to the Threat
Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. This type of attack is particularly concerning, as it bypasses traditional security perimeters by using trusted IT tools to gain access to systems. According to KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke, "Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust." By stealing a "skeleton key" to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor.
The Attack Unfolds
The attack unfolds in two distinct waves: the threat actors first use fake invitation notifications to steal victim credentials, then use those pilfered credentials to deploy RMM tools and establish persistent access. The bogus emails are disguised as an invitation from a legitimate platform called Greenvelope and aim to trick recipients into clicking on a phishing URL designed to harvest their Microsoft Outlook, Yahoo!, and AOL.com login information. Once this information is obtained, the attack moves to the next phase: the threat actor registers with LogMeIn using the compromised email to generate RMM access tokens, which are then deployed in a follow-on attack through an executable named "GreenVelopeCard.exe" to establish persistent remote access to victim systems.
Establishing Persistent Access
The binary, signed with a valid certificate, contains a JSON configuration that acts as a conduit to silently install LogMeIn Resolve (formerly GoTo Resolve) and connect to an attacker-controlled URL without the victim’s knowledge. With the RMM tool now deployed, the threat actors weaponize the remote access to alter its service settings so that it runs with unrestricted access on Windows. The attack also establishes hidden scheduled tasks to automatically launch the RMM program even if it’s manually terminated by the user. This allows the threat actors to maintain persistent access to the compromised system, even if the user attempts to remove the malware.
Countering the Threat
To counter the threat, it’s advised that organizations monitor for unauthorized RMM installations and usage patterns, since the tooling itself is legitimate and signed and will not be caught by signature-based defenses alone. Organizations should also implement complementary security measures, such as multi-factor authentication (which limits what a stolen password alone can achieve) and regular security audits. Additionally, organizations should educate their employees on the risks of phishing attacks and the importance of verifying the authenticity of emails before clicking on links or providing sensitive information. By taking these steps, organizations can reduce the risk of falling victim to this type of attack and protect their systems from unauthorized access.
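The monitoring the article recommends, and the persistence tricks it describes (an RMM agent dropped by a user-launched executable, installed as a service, and relaunched by a hidden scheduled task), can be turned into concrete detection rules. The following is an added example written for this article; it is not code from KnowBe4 or LogMeIn. It runs a small rule set over constructed, Sysmon-style endpoint events and escalates a host to critical when both an unauthorized install and a persistence mechanism appear. The hostnames, file paths, task names, the RMM marker list beyond LogMeIn Resolve / GoTo Resolve, and the approved-host allowlist are all assumptions made for the example.

```python
"""Detection logic for unauthorized RMM installs and RMM persistence.

Added example for this article; not KnowBe4 or LogMeIn code. It applies a
small rule set to constructed endpoint events (Sysmon-style process, service
and scheduled-task records) and returns alerts. Hostnames, paths, task names
and the allowlist are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Substrings that identify RMM products. "LogMeIn Resolve"/"GoTo Resolve" come from
# the article; the others are common RMM tools, listed here as assumptions.
RMM_MARKERS = ("logmein", "goto resolve", "gotoresolve", "anydesk", "teamviewer",
               "screenconnect")

# Hosts where an RMM agent is sanctioned (assumed; maintain from the IT inventory).
APPROVED_RMM_HOSTS = {"it-admin-01"}

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass
class Event:
    host: str
    kind: str            # "process", "service" or "task"
    user: str
    detail: dict = field(default_factory=dict)


def mentions_rmm(text: str) -> bool:
    """True when any RMM marker appears in the text (case-insensitive)."""
    low = text.lower()
    return any(marker in low for marker in RMM_MARKERS)


def check_event(ev: Event) -> list:
    """Apply the per-event rules; returns a list of alert dicts."""
    alerts = []
    approved = ev.host in APPROVED_RMM_HOSTS
    if ev.kind == "service":
        # A new service whose name or binary is an RMM agent, on a host with no
        # sanctioned RMM use, is the clearest sign of an unauthorized install.
        target = ev.detail.get("name", "") + " " + ev.detail.get("image", "")
        if mentions_rmm(target) and not approved:
            alerts.append({"host": ev.host, "rule": "unauthorized_rmm_service",
                           "severity": "high", "evidence": ev.detail.get("name", "")})
    elif ev.kind == "process":
        # An RMM binary launched by an arbitrary user-mode executable rather than
        # the vendor's own components matches the dropper chain in the article.
        image = ev.detail.get("image", "")
        parent = ev.detail.get("parent_image", "")
        if mentions_rmm(image) and parent and not mentions_rmm(parent) and not approved:
            alerts.append({"host": ev.host, "rule": "rmm_spawned_by_dropper",
                           "severity": "high", "evidence": parent})
    elif ev.kind == "task":
        # Vendor installers register a service; a scheduled task whose action
        # relaunches an RMM binary is the persistence trick the article describes.
        if mentions_rmm(ev.detail.get("action", "")):
            alerts.append({"host": ev.host, "rule": "rmm_scheduled_task_persistence",
                           "severity": "high", "evidence": ev.detail.get("name", "")})
    return alerts


def analyze(events: list) -> list:
    """Run every event through the rules; hosts showing both an unauthorized
    install and a persistence mechanism have their alerts raised to critical."""
    alerts = [a for ev in events for a in check_event(ev)]
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    for a in alerts:
        rules = rules_by_host[a["host"]]
        if "rmm_scheduled_task_persistence" in rules and (
                rules & {"unauthorized_rmm_service", "rmm_spawned_by_dropper"}):
            a["severity"] = "critical"
    return alerts


def worst_severity_by_host(alerts: list) -> dict:
    """Map host -> highest severity seen, for triage ordering."""
    worst = {}
    for a in alerts:
        cur = worst.get(a["host"])
        if cur is None or SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[cur]:
            worst[a["host"]] = a["severity"]
    return worst


# Constructed sample telemetry (not real data). ws-042 mirrors the article's chain:
# the GreenVelopeCard.exe dropper installs LogMeIn Resolve and adds a relaunch task.
SAMPLE_EVENTS = [
    Event("ws-042", "process", "alice", {
        "image": r"C:\Users\alice\Downloads\GreenVelopeCard.exe",
        "parent_image": r"C:\Windows\explorer.exe"}),
    Event("ws-042", "process", "alice", {
        "image": r"C:\ProgramData\LogMeIn Resolve\agent.exe",      # assumed path
        "parent_image": r"C:\Users\alice\Downloads\GreenVelopeCard.exe"}),
    Event("ws-042", "service", "SYSTEM", {
        "name": "LogMeIn Resolve Agent",
        "image": r"C:\ProgramData\LogMeIn Resolve\agent.exe"}),
    Event("ws-042", "task", "SYSTEM", {
        "name": "SystemUpdateCheck",                                  # assumed task name
        "action": r"C:\ProgramData\LogMeIn Resolve\agent.exe"}),
    # Sanctioned RMM on the IT admin workstation: no alert expected.
    Event("it-admin-01", "service", "SYSTEM", {
        "name": "LogMeIn Resolve Agent",
        "image": r"C:\Program Files\LogMeIn Resolve\agent.exe"}),
    # Ordinary scheduled task on another host: no alert expected.
    Event("ws-007", "task", "bob", {"name": "Backup", "action": r"C:\Tools\backup.exe"}),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
    print(worst_severity_by_host(analyze(SAMPLE_EVENTS)))
```

The allowlist is what keeps this usable: the tool is legitimate, so the signal is not "an RMM agent exists" but "an RMM agent exists where IT never sanctioned one", and the scheduled-task rule fires regardless of host because a relaunch task is not how the vendor's own installer persists.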
Conclusion
The discovery of this new dual-vector campaign highlights the evolving nature of cyber threats and the need for organizations to stay vigilant in their security efforts. By leveraging stolen credentials and legitimate RMM software, threat actors can gain persistent access to compromised systems, making it essential for organizations to monitor for unauthorized RMM installations and usage patterns. As the threat landscape continues to evolve, it’s crucial for organizations to prioritize cybersecurity and implement robust security measures to protect their systems and data from these types of attacks. By doing so, organizations can reduce the risk of falling victim to cyber attacks and maintain the security and integrity of their systems.