Hackers Want Victims To Install RMM Software – Here’s Why

Published on Sep 18, 2025
Written by Joel Witts

Threat hunters at Red Canary have warned that cybercriminals are tricking victims into installing popular Remote Monitoring and Management (RMM) tools as part of phishing campaigns.

RMM tools are used by IT professionals to manage corporate devices. They enable remote access, system monitoring, and application control.

When deployed by cybercriminals, they serve as a springboard to install malware, steal data, or take over high-value admin accounts.

RMM software is unlikely to be flagged by Endpoint Detection and Response (EDR) or endpoint protection products on its own, because the binary is a legitimate, commercially distributed tool. Attackers abuse it rather than exploit a flaw in it.

“Adversaries often use RMM tools in a stealthy and effective way to retain control over compromised systems without raising immediate alarms,” Red Canary threat researchers said.

“Hands-on-keyboard actions allow the adversary to modify their behaviors so they blend in with day-to-day administrator activity, complicating detection.”

What to watch out for

Red Canary threat researchers identified four common phishing lures that persuade victims to install an attacker-controlled RMM agent on their own system.

  • Fake browser updates: A user visits a fake web page (often a compromised sports page) and is asked to update Chrome, which begins an RMM download. 
  • Meeting invitations: A target is sent a fake Zoom or Teams invite, with a link to download or update the meeting app. The download redirects to an RMM tool.
  • Party invitations: An e-invite tricks users to download an app to view a personalized invitation.
  • Fake government forms: A user is sent a message impersonating a government service, asking them to download a form to fill out. The download delivers the RMM installer.

The specific RMM tool supplied varied throughout these campaigns, including ITarian, PDQ, SimpleHelp, and Atera.

Some of the campaigns were observed installing two different RMM tools on the target system at once, so that a user who notices and removes one is unlikely to find and remove the other.

“Key indicators of malicious activity often include changing the filename, downloading and running the tool from a non-standard directory, downloading an RMM installer from a domain not connected to the RMM product, or initiating suspicious network connections,” Red Canary said.

Why this matters

Hackers have long used RMM and remote access tools in phishing and social engineering attacks.

These threats show no sign of stopping, and organizations must put robust controls in place to protect their users and data.

Tech support scams, in which hackers impersonate computer support professionals and trick users into installing a remote access tool, have been observed frequently over the years.

In January 2023, CISA issued advisory AA23-025A warning network defenders about the malicious use of RMM software, after a widespread campaign was observed in October 2022.

“Specifically, cybercriminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts,” CISA wrote.

“Given the relative ease with which realistic looking phishing emails and websites can be created, it is vital for organizations to implement security controls and detection capabilities,” Red Canary says.

“Implementing network controls like browser isolation or monitoring for suspicious newly registered domains can help identify and contain these compromises at their earliest stages.”

The team also recommends investing in endpoint detection and response, monitoring execution of all known RMM tools, keeping an approved-tools list so that any other RMM agent stands out, and watching for suspicious and newly registered domains.
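The indicators Red Canary lists above (renamed binaries, non-standard directories, installers fetched from a domain unrelated to the vendor, suspicious connections) and the approved-tools list recommended here combine naturally into one hunt over process telemetry. The following Python is an added example, not Red Canary's or CISA's detection logic: the RMM catalog, its install directories and vendor domains, the approved-tools list, and the sample events are all constructed assumptions, to be replaced with your own inventory and EDR data. It also flags the case described earlier where two RMM tools land on the same host.

```python
"""Hunt for attacker-delivered RMM agents in process telemetry (added example).
Not Red Canary's or CISA's logic; catalog, allowlist and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
import ntpath

# Constructed catalog (assumption, not vendor documentation), keyed by the PE
# OriginalFileName, which survives the on-disk rename the lures rely on.
# Install directories match by prefix so a per-install suffix still passes.
RMM_CATALOG = {
    "screenconnect.clientservice.exe": {
        "product": "ScreenConnect",
        "vendor_domains": ("screenconnect.com", "connectwise.com"),
        "install_dirs": (r"c:\program files (x86)\screenconnect client",),
    },
    "anydesk.exe": {
        "product": "AnyDesk",
        "vendor_domains": ("anydesk.com",),
        "install_dirs": (r"c:\program files (x86)\anydesk", r"c:\program files\anydesk"),
    },
    "ateraagent.exe": {
        "product": "Atera",
        "vendor_domains": ("atera.com",),
        "install_dirs": (r"c:\program files\atera networks\ateraagent",),
    },
}
# Constructed approved-tools list: what IT deploys, plus the self-hosted relay
# it is expected to talk to instead of the vendor cloud.
APPROVED = {"ScreenConnect": {"extra_domains": ("support.example.internal",)}}

@dataclass
class ProcessEvent:
    host: str
    image_path: str         # executable path as launched
    original_filename: str  # PE OriginalFileName, e.g. from Sysmon event 1
    download_url: str       # installer source if known, else ""
    remote_hosts: tuple     # hostnames the process connected to

@dataclass
class Finding:
    host: str
    product: str
    reasons: list

def _under(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(ev: ProcessEvent) -> Optional[Finding]:
    """Apply the four indicators plus the allowlist to one process event."""
    meta = RMM_CATALOG.get(ev.original_filename.lower())
    if meta is None:
        return None  # not a known RMM binary; out of scope for this check
    product = meta["product"]
    expected = meta["vendor_domains"] + APPROVED.get(product, {}).get("extra_domains", ())
    reasons = []
    if product not in APPROVED:
        reasons.append("not on the approved RMM list")
    on_disk = ntpath.basename(ev.image_path)
    if on_disk.lower() != ev.original_filename.lower():
        reasons.append(f"renamed binary ({on_disk})")
    if not ntpath.dirname(ev.image_path).lower().startswith(meta["install_dirs"]):
        reasons.append("running from a non-standard directory")
    if ev.download_url:
        src = urlparse(ev.download_url).hostname or ""
        if not _under(src, expected):
            reasons.append(f"installer fetched from unrelated domain {src}")
    odd = [h for h in ev.remote_hosts if not _under(h, expected)]
    if odd:
        reasons.append("connections to " + ", ".join(odd))
    return Finding(ev.host, product, reasons) if reasons else None

def hunt(events) -> list:
    """Per-event findings, plus a host-level finding when RMM tools are stacked."""
    findings = [f for f in map(assess, events) if f]
    per_host = defaultdict(set)
    for ev in events:
        meta = RMM_CATALOG.get(ev.original_filename.lower())
        if meta:
            per_host[ev.host].add(meta["product"])
    for host, products in sorted(per_host.items()):
        if len(products) > 1:
            findings.append(Finding(host, "/".join(sorted(products)),
                                    ["more than one RMM tool seen on this host"]))
    return findings

# Constructed sample telemetry: one IT-deployed agent, then a "Chrome update"
# lure that dropped two RMM tools on the same workstation.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
                 "ScreenConnect.ClientService.exe",
                 "https://support.example.internal/Bin/ScreenConnect.ClientSetup.exe",
                 ("support.example.internal",)),
    ProcessEvent("ws-02", r"C:\Users\alice\AppData\Local\Temp\ChromeUpdate.exe", "AnyDesk.exe",
                 "https://chrome-update-center.example/ChromeUpdate.exe", ("relay-7.example.net",)),
    ProcessEvent("ws-02", r"C:\Users\alice\Downloads\AteraAgent.exe", "AteraAgent.exe",
                 "https://chrome-update-center.example/AteraAgent.exe", ("agent-api.atera.com",)),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.product}: " + "; ".join(f.reasons))
```

Keying on the PE OriginalFileName rather than the on-disk name is what makes the "renamed binary" indicator work: the lure can call the file ChromeUpdate.exe, but the version resource still says AnyDesk.exe. The approved-tools entry carries the relay domains IT expects, so a self-hosted ScreenConnect instance is not flagged for talking to its own server while the same product fetched from a lookalike site still is.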