Remote Monitoring & Management software used in phishing attacks | Malwarebytes

RMM software like AnyDesk, Atera, and Splashtop can be abused by criminals to infiltrate networks through social engineering and phishing. Attackers lure employees to download remote desktop software disguised as a benign live chat app, gaining control of the victim’s machine; ThreatDown provides blocking measures to mitigate such misuse. #AnyDesk #ThreatDown #Barclays #BankOfIreland #Santander #RMM

Keypoints

  • RMM tools are attractive to criminals because they provide legitimate-looking remote access into networks.
  • Phishing emails and smishing are used to direct employees to download remote desktop software disguised as a live chat application.
  • Some phishing domains mimic financial institutions and host references to remote-access software to deceive victims.
  • The downloaded software is a legitimate (though outdated) AnyDesk executable, so it is not flagged as malicious by typical malware detection.
  • Once run, the software can display a code that lets an attacker gain remote control of the machine.
  • Threat actors register phishing domains for several financial institutions and leverage multiple RMM tools; the anti-remote-control features some banks have built into their software are an obstacle attackers must work around.

MITRE Techniques

  • [T1204] User Execution – Attackers rely on users downloading and running remote desktop software that’s disguised as a benign tool. ‘Users are directed to newly registered websites that mimic their financial institution. In order to get support, they need to download remote desktop software disguised as a ‘live chat application’.’
  • [T1566] Phishing – Phishing emails or smishing lure recipients to phishing pages and prompt downloading remote access software masked as legitimate help tools. ‘Attackers could trick them by sending them to a typical phishing page or making them download malware…’
  • [T1021] Remote Services – Attackers gain control of the machine via remote desktop tools like AnyDesk after the user runs the program. ‘This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user.’
  • [T1036] Masquerading – The use of a legitimate (though outdated) AnyDesk executable to avoid detection. ‘the downloaded software is not malware. For example, in this instance they are using a legitimate (although outdated) AnyDesk executable which would not be detected as malicious by security products.’
  • [T1583] Acquire Infrastructure – Threat actors register phishing domains to host these attack pages targeted at financial institutions. ‘Threat actors have registered phishing domains for different financial institutions…’

Indicators of Compromise

  • [Domain] Phishing domains – uk-barclaysliveteam[.]com, barclaysbusinesslivechat[.]com, boi-bb-onlineservice[.]com, santanderbusiness-helpcentre[.]com
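The domains above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a matching rule. As an added example (not code from the Malwarebytes post or ThreatDown), the script below refangs the listed domains and scans constructed DNS resolver log lines for exact or subdomain matches. The log format (`client=... query=...`) and the sample lines are assumptions made for the demonstration.

```python
import re
from typing import Iterable

# Defanged phishing domains as listed in the Indicators of Compromise above.
DEFANGED_DOMAINS = [
    "uk-barclaysliveteam[.]com",
    "barclaysbusinesslivechat[.]com",
    "boi-bb-onlineservice[.]com",
    "santanderbusiness-helpcentre[.]com",
]

# Constructed sample resolver log lines (hypothetical format, not real traffic).
# Line 4 is a deliberate near-miss: a longer name that merely ends with an IoC
# string must NOT match, so naive substring matching would produce a false positive.
SAMPLE_DNS_LOG = [
    "2024-02-14T09:12:01Z client=10.1.4.23 query=www.uk-barclaysliveteam.com. type=A",
    "2024-02-14T09:12:05Z client=10.1.4.23 query=download.anydesk.com. type=A",
    "2024-02-14T09:13:44Z client=10.1.7.8 query=santanderbusiness-helpcentre.com. type=A",
    "2024-02-14T09:14:02Z client=10.1.9.2 query=notbarclaysbusinesslivechat.com. type=A",
    "2024-02-14T09:15:10Z client=10.1.2.5 query=mail.example.org. type=A",
]

# Assumed log layout: whitespace-separated key=value fields.
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('example[.]com', 'hxxps://') back to a matchable form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    # hxxp:// and hxxps:// are common defanged scheme prefixes.
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def domain_matches(observed: str, ioc_domain: str) -> bool:
    """True if the observed name is the IoC domain itself or a subdomain of it.

    The label boundary check ('.' + ioc) avoids matching unrelated names that
    happen to end with the IoC string.
    """
    observed = observed.lower().rstrip(".")  # drop DNS trailing root dot
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


def scan_dns_log(lines: Iterable[str], iocs: Iterable[str]) -> list[dict]:
    """Return one hit per log line whose queried name matches any refanged IoC."""
    refanged = [refang(d) for d in iocs]
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        for ioc in refanged:
            if domain_matches(qname, ioc):
                hits.append({
                    "client": m.group("client"),
                    "qname": qname.lower().rstrip("."),
                    "ioc": ioc,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"{hit['client']} resolved {hit['qname']} (IoC: {hit['ioc']})")
```

Two of the five constructed lines match (the `www.` subdomain of one IoC and an exact hit on another); the `notbarclaysbusinesslivechat.com` line does not, which is the point of the label-boundary check. Note the lookup to `download.anydesk.com` is not a hit: the page stresses that the payload is a genuine AnyDesk build, so domain IoCs only catch the phishing infrastructure, and a separate control (for example, alerting on AnyDesk or other RMM executables launched by users who have no business need for them) is needed to catch the tool itself.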

Read more: https://www.malwarebytes.com/blog/news/2024/02/remote-monitoring-management-software-used-in-phishing-attacks