The article analyzes CAMO (Commercial Applications, Malicious Operations), a trend where threat actors abuse legitimate IT tools to conduct malicious operations and evade detection, with ReliaQuest promoting GreyMatter Hunt to baseline assets and spot misuse. It highlights tools like PDQ Deploy, AnyDesk, and SoftPerfect as commonly abused, and recommends countermeasures such as application whitelisting and network segmentation. #CAMO #GreyMatterHunt #PDQDeploy #AnyDesk #SoftPerfect #Medusa #BlackBasta #CozyBear
Keypoints
- CAMO describes attackers abusing legitimate IT tools to bypass security and complicate investigations.
- ReliaQuest recommends GreyMatter Hunt to baseline tools and detect malicious usage.
- Common CAMO tools include remote monitoring/management software, software deployment tools, and network scanners.
- Case studies show CAMO-enabled ransomware activity (e.g., Medusa using PDQ Deploy; Total Software Deployment enabling lateral movement).
- Social engineering and trust in legitimate tools help attackers deceive users and avoid detections (e.g., Black Basta using AnyDesk).
- Mitigations include network segmentation and application whitelisting to restrict the use of CAMO tools.
- The threat landscape suggests CAMO will persist, with both financially motivated groups and some nation-state actors folding legitimate tools and administrative behaviors into their operations.
MITRE Techniques
- [T1059.001] PowerShell – PDQ Deploy can execute files such as PowerShell scripts, batch files, and executables. Quote: “PDQ Deploy can also execute files such as PowerShell scripts, batch files, and executables.”
- [T1003] OS Credential Dumping – Threat actors obtain credentials from OS memory, cache, or databases. Quote: “obtaining additional credentials through either cleartext or hashed passwords from OS memory, cache, or databases, a technique known as credential dumping.”
- [T1021.002] SMB/Windows Admin Shares and [T1047] Windows Management Instrumentation – PsExec and WMIC used to spread and execute ransomware encryptors. Quote: “Windows operating system utilities like PSExec and WMIC to spread and execute ransomware encryptors.”
- [T1036] Masquerading – Renaming the Restic backup tool to winupdate.exe to evade detection. Quote: “renamed it as ‘winupdate.exe’.”
- [T1046] Network Service Discovery – SoftPerfect network scanner to identify ports, services, and file shares. Quote: “The SoftPerfect network scanner can accomplish the same tasks as Nmap—including identifying ports, services, and file shares—without appearing to be malicious.”
- [T1567.002] Exfiltration to Cloud Storage – Data exfiltration via Mega cloud storage using Rclone. Quote: “‘Data exfiltration’ to steal data via a cloud account with the Mega storage platform.”
- [T1041] Exfiltration Over C2 Channel – Exfiltration of data to an attacker-controlled server. Quote: “exfiltrate files to an attacker-controlled server.”
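Detection logic of the kind the baseline-and-hunt approach above implies, as an added example (this is not ReliaQuest's or GreyMatter Hunt's code). It runs over constructed Sysmon-style process-creation events, identifies CAMO tools by the OriginalFileName carried in the PE version resource (so a Restic binary renamed to winupdate.exe is still recognised), flags any tool running outside a constructed (host, user) baseline, and flags an rclone copy whose destination is a remote rather than a local path. The binary names assumed for Restic, Rclone and the SoftPerfect scanner, the technique mapping per tool, the baseline and the events are all assumptions made for the example.

```python
"""Hunting for CAMO tool misuse by baselining process-creation events.

Added example, not ReliaQuest's or GreyMatter Hunt's code. Event fields
mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, User,
Computer). Tool table, baseline and events are constructed samples.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str               # full path on disk
    original_file_name: str  # from the PE version resource; survives a rename
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    detail: str


# Tools the article names as commonly abused, keyed by the OriginalFileName in
# their version resource. Names for restic/rclone/netscan are assumptions.
CAMO_TOOLS = {
    "pdqdeploy.exe": ("PDQ Deploy", "T1072"),
    "anydesk.exe": ("AnyDesk", "T1219"),
    "netscan.exe": ("SoftPerfect Network Scanner", "T1046"),
    "rclone.exe": ("Rclone", "T1567.002"),
    "restic.exe": ("Restic", "T1567.002"),
}

# Constructed baseline: (host, user) pairs where each tool is expected.
# An empty set means the tool has no sanctioned use in this environment.
BASELINE = {
    "pdqdeploy.exe": {("PDQ-SRV01", "CORP\\pdqsvc")},
    "anydesk.exe": {("HELPDESK-01", "CORP\\helpdesk")},
    "restic.exe": {("SRV-BACKUP01", "CORP\\svc_backup")},
    "rclone.exe": set(),
    "netscan.exe": set(),
}

# rclone destination of the form remote:path; a drive letter such as D:\ has
# only one character before the colon and therefore does not match.
RCLONE_REMOTE = re.compile(r"^(?P<remote>[A-Za-z0-9_.-]{2,}):")


def identify_tool(ev: ProcEvent):
    """Return the CAMO key for this event, trusting OriginalFileName over the on-disk name."""
    for candidate in (ev.original_file_name, ntpath.basename(ev.image)):
        if candidate.lower() in CAMO_TOOLS:
            return candidate.lower()
    return None


def rclone_remote_destination(command_line: str):
    """For 'rclone copy|sync|move SRC DST', return DST's remote name, or None.

    Simple whitespace split: paths with spaces or global flags placed before
    the subcommand are not handled.
    """
    args = command_line.split()
    if len(args) < 4 or args[1].lower() not in {"copy", "sync", "move"}:
        return None
    m = RCLONE_REMOTE.match(args[3])
    return m.group("remote") if m else None


def hunt(events):
    """Apply the three rules to every event and return the findings in order."""
    findings = []
    for ev in events:
        tool = identify_tool(ev)
        if tool is None:
            continue
        name, technique = CAMO_TOOLS[tool]
        on_disk = ntpath.basename(ev.image).lower()
        if on_disk != tool:  # binary renamed on disk (masquerading)
            findings.append(Finding(ev.host, ev.user, "renamed-binary", "T1036",
                                    f"{name} running as {on_disk}"))
        if (ev.host, ev.user) not in BASELINE.get(tool, set()):
            findings.append(Finding(ev.host, ev.user, "outside-baseline", technique,
                                    f"{name} not baselined for this host/user"))
        if tool == "rclone.exe":
            remote = rclone_remote_destination(ev.command_line)
            if remote:
                findings.append(Finding(ev.host, ev.user, "rclone-to-remote", "T1567.002",
                                        f"rclone sending data to remote '{remote}'"))
    return findings


# Constructed events: one sanctioned PDQ Deploy run, one from a workstation,
# a renamed Restic, an rclone push to a remote, and benign noise.
SAMPLE_EVENTS = [
    ProcEvent("PDQ-SRV01", "CORP\\pdqsvc", r"C:\Program Files\PDQ Deploy\PDQDeploy.exe",
              "PDQDeploy.exe", r'"C:\Program Files\PDQ Deploy\PDQDeploy.exe"'),
    ProcEvent("WS-FIN-07", "CORP\\jdoe", r"C:\Users\jdoe\Downloads\PDQDeploy.exe",
              "PDQDeploy.exe", r"C:\Users\jdoe\Downloads\PDQDeploy.exe"),
    ProcEvent("WS-FIN-07", "CORP\\jdoe", r"C:\Windows\Temp\winupdate.exe",
              "restic.exe", r"C:\Windows\Temp\winupdate.exe backup D:\Finance"),
    ProcEvent("SRV-FS02", "CORP\\svc_backup", r"C:\Tools\rclone.exe", "rclone.exe",
              r"C:\Tools\rclone.exe copy D:\Shares mega:loot --transfers 8"),
    ProcEvent("WS-HR-03", "CORP\\hr.admin", r"C:\Windows\System32\notepad.exe",
              "NOTEPAD.EXE", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:<10} {f.user:<18} {f.rule:<17} {f.technique:<10} {f.detail}")
```

Keying on OriginalFileName rather than the on-disk name is what makes the winupdate.exe case detectable; in a real deployment the baseline would be generated from a quiet period of telemetry rather than hand-written, and rclone detection should also be paired with the network-level view (the remote name in a command line says nothing about which provider it resolves to).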
Indicators of Compromise
- [File] CAMO-related artifacts observed during incidents – !!!READ_ME_MEDUSA!!!.txt (Medusa ransom note), winupdate.exe (renamed Restic binary)
Read more: https://www.reliaquest.com/blog/camo-legit-software-threat