Case of Malware Distribution Exploiting LogMeIn and PDQ Connect

MITRE Techniques

• [T1071 ] Application Layer Protocol – PatoRAT communicates with C2 servers to exfiltrate information and receive commands (“contains the clientTag, mutex name, C&C server address list” and sends system info to C&C).
• [T1059 ] Command and Scripting Interpreter – Threat actors executed PowerShell commands through abused RMM tools to install PatoRAT (“the threat actor exploited LogMeIn to execute PowerShell commands and install PatoRAT”).
• [T1218 ] Signed Binary Proxy Execution – Use of legitimate RMM tools (LogMeIn Resolve, PDQ Connect) to execute malicious actions and bypass security controls (“LogMeIn Resolve … supports remote support … being exploited by various threat actors” to bypass detection).
• [T1566 ] Phishing (Drive-by Compromise variant) – Fake download pages masquerading as utility download sites delivered the RMM installer disguised as normal programs (“websites disguise themselves as the download page of free utilities such as Notepad++ and 7-Zip, but actually download the threat actor’s LogMeIn Resolve”).
• [T1078 ] Valid Accounts – Threat actors used LogMeIn CompanyId configurations to register and control legitimately installed RMM clients (“the “CompanyId” field is the ID of the administrator or threat actor who created the LogMeIn Resolve installation file”).
• [T1005 ] Data from Local System – PatoRAT collects local system information and steals browser credentials and other data (“send the following basic information about the system to the C&C server” and “Steal web browser credentials”).
• [T1083 ] File and Directory Discovery – PatoRAT gathers system and environment details (CPU, environment variables, computer name, volume serial) to build an infected system ID (“Infected System ID (Combination of information such as CPU, environment variables, computer name, and volume serial number)”).