Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice

Threat actors are increasingly using legitimate Remote Monitoring and Management (RMM) tools as the first-stage payload in email campaigns, with follow-on activity that includes data theft and ransomware deployment. The rise of RMM tools coincides with a decline in the traditional loaders and botnets used by initial access brokers. Affected: email campaigns, cybercriminal sector, RMM tools

Key points:

  • Increased use of legitimate RMM tools as a first-stage payload in email campaigns by threat actors.
  • RMM software can facilitate data collection, financial theft, and lateral movement within networks.
  • Notable rise in RMM tool usage observed in 2024, with tools such as ScreenConnect becoming more prominent.
  • Declining usage of traditional loaders and botnets by initial access brokers (IABs).
  • RMMs are commonly used in ransomware attacks as one stage of the overall attack chain.
  • TA583 and TA2725 are recent examples of threat actors using RMM tools for initial access.
  • Operation Endgame disrupted major botnets, contributing to the shift toward RMM tool usage.
  • Recommended best practices include restricting unauthorized RMM downloads and installations and training users to report suspicious activity.

MITRE Techniques:

  • Initial Access (T1071) – Threat actors use email campaigns to distribute RMM tools such as ScreenConnect.
  • Execution (T1203) – Users who run RMM installers delivered by phishing emails inadvertently grant the attacker remote access.
  • Credential Dumping (T1003) – Post-exploitation goals may include credential theft and account takeover.
  • Command and Control (T1071.001) – ScreenConnect is used to establish a command and control channel.

Indicators of Compromise:

  • URL hxxps://region-businesss-esignals.s3.us-east-1.amazonaws[.]com/region-businesss-esignals-46980.html (Email URL for TA583)
  • URL hxxps://ssastatementshelpcenter[.]de/top/ (Redirect URL for TA583)
  • Domain retireafter5m[.]co (ScreenConnect C2 for TA583)
  • IP Address 109[.]71[.]247[.]168 (Email sender IP for UAC-0050)
  • IP Address:Port 185[.]157[.]213[.]71:443 (NetSupport C2 for UAC-0050)

Full Story: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice