Securonix Threat Research Knowledge Sharing Series: On Detecting Real-world Attacks Involving RMM Behaviors Using Securonix

Securonix Threat Research analyzes how legitimate RMM tools (Atera, NetSupport, AnyDesk, Splashtop) are abused by threat actors to maintain stealthy command-and-control, persistence, and file transfers that lead to ransomware and data theft. The article outlines concrete artifacts and detection methods—service installs, specific process names, registry keys, network/DNS indicators, PowerShell loaders, and Sysmon/Windows event IDs—to hunt and detect these abuses. #Atera #NetSupport #AnyDesk #Splashtop #Hive #BlackCat #Royal #Konni #Seedworm

Keypoints

  • Adversaries abuse legitimate RMM tools (Atera, Splashtop, NetSupport, AnyDesk) to gain C2, persistence, file transfer, and remote control, often preceding ransomware deployments (Hive, BlackCat/ALPHV, Royal).
  • Atera installs to C:\Program Files (x86)\ATERA Networks with a service named “AteraAgent” running as NT AUTHORITY\SYSTEM and makes regular heartbeat connections to atera-agent-heartbeat-cus.servicebus.windows[.]net.
  • NetSupport commonly runs as Client32.exe (service name Client32) and has been delivered via heavily obfuscated PowerShell or JavaScript loaders; attackers have used it to transfer and execute renamed binaries and sideload malicious DLLs.
  • AnyDesk can be executed without installation (AnyDesk.exe) or installed as a service; network indicators include relay-*.net.anydesk[.]com and playanext[.]com (cloudfront redirects).
  • Detectable artifacts include service creation (Windows event 7045), process start (Windows 4688 / Sysmon 1), network connections (Windows 5156 / Sysmon 3, DNS Sysmon 22), image loads (Sysmon 7), file creates (Sysmon 11), and registry changes (Sysmon 13).
  • Securonix provides provisional detections and hunting queries keyed to process names, service names, registry paths, DNS hostnames, and specific command lines to quickly surface unauthorized RMM usage.

MITRE Techniques

  • [T1543] Create or Modify System Process – RMM agents install services for persistence: [‘service named “AteraAgent” which runs on startup as the “NT AUTHORITY\System” user.’]
  • [T1059.001] PowerShell – Delivery and execution via obfuscated PowerShell droppers/loaders: [‘installed using PowerShell dropper or loader malware to load and execute the NetSupport client payload.’]
  • [T1574.001] DLL Side-Loading – Attackers sideloaded a malicious DLL by hijacking the search order: [‘X64.exe was executed by the attackers which sideloaded dwmapi.dll using a search order hijacking technique.’]
  • [T1105] Ingress Tool Transfer – RMM file-transfer capabilities were used to drop ransomware and tools onto victims: [‘As the Atera agent supports file transfer, the attackers were able to drop two unique ransomware binaries on the victim machine and then execute them.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – RMM clients make regular heartbeat/network connections to cloud endpoints for C2: [‘regular heartbeat connections from the AteraAgent.exe binary to “atera-agent-heartbeat-cus.servicebus.windows[.]net”.’]
  • [T1566] Phishing – Initial access and delivery vectors included targeted phishing leading to RMM installers or loaders: [‘Most identified samples, after being delivered via phishing emails, were discovered being installed using PowerShell dropper or loader malware.’]

Indicators of Compromise

  • [File names] agent and loader executables – AteraAgent.exe, client32.exe, AnyDesk.exe (used as installed service binaries or launched directly).
  • [Service names] Windows services used for persistence – AteraAgent (Atera), Client32 (NetSupport), AnyDesk (AnyDesk service) — visible via event 7045 and service listings.
  • [Domains/Hostnames] C2/heartbeat and CDN hosts – atera-agent-heartbeat-cus.servicebus.windows[.]net; geo.netsupportsoftware[.]com; relay-[RANDOM].net.anydesk[.]com; playanext[.]com (and redirect to [RANDOM].cloudfront[.]net).
  • [Registry key] installation/registry artifacts – HKLM\SOFTWARE\ATERA Networks (examples in Windows registry entries pointing to agent executables).
  • [Command lines/paths] installer/dropper execution traces – “C:\Windows\TEMP\~nsuA.tmp\Au_.exe” /S _?=C:\Program Files (x86)\Splashtop…; C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service.
  • [File paths] dropped payload locations – C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; C:\Users\Public\Music\X64.exe and accompanying dwmapi.dll (sideloaded DLL example).

Rewritten technical procedure:

Identify RMM installations and unauthorized executions by focusing on persistent service creation, specific process names, and known install paths. Monitor for Windows service creation events (Event ID 7045) and correlate them with process start events (Windows 4688 or Sysmon 1) that reference executables in Program Files (x86) such as C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, C:\Program Files (x86)\AnyDesk\AnyDesk.exe, or client32.exe (NetSupport). Flag service names like AteraAgent, Client32, and AnyDesk and capture command-line arguments (e.g., AnyDesk.exe --service or installer flags) to distinguish legitimate managed deployments from anomalous or temporary launches from Temp folders.

Detect C2 and data transfer activity by logging and analyzing network events and DNS resolution for known RMM endpoints and CDN redirects. Collect Windows Security 5156 and Sysmon network events (3) plus Sysmon DNS (22) to spot heartbeats and relay connections to hosts such as atera-agent-heartbeat-cus.servicebus.windows[.]net, geo.netsupportsoftware[.]com, relay-*.net.anydesk[.]com, and playanext[.]com (cloudfront redirects). Combine network hits with process lineage (parent=msiexec.exe, PowerShell, or client32.exe) to surface cases where RMM clients were delivered by PowerShell loaders or JavaScript droppers and used to transfer or execute additional payloads.

Hunt for post-delivery techniques and artifacts that indicate lateral use or execution of transferred tools. Enable Sysmon image-load (7), file-create (11), and registry-change (13) telemetry to detect DLL side-loading (e.g., dwmapi.dll loaded by a renamed X64.exe in C:\Users\Public\Music) and dropped ransomware binaries; track PowerShell module/scriptblock logging (4103/4104) to capture obfuscated loader behavior. Use the provided process/service/name-based queries and alerts (process start for AteraAgent/client32/AnyDesk, registry keys under HKLM\SOFTWARE\ATERA Networks, and DNS queries ending with atera-agent-heartbeat-cus.servicebus.windows[.]net or netsupportsoftware[.]com) to rapidly identify and investigate unauthorized RMM use.
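As an added worked example (not code from the Securonix article and not Securonix's own detection content), the Python pass below applies the artifact checks from the three procedure steps above to a stream of Windows/Sysmon events rendered as dicts: service installs (7045), process starts with Temp-folder and loader-parent context (4688/Sysmon 1), DNS and network hits on the page's RMM hostnames including the relay-* wildcard (Sysmon 22/3), dwmapi.dll loads from outside the system directories (Sysmon 7), and writes under the Atera registry key (Sysmon 13). Field names follow Sysmon (Image, ParentImage, ImageLoaded, QueryName, TargetObject), with 4688's NewProcessName accepted as an alias. The sample events are constructed, and the severity tiers, the loader-parent list and the registry subkey name in the samples are assumptions of this example.

```python
"""Toy detection pass over Windows/Sysmon events for the RMM artifacts named on this page.
Added example, not Securonix rule content. All sample events below are constructed."""
import fnmatch
import ntpath

# Indicators taken from the page; defanged "[.]" is normalised away before matching.
RMM_SERVICE_NAMES = {"ateraagent": "Atera", "client32": "NetSupport", "anydesk": "AnyDesk"}
RMM_PROCESS_NAMES = {"ateraagent.exe": "Atera", "client32.exe": "NetSupport", "anydesk.exe": "AnyDesk"}
RMM_HOST_PATTERNS = [  # (fnmatch pattern, label)
    ("atera-agent-heartbeat-cus.servicebus.windows.net", "Atera heartbeat"),
    ("geo.netsupportsoftware.com", "NetSupport geo check"),
    ("relay-*.net.anydesk.com", "AnyDesk relay"),
    ("playanext.com", "AnyDesk CDN redirect"),
]
RMM_REGISTRY_PREFIXES = (r"hklm\software\atera networks",)
# Assumption of this example: parents the page associates with loader-based delivery.
LOADER_PARENTS = {"powershell.exe", "wscript.exe", "msiexec.exe"}
# DLL the page cites as side-loaded; legitimately it lives only in the system directories.
SIDELOAD_WATCH = {"dwmapi.dll"}
LEGIT_DLL_DIRS = (r"c:\windows\system32\\".rstrip("\\") + "\\", r"c:\windows\syswow64\\".rstrip("\\") + "\\")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _is_temp(path):
    """True for launches out of C:\\Windows\\TEMP or a user's AppData\\Local\\Temp."""
    return "\\temp\\" in path.lower()


def detect(event):
    """Return a list of (severity, reason) tuples for one event dict; [] when nothing matches."""
    eid = event.get("EventID")
    hits = []
    if eid == 7045:  # Windows System log: a service was installed
        svc = event.get("ServiceName", "").lower()
        if svc in RMM_SERVICE_NAMES:
            hits.append(("medium", f"{RMM_SERVICE_NAMES[svc]} service installed: {svc}"))
    elif eid in (4688, 1):  # process creation (Security 4688 or Sysmon 1)
        image = event.get("Image") or event.get("NewProcessName") or ""
        parent = _base(event.get("ParentImage") or event.get("ParentProcessName") or "")
        name = _base(image)
        if name in RMM_PROCESS_NAMES:
            sev, reason = "medium", f"{RMM_PROCESS_NAMES[name]} process started: {image}"
            if _is_temp(image):
                sev, reason = "high", reason + " (launched from a Temp folder)"
            if parent in LOADER_PARENTS:
                sev, reason = "high", reason + f" (parent {parent} suggests loader delivery)"
            hits.append((sev, reason))
    elif eid in (3, 22):  # Sysmon network connection / DNS query
        host = (event.get("QueryName") or event.get("DestinationHostname") or "").lower()
        host = host.replace("[.]", ".")
        for pattern, label in RMM_HOST_PATTERNS:
            if fnmatch.fnmatchcase(host, pattern):
                hits.append(("medium", f"{label}: {host}"))
    elif eid == 7:  # Sysmon image load
        loaded = event.get("ImageLoaded", "")
        if _base(loaded) in SIDELOAD_WATCH and not loaded.lower().startswith(LEGIT_DLL_DIRS):
            hits.append(("high", f"possible side-load of {_base(loaded)} from "
                                 f"{ntpath.dirname(loaded)} by {_base(event.get('Image', ''))}"))
    elif eid == 13:  # Sysmon registry value set
        target = event.get("TargetObject", "").lower()
        if target.startswith(RMM_REGISTRY_PREFIXES):
            hits.append(("low", f"Atera registry write: {event.get('TargetObject')}"))
    return hits


def scan(events):
    """Run detect() over an event stream; returns [(event_index, severity, reason), ...]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in detect(ev)]


# Constructed sample events, one per artifact class plus one benign process start.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "AteraAgent",
     "ImagePath": r"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\client32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 22, "QueryName": "relay-1a2b3c4d.net.anydesk.com"},
    {"EventID": 7, "Image": r"C:\Users\Public\Music\X64.exe", "ImageLoaded": r"C:\Users\Public\Music\dwmapi.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\ATERA Networks\ExampleSubkey\AgentPath"},  # subkey constructed
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev:>6}] event {idx}: {why}")
```

The severity logic is deliberately simple: an RMM binary in its normal Program Files location under services.exe is only "medium" (it may be a sanctioned deployment), while the same binary out of a Temp folder or under a PowerShell parent is raised to "high", which is the distinction the first procedure step asks for. In a real pipeline the host patterns and service names would come from an allow-list of approved RMM products rather than being hard-coded.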

Read more: https://www.securonix.com/blog/securonix-threat-research-knowledge-sharing-series-detecting-rmm-behaviors/