Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

March 12, 2025, 4:31 p.m.

Description

Threat actors are increasingly delivering legitimate remote monitoring and management (RMM) tools as the initial payload in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. Once installed, an RMM tool can be abused for data collection, financial theft, lateral movement, and the installation of additional malware. Notable RMM tools observed in campaigns include ScreenConnect, Fleetdeck, and Atera. The shift towards RMM usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors, including TA583 and TA2725, have been observed incorporating RMMs into their attack chains. Organizations are advised to restrict unauthorized RMM installations, implement network detections for RMM traffic, and train users to identify suspicious activity.

Date

  • Created: March 12, 2025, 4 p.m.
  • Published: March 12, 2025, 4 p.m.
  • Modified: March 12, 2025, 4:31 p.m.

Indicators

  • b8fd2b4601b09aacd760fbede937232349bf90c23b35564ae538ed13313c7bd0
  • 97b35a7673ae59585ad39d99e20d9028ac26bbccb50f2302516520f544fe637e
  • 4c4e15513337db5e0833133f587e0ed131d4ebb65bb9a3d6b62a868407aae070
  • 45.155.249.215
  • 185.157.213.71
  • 109.71.247.168
  • https://safelink.vn/OsDXr
  • https://safelink.vn/GESLx
  • https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1
  • https://online.invoicesing.es/Bin/Statement.ClientSetup.exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=\
  • https://kalika.bluetrait.io/api/
  • https://3650ffice.anticlouds.su/Fraud_Alert_black/
  • http://www.farrarscieng.com/re.php
  • http://45.155.249.215/xxx.zip
  • http://185.157.213.71:443

Attack Patterns

  • Bluetrait
  • Mispadu - S1122
  • Atera
  • Fleetdeck
  • Grandoreiro - S0531
  • Guildma
  • Astaroth - S0373
  • ScreenConnect
  • Lumma stealer
  • Remcos
  • NetSupport
  • AsyncRAT
  • T1036.002
  • T1102.002
  • T1036.004
  • T1573.001
  • T1218.011
  • T1027.002
  • T1036.005
  • T1021
  • T1573
  • T1218
  • T1102
  • T1219
  • T1036
  • T1204
  • T1027
  • T1566
  • T1133
  • T1090
  • T1059

Additional Information

  • Energy
  • Finance
  • Telecommunications
  • Government
  • Spain
  • Canada
  • France
  • Mexico
  • Ukraine
  • Brazil
  • United States of America