
"Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. "Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust," KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said. "By stealing a 'skeleton key' to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor.""
"The bogus emails are disguised as an invitation from a legitimate platform called Greenvelope, and aim to trick recipients into clicking on a phishing URL that's designed to harvest their Microsoft Outlook, Yahoo!, and AOL.com login information. Once this information is obtained, the attack moves to the next phase. Specifically, this involves the threat actor registering with LogMeIn using the compromised email to generate RMM access tokens,"
The campaign uses a two-wave approach: first, phishing emails masquerading as Greenvelope invitations harvest Microsoft Outlook, Yahoo!, and AOL.com credentials. Next, the attacker registers with LogMeIn using the compromised email to generate RMM access tokens. An executable named "GreenVelopeCard.exe", signed with a valid certificate, contains a JSON configuration that silently installs LogMeIn Resolve and connects to an attacker-controlled URL. The deployed RMM is configured to run with unrestricted Windows privileges. Hidden scheduled tasks are created to relaunch the RMM automatically if terminated, providing persistent remote access and covert control of compromised hosts.
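An added detection example, not code from the KnowBe4 report or The Hacker News article: a small Python check run over constructed Sysmon process-creation and Windows Security 4698 (scheduled task created) records, flagging the two patterns described above, an RMM binary spawned by an executable living in a user profile, and a scheduled task whose action points at an RMM agent. The sample events, paths and the "logmein" marker string are assumptions chosen for illustration.

```python
import re

RMM_MARKERS = ("logmein",)  # vendor strings to watch; extend for other RMM products
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)

# Constructed sample events (simplified Sysmon EID 1 and Security EID 4698 records);
# field names follow those schemas, all values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\GreenVelopeCard.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\logmein-resolve-setup.exe",
     "ParentImage": r"C:\Users\alice\Downloads\GreenVelopeCard.exe", "User": "CORP\\alice"},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": "<Actions><Exec><Command>C:\\ProgramData\\LogMeIn\\agent.exe</Command></Exec></Actions>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>"},
]

def mentions_rmm(text):
    t = text.lower()
    return any(m in t for m in RMM_MARKERS)

def check_event(ev):
    """Return a reason string if the event matches a campaign pattern, else None."""
    if ev.get("EventID") == 1:
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        # RMM binary started by an executable in a user profile (e.g. a downloaded
        # "invitation" file) rather than by an IT deployment tool
        if mentions_rmm(image) and USER_PROFILE.match(parent):
            return f"RMM binary {image} launched from user-profile executable {parent}"
    elif ev.get("EventID") == 4698:
        # scheduled task whose action relaunches an RMM agent: the persistence pattern above
        if mentions_rmm(ev.get("TaskContent", "")):
            return (f"scheduled task {ev.get('TaskName')} relaunches RMM agent "
                    f"(created by {ev.get('SubjectUserName')})")
    return None

def scan(events):
    """Return (index, reason) pairs for every event that matches a pattern."""
    return [(i, r) for i, ev in enumerate(events) if (r := check_event(ev))]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

In production the same checks would be fed from a SIEM query rather than an inline list, and the RMM marker list should be paired with an allowlist of the deployment accounts and installer paths IT actually uses.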
Read at The Hacker News