RAT disguised as an RMM costs crims $300 a month
Briefly

"Researchers at Proofpoint late last month uncovered what they describe as a 'weird twist' on the growing trend of criminals abusing remote monitoring and management software (RMM) as their preferred attack tools. These folks created an entirely fake RMM vendor that purports to sell enterprise software for $300 a month. In fact, it's a remote access trojan (RAT) being sold as a service. Call it a RATaaS."
"The criminals behind the malware took great care to make their product appear legitimate, giving it the name TrustConnect. They even built a fake business website and obtained a legitimate Extended Validation code-signing certificate to digitally sign malware and allow it to bypass security controls. At first, the crooks even fooled Proofpoint's threat hunters themselves. 'Initially, TrustConnect appeared to be another legitimate RMM tool being abused,' the company's research team said in a Thursday post."
"Criminals prefer using legitimate, commercial software for nefarious purposes because it makes it easier for them to hide inside enterprise IT environments. Over the past year or so, RMM tools have moved to the top of attackers' must-have list. There are many of them to choose from, enterprises already use and trust many of these tools, and they provide a direct, remote pipeline to victims' machines for deploying ransomware, info-stealers, and other malware, and maintaining long-term access to infected systems."
Criminals created TrustConnect, an entirely fake RMM vendor whose product is actually a remote access trojan (RAT) offered as a subscription service. The operators built a convincing business website and obtained an Extended Validation code-signing certificate, which they used to digitally sign the malware so that it would bypass security controls. The deception initially fooled security teams, and it exploited the trust enterprises place in legitimate RMM tools to create stealthy, direct remote pipelines into victim machines. RMM abuse has surged, with incidents jumping dramatically and making up a significant share of observed intrusions, because these tools facilitate ransomware, data theft, and persistent access.
Read at The Register