Malicious actors are using multiple lures in new phishing campaigns designed to install remote monitoring and management (RMM) software onto victim machines, Red Canary has warned.
The Zscaler company explained in a blog post on Friday that it had observed several campaigns that abuse the ITarian (aka Comodo), PDQ, SimpleHelp and Atera tools for covert remote access.
It pointed to four specific lures:
- A fake browser update that the victim is redirected to after visiting an infected website. Once the user clicks an “Update Chrome” button, they unwittingly download the ITarian RMM Microsoft Installer (MSI)
- A meeting invite, where victims are presented with fake installers for meeting software such as Microsoft Teams and Zoom. The end goal is to install either the Atera, PDQ or ScreenConnect RMM tool
- A party invitation, usually sent via email, with the lure of “Party Card Viewer” or “E-Invite.” An Atera RMM tool is delivered through a Cloudflare R2 object storage domain, which is trusted by the victim’s computer
- Government forms, such as Social Security statements, W9 forms and income tax returns. If the victim clicks through, they will begin an install of PDQ Connect, SimpleHelp or ScreenConnect. In some examples the adversary installs multiple RMM tools in quick succession
Red Canary warned that RMM software could be used by threat actors to launch ransomware or data theft attacks.
“Given the relative ease with which realistic-looking phishing emails and websites can be created, it is vital for organizations to implement security controls and detection capabilities,” it added.
“Implementing network controls like browser isolation or monitoring for suspicious newly registered domains can help identify and contain these compromises at their earliest stages.”
The security vendor urged enterprise security teams to mitigate the threat by:
- Deploying detection and response at the endpoint layer
- Maintaining an “approved tools list” and denying access to anything unauthorized
- Improving network visibility via preventive or monitoring controls for trusted services like Cloudflare R2 object storage domains. This could include enforcing browser isolation when domains deliver files with suspicious extensions or monitoring for suspicious newly registered domains
“To determine if an RMM tool is being used maliciously, it’s essential to understand its baseline of normal behavior,” Red Canary concluded.
“Key indicators of malicious activity often include changing the filename, downloading and running the tool from a non-standard directory, downloading an RMM installer from a domain not connected to the RMM product or initiating suspicious network connections.”
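To make that baseline check concrete, here is an added example (not Red Canary's code or any vendor's) that flags each of the quoted indicators, plus the multiple-RMM-tools-in-quick-succession pattern noted for the government-forms lure, over constructed endpoint execution events. The baseline filenames, directories and vendor domains, the event fields and the hostnames are all assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed baseline: approved RMM products with the filename, install
# directory and vendor download domain a team has observed as normal.
# Placeholder values, not vendor documentation.
BASELINE = {
    "atera": {"filenames": {"ateraagent.exe"},
              "dirs": ("c:/program files/atera networks/",),
              "domains": {"atera.com"}},
    "simplehelp": {"filenames": {"remote access.exe"},
                   "dirs": ("c:/program files/simplehelp/",),
                   "domains": {"simple-help.com"}},
}

def _host_matches(url, domains):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def check_rmm_event(event):
    """Return the baseline deviations for one execution event.
    event["product"] is assumed to come from the binary's signer/metadata,
    so a renamed file still resolves to the right product profile."""
    profile = BASELINE.get(event["product"].lower())
    if profile is None:
        return ["unapproved-tool"]            # not on the approved tools list
    path = event["path"].replace("\\", "/").lower()
    flags = []
    if path.rsplit("/", 1)[-1] not in profile["filenames"]:
        flags.append("renamed-binary")        # filename changed
    if not path.startswith(profile["dirs"]):
        flags.append("non-standard-directory")
    url = event.get("download_url")
    if url and not _host_matches(url, profile["domains"]):
        flags.append("untrusted-download-domain")  # not the vendor's domain
    return flags

def rapid_multi_rmm(events, window_seconds=600):
    """Hosts on which more than one RMM product ran within window_seconds."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append((e["ts"], e["product"].lower()))
    hits = []
    for host, runs in by_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            if len({p for t, p in runs[i:] if t - t0 <= window_seconds}) > 1:
                hits.append(host)
                break
    return hits

EVENTS = [  # constructed sample telemetry; the r2.dev host is a placeholder
    {"host": "ws01", "ts": 0, "product": "atera",
     "path": r"C:\Program Files\Atera Networks\AteraAgent.exe",
     "download_url": "https://agent.atera.com/AteraAgent.msi"},
    {"host": "ws02", "ts": 100, "product": "atera",
     "path": r"C:\Users\bob\Downloads\E-Invite.exe",
     "download_url": "https://pub-0000.r2.dev/E-Invite.exe"},
    {"host": "ws02", "ts": 200, "product": "simplehelp",
     "path": r"C:\Users\bob\AppData\Local\Temp\Remote Access.exe",
     "download_url": "https://example-invalid.test/W9.exe"},
    {"host": "ws03", "ts": 300, "product": "unknownrmm",
     "path": r"C:\Temp\x.exe", "download_url": None},
]
```

Only the first event matches its baseline; the second trips all three quoted indicators at once, and ws02 is also reported for running two different RMM products within ten minutes.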