Alert Issued By CISA, NSA, And MS-ISAC On The Malicious Use Of Legitimate RMM Software

A joint Cybersecurity Advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) to alert network defenders of the potential malicious use of legitimate remote monitoring and management (RMM) software.

In October 2022, CISA used its trusted third-party reporting to conduct retrospective analysis of a federal civilian executive branch-wide intrusion detection system (EINSTEIN) and identified a widespread, financially motivated phishing campaign related to malicious typosquatting activity. The investigation uncovered that since June 2022, cybercriminals have been sending phishing emails to email addresses of FCEB federal staff, both private and government. These emails contain links to malicious domains or even ask the recipients to call the criminals in order to access the malicious domain. Once the recipient visits the initial malicious website, an executable is downloaded and then connected to a “second-stage” malicious domain, where more RMM software is downloaded. CISA stated that the actors did not install the downloaded RMM clients on the compromised host, instead they used AnyDesk and ScreenConnect as self-contained, portable executables that connect to the actor’s RMM server. Upon further examination and offering incident response aid, CISA uncovered activity on numerous FCEB networks.It’s believed that this is part of a wide-reaching phishing campaign driven by financial gain, as Silent Push (a leading threat intelligence solution provider) reported that malicious domains designed to resemble popular brands such as Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal have been used in the attack. In addition, CISA observed that the original phishing email contained a malicious domain which, when clicked, directed users to other websites and allowed downloads of RMM software.

After downloading the RMM software, the actors utilized it to perpetrate a refund scam. They first linked to the victim’s computer and urged them to log into their bank account while still connected. Then, the actors took advantage of the RMM software to alter the appearance of the victim’s bank account summary, making it seem as if they were wrongly refunded an exorbitant amount of money. Afterwards, the actors asked the recipient to “refund” this excess amount to the scam operator. CISA noted the importance for network defenders to be aware that malicious actors can use legitimate RMM software as a backdoor for persistence and Command and Control (C2). This type of activity, which appears to be financially motivated and targets individuals, could lead to additional malicious activity against the recipient’s organization from both other cybercriminals and Advanced Persistent Threat (APT) actors. Moreover, malicious actors can easily obtain RMM software as a single, executable package, which does not require administrative privileges or software management controls. CISA has noted that RMM software usually does not trigger antivirus or antimalware security measures, and can be used to bypass custom malware.