Feds Alert of Malicious Usage of RMM Software in Callback Phishing Attacks

Cyber threat actors are more and more utilizing legit remote monitoring and management (RMM) software programs for their attacks, based on the latest joint advisory from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The campaign was initially discovered in October 2022 and entails callback phishing. The emails utilized in this campaign are hard for email security solutions to identify as malicious because they have no malicious URLs or file attachments. The emails inform the recipient regarding an upcoming bill and a telephone number is given in the email for the users to call when they would like to stop the charge being made.

The charges generally pertain to a software program that is ending a free trial. The user is informed that the total cost of the software will be billed to the user’s account in case no action is undertaken. Because of the high price of the software program, very likely the number will be contacted. The call is responded to and social engineering techniques are employed to persuade the user to go to a malicious website and download the software, which they are advised is needed to get rid of the software and stop the charge. The software connects to a second-stage domain and gets a mobile version of reputable remote access software like SceenConnect and AnyDesk. In case carried out, the software will link to the RMM server of the threat actor that would give access to the device of the user.

The self-contained, lightweight versions of these remote access programs don’t call for an installation, and therefore do not need administrator privileges. Companies might have safety controls ready to stop the installation of this software program on the system, however portable versions will circumvent these security settings and will enable the attacker to get access to the user’s device as a local user. They could then go on to other vulnerable machines in the local computer system or set up persistent access as a local user service. One of the primary goals of these attacks is to fool users into signing into their bank accounts to start a reimbursement scam. The attackers stay linked while the user uses their bank account, and the user’s bank account summary is changed to seem like an extra amount of money was returned. The user was then informed to return the extra to the scammer.

CISA carried out a retrospective evaluation of the federal civilian executive branch (FCEB) intrusion detection system (IDS) according to third-party reporting and found malicious activity on two FCEB systems that were breached employing this method. Further examination discovered malicious activity on a lot of other FCEB networks, which the companies could connect to a wider financially inspired phishing campaign, associated with a typosquatting campaign found by Silent Push that spoofed Microsoft, McAfee, Amazon, Norton, Geek Squad, and PayPal domains. At first, this campaign concerned helpdesk-inspired email messages that instructed users to a site spoofing one of these brand names, then they began doing callback phishing attacks. The campaign is in action since June 2022.

Even though this campaign utilizes AnyDesk and ScreenConnect, other kinds of RMM software can be manufactured into self-contained mobile executables. These kinds of attacks are much less difficult to carry out than making custom malware that gives remote access and spreads that malware in phishing emails. The government institutions encourage all FCEB agencies and network defenders at other companies to evaluate the Indicators of Compromise (IOCs) and mitigations given in the security notification to safeguard against the malicious use of RMM software.