Cybersecurity researchers at ANY.RUN have identified a sophisticated phishing-to-RMM attack campaign. Cybercriminals are mimicking legitimate sites like Microsoft and Adobe to distribute remote management tools such as ScreenConnect and LogMeIn Rescue under false pretenses.
This type of attack is particularly hard to detect because both the payloads and the infrastructure are genuine: the RMM software is a legitimate product, and the phishing pages are often hosted on legitimate platforms. Security analysts must piece together the entire sequence, from the initial phishing lure to the execution of the RMM software, to thwart potential threats.
Geographical and Sector-Specific Impact
ANY.RUN’s findings indicate that these phishing-to-RMM activities are most prevalent in the United States, followed by regions such as Canada, Europe, and Australia. Industries heavily impacted include Education, Technology, Banking, Government, Manufacturing, and Finance. These sectors routinely use remote administration, making it harder to discern malicious RMM activity at first glance.
For security professionals, simply identifying the presence of tools like ScreenConnect or LogMeIn Rescue is insufficient. The context of the download, the source page, and the user’s expectations are crucial for accurate threat identification.
Mechanisms of Phishing-to-RMM Attacks
Within the ANY.RUN sandbox, researchers have traced various phishing-to-RMM pathways. These attacks often exploit well-known brands and legitimate remote access tools to infiltrate systems.
For instance, a phishing page posing as the Microsoft Store may prompt users to download a file named Adobesetup.exe. This file, however, is a ScreenConnect installer, granting attackers remote access once executed.
Detailed Attack Scenarios
In another scenario, a fake OneDrive download page deceives users into clicking a “Verify to Download” prompt, which results in the download of ScreenConnect.ClientSetup.exe. This attack is particularly insidious because the phishing page is hosted on a legitimate platform, complicating detection efforts.
Additionally, researchers observed the deployment of a VBS script masquerading as an Adobe document. Upon execution, this script disables security features and installs LogMeIn Rescue, enabling remote access without user consent.
Detecting these threats requires a complete view of the attack chain, from the phishing page through the download and execution to the outbound connections that follow. Behavioral analysis in a sandbox environment is essential to reveal these multi-stage attack sequences.
Enhancing Detection and Response
Traditional detection methods often fall short because the final payloads appear legitimate. Security analysts must focus on the entire sequence of events, including the phishing lure, download behavior, and resulting network connections, to accurately assess threats.
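The following is an added example, not code from ANY.RUN or from the article, of what "focusing on the entire sequence" can look like in detection logic. It correlates three kinds of endpoint telemetry (a browser download with its source page, a process creation with the binary's product metadata, and a network connection from that process) and only raises a finding when the context is wrong: the lure page or filename claims a brand the download host does not belong to, the filename claims one brand while the executable's product metadata names an RMM tool, the installer ran straight from a browser download, or it was launched by a script host. The event field names, the sample events (modelled on the Adobesetup.exe and VBS-to-LogMeIn Rescue scenarios above), and the domains are constructed for this example; an RMM installer run by an administrator with none of that context produces no finding at all.

```python
"""Correlate download, process and network events to flag phishing-to-RMM chains.
All event records below are constructed for this example, not real telemetry."""
from urllib.parse import urlparse

# RMM products that are legitimate on their own; only the surrounding context is suspicious.
RMM_PRODUCTS = {"screenconnect", "logmein rescue"}

# Brands commonly impersonated by the lure page or the download filename, and the
# domains a genuine download for that brand would be served from (assumed, abbreviated).
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
    "microsoft": {"microsoft.com"},
    "onedrive": {"onedrive.live.com", "microsoft.com"},
}

# Script interpreters that should not normally be the parent of an RMM installer.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def claimed_brands(text):
    """Brands a page title or filename implies, e.g. 'Adobesetup.exe' -> {'adobe'}."""
    t = text.lower()
    return {b for b in BRAND_DOMAINS if b in t}


def host_belongs_to(host, brand):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def rmm_product(meta):
    """Return the RMM product named in PE product metadata, or None."""
    m = (meta or "").lower()
    return next((p for p in RMM_PRODUCTS if p in m), None)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyze(events):
    """Walk time-ordered events and return findings as (severity, message) tuples."""
    findings = []
    downloads = {}      # lowercase local path -> download event
    rmm_pids = {}       # pid -> RMM product name
    flagged_pids = set()  # pids whose launch context was already suspicious

    for ev in events:
        kind = ev["type"]

        if kind == "download":
            downloads[ev["path"].lower()] = ev
            brands = claimed_brands(ev["page_title"] + " " + ev["filename"])
            host = urlparse(ev["url"]).hostname or ""
            # Lure check: the page or file claims a brand, but the host is not that brand's.
            if brands and not any(host_belongs_to(host, b) for b in brands):
                findings.append(("medium", f"lure mismatch: page/file claims "
                                 f"{sorted(brands)} but was served by {host}"))

        elif kind == "process_create":
            product = rmm_product(ev.get("product"))
            if not product:
                continue
            rmm_pids[ev["pid"]] = product
            before = len(findings)
            # Filename claims one brand, binary metadata says it is an RMM client.
            brands = claimed_brands(basename(ev["image"]))
            if brands:
                findings.append(("high", f"filename claims {sorted(brands)} but binary "
                                 f"is {product}: {ev['image']}"))
            # The installer is the file the browser just downloaded.
            dl = downloads.get(ev["image"].lower())
            if dl:
                findings.append(("high", f"{product} installer executed right after "
                                 f"browser download from {dl['url']}"))
            # A script (e.g. a VBS posing as a document) launched the RMM installer.
            if basename(ev.get("parent", "")).lower() in SCRIPT_HOSTS:
                findings.append(("high", f"{product} launched by script host {ev['parent']}"))
            if len(findings) > before:
                flagged_pids.add(ev["pid"])

        elif kind == "network":
            # Outbound connections matter only for processes already flagged by context.
            if ev["pid"] in flagged_pids:
                findings.append(("high", f"{rmm_pids[ev['pid']]} (pid {ev['pid']}) "
                                 f"connected to {ev['dest']}"))
    return findings


# Constructed sample chain: fake Microsoft Store page serves Adobesetup.exe, which is a
# ScreenConnect client; the last event is a benign control with no lure or mismatch.
SAMPLE_EVENTS = [
    {"type": "download", "url": "https://ms-store-downloads.example/get/Adobesetup.exe",
     "page_title": "Microsoft Store - Adobe Reader", "filename": "Adobesetup.exe",
     "path": r"C:\Users\alice\Downloads\Adobesetup.exe"},
    {"type": "process_create", "pid": 4120, "image": r"C:\Users\alice\Downloads\Adobesetup.exe",
     "product": "ScreenConnect Client", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network", "pid": 4120, "dest": "relay.example.net:443"},
    {"type": "process_create", "pid": 5000, "image": r"C:\Temp\ScreenConnect.ClientSetup.exe",
     "product": "ScreenConnect Client", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Running the block prints one medium and three high findings for the pid-4120 chain and nothing for the administrator-style install in the last event, which is the distinction the article draws between the mere presence of an RMM tool and the context in which it arrived.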
Utilizing tools like ANY.RUN can significantly improve threat response times, reducing the Tier 1 workload by up to 20% and cutting down on unnecessary escalations. This enables teams to act swiftly and prevent potential business impacts.
By adopting cloud-based analysis, organizations can enhance threat visibility, streamline threat response, and ultimately protect their assets from sophisticated phishing-to-RMM attacks.
