One Article Review

Source: Proofpoint
Identifier: 8655165
Publication date: 2025-03-07 09:07:33 (viewed: 2025-03-12 02:07:53)
Title: Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice
Text

Key findings

- More threat actors are using legitimate remote monitoring and management (RMM) tools as a first-stage payload in email campaigns.
- RMMs can be used for data collection, financial theft, lateral movement, and to install follow-on malware including ransomware.
- While threat actors have long used RMMs in campaigns and attack chains, their increased use as a first-stage payload in email data is notable.
- The increase in RMM tooling aligns with a decrease in the prominent loaders and botnets typically used by initial access brokers.

Overview

More threat actors are using legitimate RMM tools in email campaigns as a first-stage payload for cyberattacks. RMM software is used legitimately in enterprises by information technology (IT) administrators to remotely manage fleets of computers. When abused, such software has the same capabilities as a remote access trojan (RAT), and financially motivated threat actors are delivering RMM tools via email more often.

In 2024, Proofpoint researchers observed a notable increase in the use of RMM tools by cybercriminal threat actors in documented campaigns, including payloads such as ScreenConnect, Fleetdeck, and Atera. Proofpoint defines a campaign as a time-bound set of related threat activity analyzed by Proofpoint researchers. Notably, while NetSupport had historically been the most frequently observed RMM in Proofpoint campaign data, its use dropped off throughout 2024 and other RMMs became much more prominent. This trend is continuing in 2025.

The increased use of RMM tooling also aligns with a decrease in the prominent loader and botnet malware most often used by initial access brokers in the ecrime space.

RMMs and IABs

Typically in attacks like ransomware, RMMs are used as part of an overall attack chain and are observed as a follow-on payload or technique once initial access has been achieved. The infection could originate through a loader delivered via email, or through some other method.

The use of RMMs in malicious activity is common, and threat actors can abuse these tools in many ways, including leveraging remote administration tools already present in an environment or installing new RMM software on a compromised host for persistence and lateral movement.

Threat actors conducting telephone-oriented attack delivery (TOAD) attacks frequently use RMM tools. In these attacks, the threat actor sends an email with a phone number included either in the body text or in an attached PDF, typically using an invoice lure. The recipient is instructed to call the number to dispute the invoice, but the number belongs to the threat actor, who, once the recipient is on the phone, directs them to install an RMM or other malware. Payloads typically delivered by TOAD actors include AnyDesk, TeamViewer, Zoho, UltraViewer, NetSupport, and ScreenConnect.

Prior to 2024, the use of RMMs as a first-stage payload delivered directly via email was less common in Proofpoint campaign data than other malware delivery, with most such campaigns since 2022 delivering NetSupport. However, the presence of RMMs in campaign data began increasing in mid-2024, with ScreenConnect in particular appearing much more frequently.

Figure: Campaigns from January 2022 through December 2024 that include RMM tooling.

Interestingly, the increase in RMMs observed in Proofpoint data aligns with a decrease in the loaders and botnets popular with initial access brokers (IABs) in email campaign data, which historically comprised a large part of the overall threat landscape. Proofpoint has observed multiple tracked IABs considerably decrease activity or disappear altogether from email campaign data since mid-2024, including TA577, TA571, and TA544. It is likely these actors are either retooling or using initial access methods other than email. For example, TA577 campaigns have previously been observed leading to Black Basta ransomware. Third-party reportin
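The delivery pattern described above (an RMM installer handed to the user by an email attachment, a downloaded link or a TOAD phone call, and run under a mail client, browser or PDF reader rather than deployed by IT) is something an endpoint team can check for. The following is an added example written for this page, not Proofpoint's code or detection content: it scores constructed, Sysmon-like process-creation events for RMM executables that are unapproved, launched from a user-facing parent, or running outside the managed install path. The executable-name patterns, the parent-process list, the approved RMM (Atera), the install-path convention and the relay-host parameter parsing are all assumptions for illustration.

```python
"""Endpoint check for RMM installers arriving as a first-stage payload.

Added example (not Proofpoint's code). Runs over constructed, Sysmon-like
process-creation events embedded below. Executable-name patterns, the list
of user-facing parent processes, the approved RMM and the install-path
convention are assumptions for illustration; tune them to the environment.
"""
from dataclasses import dataclass
import re

# Assumed executable-name patterns for the RMM families named in the article.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"^screenconnect.*\.exe$", re.I),
    "Atera": re.compile(r"^atera.*\.exe$", re.I),
    "FleetDeck": re.compile(r"^fleetdeck.*\.exe$", re.I),
    "NetSupport": re.compile(r"^client32\.exe$", re.I),
    "AnyDesk": re.compile(r"^anydesk.*\.exe$", re.I),
    "TeamViewer": re.compile(r"^teamviewer.*\.exe$", re.I),
    "UltraViewer": re.compile(r"^ultraviewer.*\.exe$", re.I),
}

# Parents that mean a person ran the binary straight from mail, a browser or a
# PDF reader (attachment, downloaded link, TOAD call) rather than IT deploying it.
USER_FACING_PARENTS = {
    "outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe",
    "firefox.exe", "acrord32.exe", "winword.exe",
}

APPROVED_RMM = {"Atera"}                      # assumption: the org's sanctioned RMM
APPROVED_PATH_PREFIX = "c:\\program files\\"  # assumption: IT installs land here


@dataclass
class ProcessEvent:
    ts: str
    user: str
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify_rmm(image: str):
    """Return the RMM family the image name matches, or None."""
    name = basename(image)
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def relay_host(cmdline: str):
    """Pull the 'h=' host out of a ScreenConnect-style argument string.

    Assumption: the installer carries its server as URL-style parameters
    (e=...&y=...&h=...&p=...); only the host is extracted, for pivoting.
    """
    m = re.search(r'[?&]h=([^&\s"]+)', cmdline)
    return m.group(1) if m else None


def score_event(ev: ProcessEvent):
    """Score one event; None when it is not an RMM or is an IT-style deployment."""
    family = classify_rmm(ev.image)
    if family is None:
        return None
    reasons = []
    parent = basename(ev.parent_image)
    if parent.lower() in USER_FACING_PARENTS:
        reasons.append(f"launched by user-facing app {parent}")
    if not ev.image.lower().startswith(APPROVED_PATH_PREFIX):
        reasons.append("running outside the managed install path")
    if family not in APPROVED_RMM:
        reasons.append(f"{family} is not an approved RMM")
    if not reasons:
        return None
    return {
        "ts": ev.ts, "user": ev.user, "rmm": family,
        "severity": "high" if len(reasons) >= 2 else "medium",
        "relay": relay_host(ev.cmdline),
        "reasons": reasons,
    }


def detect(events):
    """Return one alert dict per suspicious RMM execution, in input order."""
    return [a for a in (score_event(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("2025-03-07T09:12:03Z", "CORP\\alice",
                 "C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                 '"ScreenConnect.ClientSetup.exe" "?e=Access&y=Guest&h=relay.example.net&p=443"'),
    ProcessEvent("2025-03-07T09:15:41Z", "NT AUTHORITY\\SYSTEM",
                 "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
                 "C:\\Windows\\System32\\services.exe", "AteraAgent.exe"),
    ProcessEvent("2025-03-07T10:02:19Z", "CORP\\bob",
                 "C:\\Users\\bob\\Downloads\\AnyDesk.exe",
                 "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
                 '"AnyDesk.exe"'),
    ProcessEvent("2025-03-07T10:30:00Z", "CORP\\carol",
                 "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
                 "C:\\Windows\\explorer.exe", '"TeamViewer.exe"'),
    ProcessEvent("2025-03-07T10:31:12Z", "CORP\\carol",
                 "C:\\Windows\\System32\\notepad.exe",
                 "C:\\Windows\\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["ts"], alert["user"], alert["rmm"],
              alert["relay"] or "-", "; ".join(alert["reasons"]))
```

On the sample data this raises two high-severity alerts (ScreenConnect out of Outlook, AnyDesk out of Edge, both unapproved and in user-writable paths) and one medium alert (TeamViewer in Program Files but not on the approved list), while the Atera agent started by the service control manager is silent. The approved list matters: the article's point is that the tool itself is legitimate, so the signal is in who ran it, from where, and whether it is the tool the organization actually sanctions.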
Tags: Ransomware, Malware, Tool, Threat, Legislation, Prediction
The article does not appear to have been republished after its publication.

The article does not appear to be a republication of an earlier one.