
RMM tools exploited in new phishing campaigns


Threat actors have been deceiving users into downloading various remote monitoring and management software in separate phishing campaigns, according to Infosecurity Magazine. Aside from using bogus browser updates that lead to the clandestine downloading of the ITarian RMM Microsoft Installer, attackers have also leveraged a meeting invite with fraudulent meeting software installers leading to the delivery of the ScreenConnect, Atera, or PDQ Connect RMM tools, a Red Canary report showed. Malicious actors have also distributed emails with party invitations that spread Atera through a Cloudflare R2 object storage domain. Another campaign involved the exploitation of Social Security statements and other government forms to distribute ScreenConnect, PDQ Connect, or SimpleHelp, researchers added. "To determine if a RMM tool is being used maliciously, it's essential to understand its baseline of normal behavior," said Red Canary, which noted filename modifications, tool downloads and executions from non-standard directories, and RMM installer downloads from unconnected domains as primary indicators of nefarious activity.
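The three indicators Red Canary names can be checked against a per-tool baseline. The following is an added example, not code from Red Canary or the original article: the event schema, the `check_event` function, and every file name, directory and domain in the baseline are assumptions to be replaced with values from your own software inventory.

```python
from ntpath import basename, dirname  # parses Windows paths on any OS
from urllib.parse import urlparse

# Assumed baseline; replace with your own software inventory. File names,
# directories and vendor domains below are constructed placeholders.
BASELINE = {
    "Atera": {
        "names": {"ateraagent.exe"},
        "dirs": [r"c:\program files\atera networks"],
        "domains": {"rmm-vendor-a.example"},
    },
    "ScreenConnect": {
        "names": {"screenconnect.clientservice.exe"},
        "dirs": [r"c:\program files (x86)\screenconnect client"],
        "domains": {"rmm-vendor-b.example"},
    },
}

def check_event(event):
    """Return the deviations from baseline for one process event."""
    # Identify the tool by embedded original name so a rename cannot hide it.
    original = event.get("original_name", "").lower()
    base = next((b for b in BASELINE.values() if original in b["names"]), None)
    if base is None:
        return []  # not a tracked RMM binary
    findings = []
    image = event["image"].lower()
    folder = dirname(image)
    if basename(image) not in base["names"]:
        findings.append("renamed_binary")
    if not any(folder == d or folder.startswith(d + "\\") for d in base["dirs"]):
        findings.append("nonstandard_directory")
    host = (urlparse(event.get("source_url", "")).hostname or "").lower()
    if host and not any(host == d or host.endswith("." + d) for d in base["domains"]):
        findings.append("unrelated_download_domain")
    return findings

# Constructed sample events (hypothetical schema, not real telemetry).
EVENTS = [
    {"image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "original_name": "AteraAgent.exe"},
    {"image": r"C:\Users\kim\Downloads\PartyInvite.exe",
     "original_name": "AteraAgent.exe",
     "source_url": "https://bucket.unrelated-storage.example/PartyInvite.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "original_name": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["image"], check_event(e))
```

Matching on the binary's embedded original name rather than its on-disk name is what lets the renamed installer in the second event be recognized at all; an empty result for a tracked tool means the event fits the baseline, not that the tool's use is authorized.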
