Threat actors are abusing remote monitoring and management (RMM) tools to plant persistent, hard-to-spot backdoors in enterprise environments as part of a new dual-vector campaign dubbed Skeleton Key, SiliconANGLE reports.

According to KnowBe4 Threat Labs, intrusions begin with emails spoofing Greenvelope invitations. Each carries a link to a fake login page built to harvest the recipient's credentials. The stolen credentials are then used to obtain legitimate RMM access tokens, after which the attackers run a file named "GreenVelopeCard.exe" that deploys the LogMeIn and GoTo Resolve agents. Because both are legitimate, widely used tools, signature-based detection does not flag them.

The attackers add further stealth through registry manipulation, abuse of Windows services and concealed scheduled tasks for persistence, and by routing their traffic to GoTo's own infrastructure over encrypted HTTPS, where it blends in with normal use of the service.

Defending against this threat, the researchers say, requires closer monitoring for atypical tool usage, unauthorized RMM deployments, and suspicious identity activity.
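The monitoring the researchers recommend can be expressed as a handful of correlation rules over endpoint telemetry. The following Python script is an added example, not code from the SC Media article, KnowBe4 Threat Labs or any RMM vendor: it scans constructed event records shaped after Sysmon event 1 (process creation), System event 7045 (service installed), Security event 4698 (scheduled task created) and Sysmon event 22 (DNS query), and flags RMM agents started by non-deployment accounts or from unexpected parents, RMM-backed services and tasks, and RMM vendor traffic from hosts that never received a sanctioned install. The tool and lure file names come from the article; every host name, user, path, domain and the deployment policy are assumptions for illustration.

```python
"""Flag unsanctioned RMM deployments and related persistence in endpoint logs.

Added example, not the article's or any vendor's code. Event records are
constructed dicts; hosts, users, paths, domains and policy values are assumed.
"""
from dataclasses import dataclass

# Case-insensitive substrings identifying the RMM families named in the article.
RMM_INDICATORS = {
    "LogMeIn": ("logmein",),
    "GoTo Resolve": ("gotoresolve", "goto resolve", "goto\\resolve"),
}
# Vendor domains an endpoint talks to once an agent is running (assumed list).
RMM_DOMAINS = ("logmein.com", "goto.com", "gotoresolve.com")
# Deployment policy (assumed): only this account, via these parents, installs RMM.
APPROVED_DEPLOYERS = {"CORP\\svc-sccm"}
APPROVED_PARENTS = {"msiexec.exe", "services.exe", "ccmexec.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def rmm_family(text: str):
    """Return the RMM family referenced anywhere in text, or None."""
    low = text.lower()
    for family, needles in RMM_INDICATORS.items():
        if any(n in low for n in needles):
            return family
    return None


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def scan(events):
    """Pass 1 records hosts with a sanctioned install; pass 2 flags the rest."""
    sanctioned_hosts = set()
    for ev in events:
        if ev["event_id"] in (1, 7045) and ev.get("user") in APPROVED_DEPLOYERS:
            blob = ev.get("image", "") + ev.get("image_path", "") + ev.get("service_name", "")
            if rmm_family(blob):
                sanctioned_hosts.add(ev["host"])

    findings = []
    for ev in events:
        host, user, eid = ev["host"], ev.get("user", ""), ev["event_id"]
        if eid == 1:  # process creation
            fam = rmm_family(ev["image"])
            if not fam:
                continue
            if user not in APPROVED_DEPLOYERS:
                findings.append(Finding(host, "rmm_unauthorized_user", f"{fam} run as {user}"))
            parent = basename(ev["parent_image"])
            if parent not in APPROVED_PARENTS:
                findings.append(Finding(host, "rmm_unexpected_parent", f"{fam} spawned by {parent}"))
        elif eid == 7045:  # new service installed
            fam = rmm_family(ev["service_name"] + " " + ev["image_path"])
            if fam and user not in APPROVED_DEPLOYERS:
                findings.append(Finding(host, "rmm_service_persistence", f"{fam} service {ev['service_name']}"))
        elif eid == 4698:  # scheduled task created; task_content is the task XML
            fam = rmm_family(ev["task_content"])
            if fam and user not in APPROVED_DEPLOYERS:
                findings.append(Finding(host, "rmm_task_persistence", f"{fam} task {ev['task_name']}"))
        elif eid == 22:  # DNS query
            q = ev["query"].lower()
            if any(q == d or q.endswith("." + d) for d in RMM_DOMAINS) and host not in sanctioned_hosts:
                findings.append(Finding(host, "rmm_traffic_unsanctioned_host", f"DNS query for {q}"))
    return findings


# Constructed sample telemetry: one sanctioned rollout, one phishing-driven install.
SAMPLE_EVENTS = [
    {"host": "WS-0400", "event_id": 1, "user": "CORP\\svc-sccm",
     "image": r"C:\Program Files\LogMeIn\x64\LogMeIn.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS-0400", "event_id": 22, "query": "app.logmein.com"},
    {"host": "WS-1022", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\LogMeIn.exe",
     "parent_image": r"C:\Users\jdoe\Downloads\GreenVelopeCard.exe"},
    {"host": "WS-1022", "event_id": 7045, "user": "CORP\\jdoe",
     "service_name": "GoToResolveAgent", "image_path": r"C:\ProgramData\GoTo\Resolve\agent.exe"},
    {"host": "WS-1022", "event_id": 4698, "user": "CORP\\jdoe",
     "task_name": r"\Microsoft\Windows\Updater",
     "task_content": r"<Exec><Command>C:\ProgramData\GoTo\Resolve\agent.exe</Command></Exec>"},
    {"host": "WS-1022", "event_id": 22, "query": "app.goto.com"},
    {"host": "WS-1022", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

The two-pass design matters: a DNS query to an RMM vendor is benign on a host where the deployment account installed the agent and suspicious everywhere else, so the traffic rule has to be conditioned on the install history rather than fired on the domain alone. In production the same rules belong in the SIEM's query language, with the allowlists fed from the software-deployment system instead of hard-coded.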
Threat Intelligence, Endpoint/Device Security
Trusted RMM tools weaponized for stealthy malware compromise
