Hackers Weaponize Trusted IT Tools for Full System Control

Malicious actors are weaponizing legitimate Remote Monitoring and Management (RMM) tools, turning trusted IT software into a means for unauthorized system access. This strategy represents a significant shift from traditional malware attacks, as it exploits programs like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to gain full remote control over a victim's computer, bypassing many conventional security measures because the software itself is not inherently malicious.

Modus operandi

The core of this attack methodology lies in social engineering, where attackers trick individuals into installing these legitimate RMM applications under false pretenses. Security researchers have noted a significant increase in telemetry for detections labeled RiskWare.MisusedLegit.GoToResolve, indicating a rise in this type of threat. The attackers employ various deceptive tactics, including using misleading filenames for the installers.

One common method involves sending phishing emails that appear legitimate. For instance, an email sent to a user in Portugal contained a link that, when hovered over, pointed to a file hosted on Dropbox. By using a legitimate file-hosting service like Dropbox and a trusted RMM tool, attackers increase the likelihood of bypassing security software that might otherwise flag suspicious links or attachments.

In other cases, attackers set up fraudulent websites that perfectly mimic the download pages of popular free utilities like Notepad++ and 7-Zip, tricking users into downloading the malicious RMM installer instead of the software they were seeking.

When a victim clicks the malicious link, it delivers an RMM installer that has been pre-configured with the attacker’s unique "CompanyId." This hardcoded identifier automatically links the victim's machine directly to the attacker’s control panel.

This setup allows the attacker to instantly spot and connect to the newly compromised system without the need for stolen credentials or the deployment of additional malware. Because RMM tools are designed to run with administrative privileges, and their network traffic is often allowed by firewalls and other security solutions, the malicious remote access blends in with normal IT administrative traffic, making it extremely difficult to detect.

Mitigation tips

To defend against this evolving threat, it is crucial to be vigilant about the source of all software downloads.

  • Download carefully: Always download software directly from the official developer's website or verified sources.
  • Verify before installing: Check file signatures and certificates before running any installer to ensure they are from a trusted publisher.
  • Question unexpected prompts: If you receive an unexpected prompt to update software, verify the notification through a separate, trusted channel, such as by visiting the official website directly.
  • Stay updated: Keep your operating system and all installed software up to date with the latest security patches.
  • Recognize social engineering: Learn to identify the deceptive tricks attackers use to push malicious downloads.
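The indicators described above (an RMM agent arriving under a Notepad++ or 7-Zip style filename, fetched from a file-sharing host, and the RiskWare.MisusedLegit.* endpoint label) can be turned into a simple triage rule for defenders. The script below is an added example, not code from the original post; its event fields, the approved-RMM list and the sample records are all constructed assumptions.

```python
# Added example: triage constructed software-install events for the RMM-abuse
# pattern described in the post. Field names, the APPROVED_RMM set and the
# sample records are assumptions, not real telemetry.
from dataclasses import dataclass

# RMM products named in the post; one appearing where it is not the
# organisation's sanctioned RMM deserves a look.
RMM_PRODUCTS = {"LogMeIn Resolve", "GoToResolve", "PDQ Connect"}
APPROVED_RMM = {"PDQ Connect"}                      # assumption: this org's RMM
LURE_NAMES = ("notepad++", "npp", "7-zip", "7z")    # utilities the fake sites mimic
FILE_HOSTS = ("dropbox.com",)                       # legitimate hosting seen in campaign

@dataclass
class InstallEvent:
    host: str
    file_name: str      # installer name the user ran
    product: str        # product name from the binary's version/signature metadata
    source_url: str     # where the browser downloaded it from
    av_label: str = ""  # endpoint-protection detection label, if any

def triage(ev: InstallEvent) -> list[str]:
    """Return the reasons an install looks like RMM abuse (empty list = benign)."""
    reasons = []
    name = ev.file_name.lower()
    if ev.product in RMM_PRODUCTS:
        if ev.product not in APPROVED_RMM:
            reasons.append("unapproved RMM agent installed")
        if any(l in name for l in LURE_NAMES):
            reasons.append("installer named like a free utility but is an RMM agent")
        if any(h in ev.source_url.lower() for h in FILE_HOSTS):
            reasons.append("RMM installer fetched from a file-sharing host")
    if "misusedlegit" in ev.av_label.lower():
        reasons.append(f"endpoint protection flagged {ev.av_label}")
    return reasons

# Constructed sample events (placeholder URLs, not real campaign links)
SAMPLE_EVENTS = [
    InstallEvent("ws-01", "npp.8.6.Installer.exe", "LogMeIn Resolve",
                 "https://www.dropbox.com/s/PLACEHOLDER/npp.8.6.Installer.exe",
                 "RiskWare.MisusedLegit.GoToResolve"),
    InstallEvent("ws-02", "7z2301-x64.exe", "7-Zip", "https://www.7-zip.org/a/7z2301-x64.exe"),
    InstallEvent("ws-03", "pdq-connect-agent.exe", "PDQ Connect", "https://intranet.example/it/"),
]

def run_triage(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each host with at least one finding to its list of reasons."""
    return {ev.host: triage(ev) for ev in events if triage(ev)}

if __name__ == "__main__":
    for host, reasons in run_triage().items():
        print(host, "->", "; ".join(reasons))
```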