Cyber Security News

Hackers Use RMM Tools to Maintain Persistence and Navigate Networks Undetected

Threat actors have increasingly been leveraging legitimate remote monitoring and management (RMM) software to infiltrate and navigate through networks undetected.

RMM tools, such as AnyDesk, Atera Agent, MeshAgent, NetSupport Manager, Quick Assist, ScreenConnect, Splashtop, and TeamViewer, are widely used by organizations for essential IT tasks like system updates, asset management, and endpoint troubleshooting.

However, their legitimate nature makes them difficult to flag as malicious, allowing hackers to exploit them for malicious purposes.

Exploitation Techniques

Hackers typically gain access to RMM software by compromising user credentials through social engineering tactics or by exploiting vulnerabilities in outdated software.

Once inside, they use these tools to map the network, identify valuable assets, and move laterally using harvested credentials.

This allows them to exfiltrate sensitive data, deploy ransomware, or launch further attacks.

To maintain persistence, attackers often install additional remote access tools (RATs) that serve as backups for remote desktop sessions or establish reverse connections to adversary-controlled servers.

In recent campaigns, threat actors have used RMM software to convincingly impersonate IT support personnel, tricking victims into installing remote access software under false pretenses.

For instance, the Black Basta ransomware group has been known to use spam attacks followed by impersonation calls to persuade victims to install RMM tools like AnyDesk or TeamViewer.

Once installed, these tools enable attackers to install additional malware or maintain persistent access to compromised systems.

query logic

Threat Hunting and Detection

According to Intel471 Report, detecting malicious use of RMM tools requires targeted threat hunting strategies.

Security teams can start by checking if unauthorized RMM applications are running on the network.

If RMM tools are allowed, investigators should look for abnormal execution locations, such as running from unusual directories rather than standard paths like AppData or Program Files.

Utilizing security incident and event management (SIEM) tools, endpoint detection and response (EDR) software, and logging aggregation platforms can help identify suspicious activity.

For example, a hunt package for detecting AnyDesk execution from abnormal folders can be used with tools like Splunk or Microsoft Sentinel to uncover potential malicious activity.

Once detected, further investigation can involve tracing network connections and monitoring for next-stage payloads.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

AI-Driven Fake Vulnerability Reports Flooding Bug Bounty Platforms

AI-generated bogus vulnerability reports, or "AI slop," are flooding bug bounty platforms, which is a…

2 minutes ago

Microsoft Bookings Vulnerability Allows Unauthorized Changes to Meeting Details

Security researchers have uncovered a significant vulnerability in Microsoft Bookings, the scheduling tool integrated with…

36 minutes ago

Nmap 7.96 Released with Enhanced Scanning Capabilities and Updated Libraries

The popular network mapping and security auditing tool Nmap has released version 7.96, featuring a…

1 hour ago

Cisco IOS XE Vulnerability Allows Attackers to Gain Elevated Privileges

Cisco has issued an urgent security advisory (ID: cisco-sa-iosxe-privesc-su7scvdp) following the discovery of multiple privilege…

1 hour ago

Cisco IOS, XE, and XR Vulnerability Allows Remote Device Reboots

 Cisco has issued an urgent security advisory (cisco-sa-twamp-kV4FHugn) warning of a critical vulnerability in its…

4 hours ago

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically designed…

5 hours ago