Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft, lateral movement, and installing additional malware. Notable RMM tools observed in campaigns include ScreenConnect, Fleetdeck, and Atera. The shift towards RMM usage coincides with law enforcement disruptions of major malware families and a decline in ransomware payments. Specific threat actors like TA583 and TA2725 have been observed incorporating RMMs into their attack strategies. Organizations are advised to restrict unauthorized RMM installations, implement network detections, and train users to identify suspicious activity. Author: AlienVault
Related Tags:
rmm
Bluetrait
Grandoreiro – S0531
Mispadu – S1122
Atera
Fleetdeck
T1036.002
email campaigns
T1102.002
Associated Indicators:
4C4E15513337DB5E0833133F587E0ED131D4EBB65BB9A3D6B62A868407AAE070
http://www.farrarscieng.com/re.php
https://safelink.vn/GESLx
http://45.155.249.215/xxx.zip
http://185.157.213.71:443
https://safelink.vn/OsDXr
https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1
https://kalika.bluetrait.io/api/
https://3650ffice.anticlouds.su/Fraud_Alert_black/