Attackers use portable executables of remote management software to great effect
Tricking users at targeted organizations into installing legitimate remote monitoring and management software has become a familiar pattern employed by financially motivated attackers.
After discovering the maliciously installed software on a system at one of the FCEB agencies, CISA searched for, and found, more similarly compromised systems at other agencies.
The goal is to get the recipient to call a specific phone number manned by the attackers, who then try to convince the target to install the remote management software.
"CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor's RMM server," the agency explained.
"Portable executables launch within the user's context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software's installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service."
In the campaign CISA uncovered, the actors used the RMM software to run a refund scam, but the same access could just as easily be used for other purposes.
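As a defender-side illustration of the point in the CISA quote above (a portable executable runs in the user's context with no installation, so installation-time controls never see it), here is an added example, not code from the article or from CISA, that sweeps constructed process-creation records for AnyDesk or ScreenConnect binaries executing from outside the normal Program Files install roots. The record format, the product-name markers and the sanctioned roots are assumptions to adapt to your own EDR or Sysmon telemetry.

```python
"""Flag RMM portable executables launched outside sanctioned install roots.
Added example, not article or CISA code; adapt the parser to your EDR export."""
from typing import List, NamedTuple

# Product-name fragments for the RMM tools named in the advisory (assumption).
RMM_MARKERS = ("anydesk", "screenconnect")
# Where an approved, admin-installed copy would normally live (assumption).
SANCTIONED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

Finding = NamedTuple("Finding", [("time", str), ("user", str), ("image", str), ("reason", str)])

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def is_rmm_image(image: str) -> bool:
    # Match on the file name only, so a renamed directory does not hide it.
    name = _norm(image).rsplit("\\", 1)[-1]
    return any(marker in name for marker in RMM_MARKERS)

def in_sanctioned_root(image: str) -> bool:
    # Installed copies live under Program Files; portable ones run from elsewhere.
    return _norm(image).startswith(SANCTIONED_ROOTS)

def analyze(lines: List[str]) -> List[Finding]:
    """One Finding per RMM launch; records are 'time|user|image_path|parent_image'."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        parts = line.split("|", 3)
        if line.startswith("#") or len(parts) != 4:
            continue  # comment, blank or malformed record: skip, don't crash
        time, user, image, parent = parts
        if not is_rmm_image(image) or in_sanctioned_root(image):
            continue
        # Service-launched copy outside Program Files: the advisory's "persistent access as a local user service" case.
        if _norm(parent).endswith("\\services.exe"):
            reason = "RMM binary running as a service from a non-standard path"
        else:
            reason = "portable RMM binary launched from a user-writable path"
        findings.append(Finding(time, user, image, reason))
    return findings

# Constructed sample process-creation records, not real telemetry.
SAMPLE_LOG = [
    "2023-01-10T14:02:11|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|C:\\Windows\\explorer.exe",
    "2023-01-10T14:05:40|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe|C:\\Windows\\explorer.exe",
    "2023-01-11T08:00:03|NT AUTHORITY\\SYSTEM|C:\\ProgramData\\rmm\\AnyDesk.exe|C:\\Windows\\System32\\services.exe",
    "2023-01-10T09:00:00|CORP\\svc_helpdesk|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe|C:\\Windows\\System32\\services.exe",
    "garbage line without delimiters",
]
```

Running `analyze(SAMPLE_LOG)` flags the two Downloads/Temp launches and the ProgramData copy started by services.exe, and leaves the Program Files install alone.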
News URL
https://www.helpnetsecurity.com/2023/01/26/attackers-remote-management-software/