Date: 03/18/2025
Severity: High
Summary
Threat actors are increasingly using legitimate Remote Monitoring and Management (RMM) tools as the initial access payload in email campaigns. RMM software is essential for IT administrators, but in attackers' hands it serves the same purpose as a remote access trojan (RAT): persistent, interactive control of the endpoint. In 2024 there was a rise in financially motivated email campaigns delivering RMM tools such as ScreenConnect, Fleetdeck, and Atera. Proofpoint data shows a shift away from NetSupport toward other RMMs, marking an evolution in attacker tactics.
Indicators of Compromise (IOC) List
Domains / URLs:
https://region-businesss-esignals.s3.us-east-1.amazonaws.com/region-businesss-esignals-46980.html
https://ssastatementshelpcenter.de/top/
https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1
retireafter5m.co
https://safelink.vn/OsDXr
https://safelink.vn/GESLx
http://www.farrarscieng.com/re.php
https://3650ffice.anticlouds.su/Fraud_Alert_black/
https://online.invoicesing.es/Bin/Statement.ClientSetup.exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=
https://online.invoicesing.es/Bin/Attachment.Client.exe?h=instance-w08c5r-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=c242c8a1-6914-4689-8deb-67789c4f3a34&i=&e=Support&y=Guest&r=
invoice007.zapto.org
instance-udm3tv-relay.screenconnect.com
https://kalika.bluetrait.io/api/
http://45.155.249.215/xxx.zip

IP Addresses:
109.71.247.168
185.157.213.71

Hashes (SHA-256):
b8fd2b4601b09aacd760fbede937232349bf90c23b35564ae538ed13313c7bd0
97b35a7673ae59585ad39d99e20d9028ac26bbccb50f2302516520f544fe637e
4c4e15513337db5e0833133f587e0ed131d4ebb65bb9a3d6b62a868407aae070
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs:
userdomainname like "http://www.farrarscieng.com/re.php" or url like "http://www.farrarscieng.com/re.php" or userdomainname like "https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1" or url like "https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1" or userdomainname like "https://3650ffice.anticlouds.su/Fraud_Alert_black/" or url like "https://3650ffice.anticlouds.su/Fraud_Alert_black/" or userdomainname like "https://kalika.bluetrait.io/api/" or url like "https://kalika.bluetrait.io/api/" or userdomainname like "retireafter5m.co" or url like "retireafter5m.co" or userdomainname like "http://45.155.249.215/xxx.zip" or url like "http://45.155.249.215/xxx.zip" or userdomainname like "https://region-businesss-esignals.s3.us-east-1.amazonaws.com/region-businesss-esignals-46980.html" or url like "https://region-businesss-esignals.s3.us-east-1.amazonaws.com/region-businesss-esignals-46980.html" or userdomainname like "https://ssastatementshelpcenter.de/top/" or url like "https://ssastatementshelpcenter.de/top/" or userdomainname like "https://safelink.vn/OsDXr" or url like "https://safelink.vn/OsDXr" or userdomainname like "https://safelink.vn/GESLx" or url like "https://safelink.vn/GESLx" or userdomainname like "https://online.invoicesing.es/Bin/Statement.ClientSetup.exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=" or url like "https://online.invoicesing.es/Bin/Statement.ClientSetup.exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=" or userdomainname like "https://online.invoicesing.es/Bin/Attachment.Client.exe?h=instance-w08c5r-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=c242c8a1-6914-4689-8deb-67789c4f3a34&i=&e=Support&y=Guest&r=" or url like "https://online.invoicesing.es/Bin/Attachment.Client.exe?h=instance-w08c5r-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=c242c8a1-6914-4689-8deb-67789c4f3a34&i=&e=Support&y=Guest&r=" or userdomainname like "invoice007.zapto.org" or url like "invoice007.zapto.org" or userdomainname like "instance-udm3tv-relay.screenconnect.com" or url like "instance-udm3tv-relay.screenconnect.com"

IP Addresses:
dstipaddress IN ("109.71.247.168","185.157.213.71") or ipaddress IN ("109.71.247.168","185.157.213.71") or publicipaddress IN ("109.71.247.168","185.157.213.71") or srcipaddress IN ("109.71.247.168","185.157.213.71")

Hashes (SHA-256):
sha256hash IN ("97b35a7673ae59585ad39d99e20d9028ac26bbccb50f2302516520f544fe637e","b8fd2b4601b09aacd760fbede937232349bf90c23b35564ae538ed13313c7bd0","4c4e15513337db5e0833133f587e0ed131d4ebb65bb9a3d6b62a868407aae070")
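The queries above match each listed URL literally, so a download of a differently named installer from the same host would not fire. As an added example (not Gurucul's query engine and not code from the advisory), the Python below reduces the URL indicators to hosts, pulls the ScreenConnect relay host out of the installer URL's h= parameter, treats an IP that appears as a URL host as an IP indicator as well, and runs the result over constructed key=value proxy and endpoint log lines. The log format, the field names (src, dst, url, sha256) and the sample lines are assumptions made for this illustration; the indicator values are the ones listed on this page.

```python
"""Match constructed sample log lines against the advisory's IOC list.

Added example, not Gurucul's TDIR engine: the key=value log format, the
field names (src, dst, url, sha256) and the sample lines are assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Domain/URL, IP and hash indicators copied from the advisory above.
IOC_URLS = [
    "https://region-businesss-esignals.s3.us-east-1.amazonaws.com/region-businesss-esignals-46980.html",
    "https://ssastatementshelpcenter.de/top/",
    "https://retireafter5m.co/Bin/Recently_S_S_A_eStatementForum_Viewr5406991387785667481_Pdf.Client.exe?e=Access&y=Guest&s=1fa76235-0891-43b3-9773-feba750a3852&i=Buss1",
    "retireafter5m.co",
    "https://safelink.vn/OsDXr",
    "https://safelink.vn/GESLx",
    "http://www.farrarscieng.com/re.php",
    "https://3650ffice.anticlouds.su/Fraud_Alert_black/",
    "https://online.invoicesing.es/Bin/Statement.ClientSetup.exe?e=Access&y=Guest&c=Black_Cat&c=&c=&c=&c=&c=&c=&c=",
    "https://online.invoicesing.es/Bin/Attachment.Client.exe?h=instance-w08c5r-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBtb%2FXciCJO5hHyAR3NG5qwkHgKE4K5jxeGBs35Nlncjh1l6g%2B23I88rvlqmL%2FU%2BHDK35q63nY%2BZ%2BacGdqbEGbCs9%2BC5ELjJTyrUFEL0gVqegeArzyszYoIS4ijuI8mGGKzW9tytW5tQhqCPuQeWdSbe0f0ttBWIUk6MfP0L7WpImwpbDzvxtmyMWSxZ8JZg39F6e1w8cQHzLH0aqJX9uvQgIvogbJB0mFXWURVi9ErahW%2BwkXWptsr99acbACeWvHhej11zT9ZPHMMaluuXTiYnS06xPJTJZglT5hvMbl15uReewBWhhwiEVa2S%2BD%2BCQEQGLsz1dpJNd543dQllUPh&s=c242c8a1-6914-4689-8deb-67789c4f3a34&i=&e=Support&y=Guest&r=",
    "invoice007.zapto.org",
    "instance-udm3tv-relay.screenconnect.com",
    "https://kalika.bluetrait.io/api/",
    "http://45.155.249.215/xxx.zip",
]
IOC_IPS_LISTED = {"109.71.247.168", "185.157.213.71"}
IOC_SHA256 = {
    "b8fd2b4601b09aacd760fbede937232349bf90c23b35564ae538ed13313c7bd0",
    "97b35a7673ae59585ad39d99e20d9028ac26bbccb50f2302516520f544fe637e",
    "4c4e15513337db5e0833133f587e0ed131d4ebb65bb9a3d6b62a868407aae070",
}


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ioc_hosts(urls):
    """Reduce URL/domain indicators to hostnames so a request to the same host
    with a different path or query string still matches. The ScreenConnect
    installer URL above embeds its relay host in the h= parameter, so that
    host is extracted as an indicator of its own."""
    hosts = set()
    for u in urls:
        if "://" not in u:          # bare domain indicator
            hosts.add(u.lower())
            continue
        parts = urlsplit(u)
        if parts.hostname:
            hosts.add(parts.hostname.lower())
        for relay in parse_qs(parts.query).get("h", []):
            hosts.add(relay.lower())
    return hosts


IOC_HOSTS = ioc_hosts(IOC_URLS)
# A URL indicator whose host is a bare IP literal also counts as an IP indicator.
IOC_IPS = IOC_IPS_LISTED | {h for h in IOC_HOSTS if is_ip(h)}

KV = re.compile(r"(\w+)=(\S+)")   # assumed key=value log format


def match_line(line, hosts=IOC_HOSTS, ips=IOC_IPS, hashes=IOC_SHA256):
    """Return [(indicator_type, value), ...] for one key=value log line."""
    fields = dict(KV.findall(line))
    hits = []
    url = fields.get("url")
    if url:
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append(("host", host))
    for key in ("src", "dst"):
        if fields.get(key) in ips:
            hits.append(("ip", fields[key]))
    sha = fields.get("sha256", "").lower()
    if sha in hashes:
        hits.append(("sha256", sha))
    return hits


def scan(lines):
    """(1-based line number, hits) for every line that matches an indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_line(line))]


# Constructed sample proxy and endpoint log lines; not taken from any real incident.
SAMPLE_LOGS = [
    "2025-03-18T09:12:01Z src=10.20.0.14 dst=185.157.213.71 url=https://ssastatementshelpcenter.de/top/",
    "2025-03-18T09:12:09Z src=10.20.0.14 dst=203.0.113.9 url=https://retireafter5m.co/Bin/Other_Viewer.Client.exe?e=Access&y=Guest",
    "2025-03-18T09:13:40Z src=10.20.0.31 dst=198.51.100.4 url=https://instance-w08c5r-relay.screenconnect.com:443/",
    "2025-03-18T09:14:02Z src=10.20.0.31 dst=45.155.249.215 url=http://45.155.249.215/xxx.zip",
    "2025-03-18T09:15:11Z src=10.20.0.77 dst=203.0.113.50 url=https://www.example.com/",
    "2025-03-18T09:16:30Z host=WS-0142 sha256=B8FD2B4601B09AACD760FBEDE937232349BF90C23B35564AE538ED13313C7BD0 process=Attachment.Client.exe",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

Host-level matching is deliberately broader than the `like` on a full URL used in the queries: the second sample line fetches a differently named file from retireafter5m.co and still fires, and the third line reaches the relay host that only appears inside the installer URL's query string. Two caveats: where a listed host belongs to a shared service rather than an attacker-controlled domain, keep the full path in the match instead of the bare host; and screenconnect.com itself is the vendor's domain, so only the specific relay instances listed here are indicators, not the domain as a whole.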
Reference:
https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice