Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have recently unveiled a sophisticated attack campaign that exploits legitimate Remote Monitoring and Management (RMM) tools to deploy backdoor malware on unsuspecting users’ systems. This alarming trend sees trusted administrative tools, such as LogMeIn Resolve (GoTo Resolve) and PDQ Connect, being transformed into instruments of data theft and remote system compromise.
The initial infection vector has not been fully determined; however, ASEC researchers have found that attackers lure victims through convincingly crafted fake websites. These deceptive portals masquerade as download sites for popular legitimate software, imitating the official download pages of widely used utilities such as Notepad++, 7-Zip, WinRAR, VLC Media Player, and even ChatGPT. In reality, these sites deliver a modified version of LogMeIn Resolve, posing a significant threat to users.
The malicious installers are cleverly disguised under various filenames that appear legitimate, including “notepad++.exe,” “7-zip.exe,” “winrar.exe,” “chatgpt.exe,” “OpenAI.exe,” and even “windows12_installer.exe.” When users inadvertently download and execute these files, they unknowingly install both the RMM tool and additional malware capable of stealing sensitive information.
Weaponizing Legitimate Remote Access
LogMeIn Resolve is a legitimate RMM solution designed for IT professionals, providing remote support, patch management, and system monitoring. However, the same capabilities make it appealing to cybercriminals seeking to circumvent traditional security defenses. Unlike conventional malware, RMM tools often evade detection by antivirus software and firewalls because they are legitimate administrative software whose activity looks like routine IT management.
The key to identifying these threat actors lies in LogMeIn Resolve’s configuration file, specifically the “CompanyId” field, which holds the unique identifier of the administrator account that created the installation package. ASEC has pinpointed three distinct CompanyId values used in the Korean attack campaigns: 8347338797131280000, 1995653637248070000, and 4586548334491120000. Once the tool is installed, attackers can use LogMeIn’s infrastructure to execute PowerShell commands remotely and deploy additional malware payloads.
PDQ Connect Joins the Arsenal
In addition to LogMeIn Resolve, threat actors have also weaponized PDQ Connect, another legitimate RMM tool that provides software distribution, patch management, and remote control capabilities. Similar to the LogMeIn attacks, PDQ Connect has been exploited to execute PowerShell commands that ultimately lead to the installation of PatoRAT, a sophisticated backdoor malware.
The primary objective of these attacks is the installation of PatoRAT, a Delphi-developed backdoor with extensive data exfiltration and remote control capabilities. Researchers have noted Portuguese-language strings within the malware’s code, hinting at possible Brazilian origins. PatoRAT’s configuration data is obfuscated with a single-byte XOR (key 0xAA) and stored in the executable’s resource section. Upon execution, PatoRAT gathers comprehensive system information, including CPU details, computer name, operating system version, memory usage, active windows, screen resolutions, and user privileges, before transmitting this data to its command-and-control servers.
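The two triage steps the article implies, decoding the XOR-obfuscated PatoRAT configuration and checking a LogMeIn Resolve configuration for the campaign CompanyId values, as an added example that is not part of the ASEC report. The sample config blob and the JSON-style CompanyId field are constructed for illustration (the article does not describe either file’s layout), and the key-recovery function generalizes beyond the fixed 0xAA key by scoring all 256 candidates:

```python
import re
from string import ascii_letters, digits

# Constructed sample: a fake config string XOR-encoded with 0xAA, standing in
# for the resource-section blob the article describes. Contains every letter
# plus digits so that single-byte key recovery has a unique best answer.
PLAIN_CONFIG = b"host=c2.example.invalid;port=4433;note=the quick brown fox jumps over the lazy dog"
ENCODED_CONFIG = bytes(b ^ 0xAA for b in PLAIN_CONFIG)

# CompanyId values ASEC reported for the Korean campaigns.
KNOWN_COMPANY_IDS = {"8347338797131280000", "1995653637248070000", "4586548334491120000"}

# Bytes we expect in a decoded text configuration (letters, digits, common separators).
_TEXT_BYTES = set((ascii_letters + digits + " .:=;,/_-").encode())


def xor_decode(data: bytes, key: int = 0xAA) -> bytes:
    """Undo the 1-byte XOR layer; key 0xAA is the value reported for PatoRAT."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that look like configuration text."""
    return sum(b in _TEXT_BYTES for b in data) / len(data) if data else 0.0


def recover_xor_key(data: bytes) -> int:
    """Brute-force all 256 single-byte keys and return the one whose output
    looks most like text. Use it to confirm (or refute) the 0xAA key on a
    sample before trusting a hard-coded decoder."""
    return max(range(256), key=lambda k: text_score(xor_decode(data, k)))


def find_known_company_ids(config_text: str) -> set[str]:
    """Return CompanyId values in a LogMeIn Resolve config that match the
    campaign identifiers. Assumes the field appears as CompanyId followed by
    ':' or '=' and a numeric value, optionally quoted (an assumption, since
    the article does not give the file format)."""
    found = set(re.findall(r'CompanyId"?\s*[:=]\s*"?(\d+)', config_text))
    return found & KNOWN_COMPANY_IDS


# Constructed sample configs: one carrying a campaign CompanyId, one benign.
SUSPECT_CONFIG = '{"CompanyId": "8347338797131280000"}'
BENIGN_CONFIG = '{"CompanyId": "1234567890123456789"}'

if __name__ == "__main__":
    print("recovered key: 0x%02X" % recover_xor_key(ENCODED_CONFIG))
    print("decoded:", xor_decode(ENCODED_CONFIG).decode())
    print("suspect config hits:", find_known_company_ids(SUSPECT_CONFIG))
```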
The malware offers a wide array of malicious functions, including mouse control, keylogging, screen capture, browser credential theft, remote desktop access via HVNC (hidden VNC), PowerShell command execution, and clipboard manipulation. It can also install localtonet, presumably for port forwarding, and supports a plugin architecture for extended functionality.
To safeguard against these threats, users are advised to download software exclusively from official vendor websites and to verify digital signatures and version information prior to installation. Organizations should ensure their operating systems and security solutions are up-to-date, monitor for unauthorized RMM tool installations, and implement network-level controls to detect suspicious remote access activities. Security teams should remain vigilant for the identified CompanyId values and PatoRAT indicators of compromise within their environments to facilitate early detection of potential infections.