Initial Access Brokers Are Targeting Brazilian Executives via NF-e Spam and Legitimate RMM Trials


May 9, 2025Ravi LakshmananMalware/Email Security

Cybersecurity researchers are warning of a new campaign that has, since January 2025, targeted Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software.

“The spam messages use NF-e, the Brazilian electronic invoice system, as a lure to tempt users into clicking hyperlinks and accessing malicious content hosted on Dropbox,” Cisco Talos researcher Guilherme Venere said in a report Thursday.

The attack chain starts with specially crafted spam emails that claim to come from financial institutions or mobile phone carriers and warn of overdue invoices or outstanding payments, in order to get the recipient to click a bogus Dropbox link that points to a binary installer for the RMM tool.

Two notable RMM tools observed are N-able RMM Remote Access and PDQ Connect. Both allow an attacker to read and write files on the remote file system.

In some cases, threat actors use the remote capabilities of these agents to download and install additional RMM software, such as ScreenConnect, after the initial compromise.

Based on the recipients observed, the campaign primarily targets C-level executives and financial and human resources accounts across several industries, including some educational and government agencies.

The activity has also been assessed with confidence to be the work of an initial access broker (IAB) who is abusing the free trial periods associated with various RMM programs to gain unauthorized access. N-able has since taken steps to disable the affected trial accounts.
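The delivery chain described above (invoice-themed lure, Dropbox-hosted link, installer download) can be expressed as a mail-triage rule. This is an added example, not code from the article or from Cisco Talos; the lure terms, extension list, verdict names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed Portuguese invoice/payment vocabulary; tune to your own mail flow.
LURE_RE = re.compile(
    r"\b(nf-?e|nota fiscal|fatura|boleto|pagamento pendente|vencid[ao])\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
DROPBOX_DOMAINS = ("dropbox.com", "dropboxusercontent.com")
INSTALLER_EXTS = (".exe", ".msi")  # assumed installer types

def is_dropbox(host):
    """True only for the Dropbox domains and their subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)

def triage(subject, body):
    """Return (verdict, reasons) for one message."""
    reasons = set()
    if LURE_RE.search(subject + "\n" + body):
        reasons.add("invoice-lure")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if not is_dropbox(parsed.hostname):
            continue  # other hosts are left to other rules
        reasons.add("dropbox-link")
        # The query string (?dl=1 etc.) is not part of parsed.path.
        if parsed.path.lower().endswith(INSTALLER_EXTS):
            reasons.add("installer-download")
    if {"invoice-lure", "installer-download"} <= reasons:
        verdict = "quarantine"   # full chain as reported
    elif "dropbox-link" in reasons and len(reasons) > 1:
        verdict = "review"       # partial match, needs an analyst
    else:
        verdict = "pass"
    return verdict, sorted(reasons)

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    ("NF-e 000123 em atraso",
     "Sua fatura esta vencida: "
     "https://www.dropbox.com/scl/fi/abc123/NFe_000123.exe?rlkey=x&dl=1"),
    ("Fatura de abril",
     "Segue a fatura: https://www.dropbox.com/s/abc/fatura.pdf?dl=0"),
    ("Weekly notes", "Agenda: https://www.dropbox.com/s/xyz/agenda.docx"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", triage(subject, body))
```

Because the RMM installers are legitimately signed, a rule like this belongs alongside an allowlist of the RMM products the organization actually uses, not in place of one.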


“In recent years, the abuse of commercial RMM tools by adversaries has been steadily increasing,” Venere said. “These tools are usually digitally signed by recognized entities and are fully functional backdoors, making them interesting for threat actors.”

“They also cost little or nothing in software or infrastructure, because all of this is provided by the trial applications.”

This development comes amid the emergence of a variety of phishing campaigns designed to evade modern defenses, spread a wide range of malware families, or harvest victims' credentials:

  • A campaign run by a South American cybercrime group called Hive0148 that distributes the Grandoreiro banking trojan to users in Mexico and Costa Rica.
  • A campaign that employs a legitimate file-sharing service called GetShared to bypass security protections and direct users to links that host malware.
  • A campaign that uses sales order-themed lures to deliver the Formbook malware by exploiting a flaw in Equation Editor (CVE-2017-11882).
  • A themed campaign against targeted organizations that deploys a Java-based remote access trojan named Ratty RAT, which can run remote commands, record keystrokes, capture screenshots, and steal sensitive data.
  • Campaigns that use encoded JavaScript in SVG files, booby-trapped links in PDF attachments, dynamic phishing URLs rendered at runtime in OneDrive-hosted files, and archived MHT payloads in OpenXML structures.
  • Campaigns that make use of Cloudflare.

“Attackers continuously evolve their tactics to bypass modern email and endpoint security solutions, making it increasingly difficult to detect and mitigate phishing attempts,” Intezer researcher Yuval Guri said last month. “And despite advances in cybersecurity tools, many phishing campaigns are still successful in reaching users’ inboxes.”
