In recent years, cybercriminals have increasingly exploited Remote Monitoring and Management (RMM) tools to gain unauthorized access to corporate systems. These tools, originally designed to assist IT departments in managing systems remotely, have become a favored entry point for malicious activity. According to a report by CrowdStrike, from June 2023 to June 2024, there was a staggering 70% year-over-year increase in the abuse of these tools by cybercriminals. ([softwarecurated.com](https://softwarecurated.com/testing-and-security/rise-in-cyber-attacks-using-legitimate-rmm-tools-demands-new-defense/?utm_source=openai))
The Dual-RMM Strategy
A particularly concerning development is the adoption of a dual-RMM strategy by attackers. By deploying multiple RMM tools simultaneously, such as Atera and Splashtop Streamer, threat actors ensure continued access even if one tool is discovered and removed by security teams. This redundancy represents a significant evolution in attack methodology, prioritizing persistent access over stealth.
Phishing as the Initial Vector
The attack typically begins with a carefully crafted phishing email sent from compromised Microsoft 365 accounts. These messages impersonate Microsoft OneDrive notifications, complete with authentic-looking Word document icons and privacy footers to establish legitimacy. The emails contain malicious links hosted on trusted platforms like Discord’s Content Delivery Network (cdn.discordapp.com), exploiting the platform’s reputation to bypass initial security filters.
Infection Mechanism and Payload Deployment
The infection mechanism relies on file extension manipulation for evasion. Victims receive a link to what appears to be a `.docx` document, but it actually downloads a file named `Scan_Document_xlsx.docx.msi`. This double extension exploits user expectations while hiding the executable nature of the payload: Windows Explorer hides known file extensions by default, so the file displays as `Scan_Document_xlsx.docx`. Upon execution, the malicious MSI package initiates a multi-stage installation. The Atera Agent installs through an attended process that requires user interaction, producing visible installation dialogs that appear legitimate. Simultaneously, two silent installations run in the background: Splashtop Streamer and Microsoft .NET Runtime 8. Both components download directly from their respective legitimate sources, generating network traffic that looks entirely benign to security monitoring systems.
The Appeal of RMM Tools to Cybercriminals
RMM tools offer several advantages to attackers. They save the attackers from having to create custom malware, can bypass administrative requirements and software control policies when downloaded as self-contained executables, and usually don’t get blocked by anti-malware or antivirus products. This makes them an attractive option for cybercriminals seeking to infiltrate systems without raising immediate suspicion. ([crn.com](https://www.crn.com/news/security/us-cybersecurity-agency-warns-about-attacks-using-rmm-tools?utm_source=openai))
Mitigation Strategies
To combat this emerging threat, organizations should focus on endpoint hardening and reducing their attack surface. Implementing application control measures, such as Windows Defender Application Control (WDAC) or AppLocker, can act as a primary line of defense against these attacks by preventing unauthorized applications from running. Regular monitoring of RMM activity for any suspicious behavior and ensuring that all software is kept up to date with the latest security patches are also crucial steps in mitigating the risk posed by the malicious use of RMM tools. ([csoonline.com](https://www.csoonline.com/article/3487743/attackers-increasingly-using-legitimate-remote-management-tools-to-hack-enterprises.html?utm_source=openai))
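Monitoring RMM activity for the pattern described in this article can be automated. The following Python is an added example, not code from the article or from any vendor: it flags hosts where two distinct RMM agents are installed within a short window (the dual-RMM pattern) and flags double-extension filenames like the one used in the campaign. The log line format, the RMM product-name fragments and the sample events are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Product-name fragments that identify RMM agents (assumed; extend for your estate).
RMM_PRODUCTS = {"atera": "Atera Agent", "splashtop": "Splashtop Streamer"}
DOC_EXTS = {".docx", ".doc", ".xlsx", ".xls", ".pdf", ".txt"}
EXEC_EXTS = {".msi", ".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".hta"}
# Assumed log format: <ISO timestamp> host=<name> event=msi_installed product="<name>"
EVENT_RE = re.compile(r'^(\S+) host=(\S+) event=msi_installed product="([^"]*)"')

def double_extension(filename: str) -> bool:
    """True for names shaped like <stem>.<document ext>.<executable ext>,
    e.g. Scan_Document_xlsx.docx.msi, which Explorer displays as a .docx."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DOC_EXTS and "." + parts[2] in EXEC_EXTS

def dual_rmm_hosts(lines, window=timedelta(minutes=10)):
    """Return {host: [rmm names]} for hosts where two or more distinct RMM
    agents were installed within `window` of each other."""
    seen = defaultdict(list)  # host -> [(timestamp, rmm name)]
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an MSI install event
        ts, host, product = m.group(1), m.group(2), m.group(3).lower()
        for fragment, name in RMM_PRODUCTS.items():
            if fragment in product:
                seen[host].append((datetime.fromisoformat(ts), name))
    flagged = {}
    for host, installs in seen.items():
        installs.sort()
        for i, (t0, _) in enumerate(installs):
            names = {n for t, n in installs[i:] if t - t0 <= window}
            if len(names) >= 2:
                flagged[host] = sorted(names)
                break
    return flagged

# Constructed sample events: WS-17 shows the attended Atera install followed by
# the silent Splashtop and .NET installs; WS-22 and WS-09 are benign controls.
SAMPLE_LOG = [
    '2025-03-04T10:15:02 host=WS-17 event=msi_installed product="Atera Agent"',
    '2025-03-04T10:15:40 host=WS-17 event=msi_installed product="Splashtop Streamer"',
    '2025-03-04T10:16:05 host=WS-17 event=msi_installed product="Microsoft .NET Runtime 8 (x64)"',
    '2025-03-04T11:02:11 host=WS-22 event=msi_installed product="Splashtop Streamer"',
    '2025-03-04T09:00:00 host=WS-09 event=msi_installed product="Atera Agent"',
    '2025-03-04T14:30:00 host=WS-09 event=msi_installed product="Splashtop Streamer"',
]
```

A single sanctioned RMM agent (WS-22) or two installs hours apart (WS-09) are not flagged; tune the window and the product list to what is actually authorized in your environment.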
Conclusion
The exploitation of legitimate RMM tools by cybercriminals underscores the need for heightened vigilance and robust security measures. By understanding the tactics employed by attackers and implementing comprehensive defense strategies, organizations can better protect themselves against this evolving threat landscape.