- Proofpoint uncovered fake RMM tool “TrustConnect” built as cover for RAT malware
- Criminals created website, paid for certificate, tricking firms into $300/month subscriptions
- Tool gave attackers full remote control; linked to Redline infostealer customer
A group of cybercriminals went to great lengths to infect businesses with a remote access trojan (RAT), setting up an entire company, vibe-coding a website, and paying thousands for a legitimate certificate.
In its report, Proofpoint said it was fairly common for cybercriminals to use legitimate remote monitoring and management (RMM) tools in their tech stack. They would trick their victims into installing their tool of choice and sharing login credentials which would enable them to deploy all sorts of stage-two malware, including infostealers, remote access trojans, or ransomware.
However, what researchers haven’t seen before is criminals building an entirely new product, website and all, that looks legitimate on the surface, but is actually completely malicious. Yet that is exactly what TrustConnect is.
Subscribing for a RAT
“Initially, TrustConnect appeared to be another legitimate RMM tool being abused,” Proofpoint explained.
“Given the sheer number of existing remote administration tools available for threat actors to choose from, and their prevalence in the threat landscape, it could have made sense.”
The crooks built a .com website, and applied for a certificate, paying “thousands of dollars” and going through “additional levels of validation on behalf of the domain holder”. The certificate was revoked on February 6, but any files signed before that date remain valid, it was said.
Companies that don’t spot the trick will actually end up paying $300 a month to use the RMM. What they’re getting instead is a RAT backdoor that grants the attackers full mouse and keyboard controls, as well as the ability to record and stream whatever is on the victim’s screen. Furthermore, the tool provides all the usual RMM features such as file transfer, command execution, or user account control bypass.
While it is impossible to know for certain, Proofpoint said it was “moderately confident” that TrustConnect was developed by a VIP customer of Redline, a popular infostealer.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-2560-80.jpg
Source link
