Cybercriminals are increasingly exploiting Remote Monitoring and Management (RMM) software to gain unauthorized access to corporate systems, with a sophisticated new attack campaign demonstrating how legitimate IT tools can become powerful weapons in the wrong hands.<\/p>\n
This emerging threat leverages the inherent trust placed in RMM solutions<\/a>, transforming essential administrative software into conduits for data theft and potential ransomware deployment.<\/p>\n The latest attack campaign employs a dual-RMM strategy that significantly enhances attacker persistence and control.<\/p>\n By deploying both Atera and Splashtop Streamer simultaneously, threat actors ensure continued access even if one RMM tool is discovered and removed by security teams.<\/p>\n This redundancy represents a concerning evolution in attack methodology, where cybercriminals prioritize maintaining long-term access over stealth.<\/p>\n The attack begins with a carefully crafted phishing email<\/a> sent from compromised Microsoft 365 accounts to undisclosed recipient lists.<\/p>\n These messages impersonate Microsoft OneDrive notifications, complete with authentic-looking Word document icons and privacy footers to establish legitimacy.<\/p>\n The emails contain malicious links hosted on Discord\u2019s Content Delivery Network (cdn.discordapp.com), exploiting the platform\u2019s reputation as a trusted service to bypass initial security filters.<\/p>\n Sublime Security researchers identified<\/a> this campaign through their AI-powered detection engine, which flagged multiple suspicious indicators including file extension manipulation and OneDrive impersonation tactics.<\/p>\n The researchers noted that the attack represents a significant escalation in RMM abuse, particularly due to its multi-tool approach and sophisticated social engineering components.<\/p>\n The attack\u2019s infection mechanism demonstrates advanced evasion techniques through file extension manipulation.<\/p>\n Victims receive links to what appears to be a This double extension technique exploits user expectations while hiding the executable nature of the payload.<\/p>\n Upon execution, the malicious MSI package<\/a> initiates a multi-stage installation process. The Atera Agent installs through an attended process that requires user interaction, creating visible installation dialogs that appear legitimate.<\/p>\n Simultaneously, two silent installations occur in the background: Splashtop Streamer and Microsoft .NET Runtime 8.<\/p>\n These components download directly from their respective legitimate sources, generating network traffic that appears entirely benign to security monitoring systems.<\/p>\n The attack\u2019s sophistication lies in its use of legitimate infrastructure for payload delivery. By downloading RMM components from official vendor websites rather than suspicious domains, the malware evades signature-based detection systems and network monitoring tools that typically flag downloads from known malicious sources.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post Threat Actors Weaponizing RMM Tools to Take Control of The Machine and Steal Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhBXk6zZ0Bkhb1mt1Eqm0KJFYnc2ZDvuFGOQ8k0jBkxxH0S_gz8R0GG8Sp1H0-ijT01PxgNVx4hhVp9psJg0-srrT1nUBq6-ABIlPNPOEaU981FdYyaivWPoso7ZeAO_8ukbzEGwp2xqkE6w31GRvnQAj1dmsO9XGxs0WdFh6_uvLOr5BvcdNhL1AesLtA\/s16000\/Malicious%2520email%2520with%2520malicious%2520attachments%2520%28Source%2520-%2520Sublime%2520Security%29.webp?ssl=1\")
Infection Mechanism and Payload Deployment<\/strong><\/h2>\n
.docx<\/code> document but actually downloads a file named Scan_Document_xlsx.docx.msi<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh98KqDbos6tXQKFW7XvpWQEZ01MliZU9jrLWAsCMijBeAeiKlmzKb_J5K1SU_VWv0NKF3Nlidx3i_zC7v7TyepGzjqzkg_kAQjEJ6f55oWtxMRi-hqKoUNxo7AxG75vusjoelNeTJ_Fg_Wn3Wl5TT3HXlX1RPOjhYrZeRz2qeiEUELmi58tPgd1GfSyCA\/s16000\/Atera%2520%28Source%2520-%2520Sublime%2520Security%29.webp?ssl=1\")