
Phishing Campaigns Deliver RMM Tools: Red Canary & Zscaler Research

N2K Networks · November 22, 2025 · 24 min

Understanding Remote Monitoring and Management (RMM) Tools

  • 💡 RMM tools are legitimate software that gives administrators remote access to and control over endpoints; IT teams rely on them for routine work such as patching, software deployment and remote support.
  • ⚠️ Adversaries abuse these same tools by impersonating IT departments or vendors in phishing lures to get a victim to install one; once installed, the agent gives the attacker persistent remote access and a foothold for lateral movement within the network.

Exploitation Tactics: Phishing Lures and Trusted Resources

  • 🎯 Attackers use four primary phishing lures: fake browser updates, meeting invitations, party invitations, and fake government forms.
  • ☁️ Legitimate remote monitoring and management tools (e.g., ITarian, PDQ, SimpleHelp, Atera) are packaged into MSI files and hosted on trusted resources like GitHub, Cloudflare R2, and file-sharing solutions.
  • 🎭 Threat actors give the installers innocuous, lure-matching file names (e.g., W9_2025.msi for the fake government-form lure) so they blend in with expected downloads, which makes detection by file name alone unreliable.

Detection Challenges and Defense Strategies

  • 🔍 The core detection challenge is that RMM tools are legitimate, signed software that is often already allow-listed by security products, so malicious use looks like normal administration.
  • 🛡️ Organizations should limit the RMM tools permitted in their environment to the few that IT actually uses, enforced through strict allowlisting (whitelisting), so that any other RMM agent is anomalous by definition.
  • ⚠️ Key indicators of misuse include RMM installers carrying renamed or lure-themed file names, installers executed from non-standard directories (for example a user's Downloads folder rather than a deployment share), and RMM agents making network connections the organization does not expect.
  • 📚 User education helps but is not a complete solution; robust preventive controls and detection coverage for RMM activity are essential.

The Persistence and Evolution of RMM-Based Attacks

  • 🚀 Adversaries deploy multiple RMM tools in sequence on the same host so that their access survives if one tool is detected and removed.
  • 📈 With over 160 RMM tools tracked, and installers hosted on widely trusted infrastructure, blanket blocking is impractical without disrupting legitimate internet use.
  • ❓ The sophistication of the threat actors varies, but their effective use of these legitimate tools makes both detection and attribution difficult.
  • 💰 The current working theory is that these campaigns are sold as a service, which would explain their scale and their consistent effectiveness.
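The following Python is an added example, not code from the Red Canary and Zscaler research or from the N2K segment, showing how the indicators above (an allowlist of sanctioned RMM products, renamed installers such as W9_2025.msi, installs from user-writable directories, and several different RMM tools landing on one host in sequence) can be turned into detection logic. The event fields, the four-entry RMM catalogue, the single sanctioned product, the 24-hour window and the sample events are all constructed assumptions for illustration; a real deployment would feed it MSI installer or process-creation telemetry and a far larger product catalogue.

```python
"""Flag suspicious RMM installer activity in constructed MSI install events.

Added example: the event schema, the RMM catalogue, the allowlist and the
sample events below are assumptions made for illustration, not data from
the Red Canary/Zscaler research.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed catalogue of RMM product names, matched case-insensitively
# against the MSI ProductName. The research tracks 160+; four are listed here.
RMM_PRODUCTS = {"itarian", "pdq", "simplehelp", "atera"}

# Hypothetical organisation policy: the only RMM product IT is allowed to run.
ALLOWED_RMM = {"atera"}

# Path components a sanctioned deployment would not normally run from.
USER_WRITABLE = ("downloads", "temp", "appdata")

# Window in which a second, different RMM install on the same host is
# treated as an adversary layering access (assumed value).
SEQUENTIAL_WINDOW = timedelta(hours=24)


def rmm_product(product_name):
    """Return the catalogue entry found in the MSI ProductName, else None."""
    name = product_name.lower()
    return next((p for p in RMM_PRODUCTS if p in name), None)


def analyze(events):
    """Return (host, rule, detail) findings for a list of MSI install events.

    Each event is a dict with keys: time (ISO 8601), host, user,
    file (full path of the .msi) and product (MSI ProductName).
    """
    findings = []
    per_host = defaultdict(list)  # host -> [(product, install time), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        prod = rmm_product(ev["product"])
        if prod is None:
            continue  # not an RMM tool; out of scope for these rules
        path = PureWindowsPath(ev["file"])
        host = ev["host"]
        when = datetime.fromisoformat(ev["time"])

        # Rule 1: any RMM product outside the allowlist is anomalous.
        if prod not in ALLOWED_RMM:
            findings.append((host, "unsanctioned_rmm", f"{prod} installed from {path}"))
        # Rule 2: masquerade, the file name hides the product it installs
        # (e.g. W9_2025.msi actually carrying ITarian).
        if prod not in path.stem.lower():
            findings.append((host, "renamed_installer", f"{path.name} is actually {prod}"))
        # Rule 3: installer launched from a user-writable location rather
        # than a deployment share.
        if any(part.lower() in USER_WRITABLE for part in path.parts):
            findings.append((host, "user_dir_install", str(path)))
        # Rule 4: a second, different RMM product on the same host within the
        # window, the sequential deployment pattern used to keep access.
        for prev_prod, prev_when in per_host[host]:
            if prev_prod != prod and when - prev_when <= SEQUENTIAL_WINDOW:
                findings.append((host, "sequential_rmm", f"{prev_prod} then {prod}"))
                break
        per_host[host].append((prod, when))
    return findings


# Constructed sample telemetry: one phished workstation and one clean one.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T09:12:00", "host": "WS-104", "user": "jdoe",
     "file": r"C:\Users\jdoe\Downloads\W9_2025.msi",
     "product": "ITarian Endpoint Manager"},
    {"time": "2025-11-03T14:40:00", "host": "WS-104", "user": "jdoe",
     "file": r"C:\Users\jdoe\AppData\Local\Temp\MeetingInvite.msi",
     "product": "SimpleHelp Remote Support"},
    {"time": "2025-11-04T08:00:00", "host": "WS-221", "user": "SYSTEM",
     "file": r"\\fileserver\deploy\AteraAgent.msi", "product": "Atera Agent"},
    {"time": "2025-11-04T10:30:00", "host": "WS-221", "user": "SYSTEM",
     "file": r"\\fileserver\deploy\7zip.msi", "product": "7-Zip"},
]

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

Run against the constructed events, the phished workstation WS-104 produces seven findings (both installers are unsanctioned, renamed and run from user-writable paths, and the second one trips the sequential rule), while WS-221, whose sanctioned Atera agent came from a deployment share under its own name, produces none. In production the allowlist is the control that does most of the work; the other rules exist to catch the cases where an attacker's tool happens to be one the organization also uses.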