
Phishing Campaigns Exploit RMM Tools for Stealthy System Access

N2K Networks · November 21, 2025 · 24 min

Understanding Remote Monitoring and Management (RMM) Tools

  • 💡 RMM tools are legitimate software enabling remote access and administration of devices, commonly used for IT operations like updates and software deployment.
  • ⚠️ Adversaries exploit these tools to blend in or impersonate IT personnel, gaining persistent access and enabling lateral movement within a network.

Red Canary and Zscaler's "Hawkeye Hunting"

  • 🎯 Zscaler's "Hawkeye Hunting" leverages broad telemetry, akin to NetFlow or DNS logs, to detect fast-moving campaigns and tie disparate pieces of information together.
  • 🔍 A single organization sees only its own slice of activity; this broader vantage point makes it possible to identify threat actors who stage their tooling on legitimate resources such as Cloudflare R2 or GitHub.
  • 📊 At its peak, the campaign saw approximately 100 instances per week of legitimate RMM tools being repackaged and hosted on trusted platforms.

Four Common Phishing Lures

  • 🎣 Adversaries employ four primary phishing lures. The first is the fake browser update, particularly for Chrome, which downloads an RMM tool once the user interacts with it.
  • 📧 Other lures include fake meeting invitations, fake party invitations, and fake government forms (e.g., IRS, Social Security).
  • ⚠️ While user education is helpful, it's insufficient; organizations need robust security controls and detection mechanisms beyond user awareness.

Challenges in Detecting RMM Tool Misuse

  • 🧩 The legitimate nature of RMM tools makes detecting their malicious use difficult, as they are often trusted or explicitly permitted by antivirus and EDR solutions.
  • 🔑 Key indicators of misuse include masqueraded file names (e.g., W9_2025.msi), downloading to and running from non-standard directories, and suspicious network connections.
  • 🛠️ Organizations are advised to limit the RMM tools permitted in their environment through a strict whitelist, so that any other RMM tool stands out as a deviation.

Adversary Tactics and Future Implications

  • 🚀 Attackers often deploy multiple RMM tools sequentially to ensure persistence, even if one tool is detected and removed.
  • 📈 The prevalence of RMM tools (over 160 tracked by Zscaler) and their hosting on trusted cloud infrastructure makes them difficult to block without impacting legitimate business operations.
  • ⚠️ Experts are concerned that threat actors will increasingly realize the effectiveness and ease of this approach, potentially leading to more widespread use for various objectives like ransomware or espionage.
  • 🕵️ The use of legitimate tools complicates attribution efforts, making it harder to identify the end goal and actor behind an attack.
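Added example (not from the episode, Red Canary or Zscaler): a small Python triage over constructed RMM execution events that applies the indicators above (unapproved product, non-standard directory, document-like file name such as W9_2025.msi, launch from a browser) and flags hosts where more than one RMM product appears, the tool-stacking pattern described in this section. The allowlist, product names, directories and events are all constructed assumptions; `product` is assumed to come from the signed binary's file description.

```python
# Added example: triage RMM execution events against an allowlist and the
# misuse indicators discussed above. All names and events are constructed.
import re
from collections import defaultdict

# Constructed allowlist: the only RMM product this organisation has sanctioned.
APPROVED_RMM = {"corprmm agent"}
# Directories a centrally deployed agent is expected to run from.
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Coarse heuristic for file names dressed up as documents or updates.
DOC_MASQUERADE = re.compile(r"(w-?9|irs|ssa|form|invoice|meeting|invite|update).*\.(msi|exe)$", re.I)
# An RMM installer spawned directly by a browser fits the fake-update lure.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def triage(event):
    """Return the indicators one RMM execution event trips (empty list = benign)."""
    reasons = []
    if event["product"].lower() not in APPROVED_RMM:
        reasons.append("unapproved RMM product")
    path = event["path"].lower()
    if not path.startswith(STANDARD_DIRS):
        reasons.append("non-standard directory")
    if DOC_MASQUERADE.search(path.rsplit("\\", 1)[-1]):
        reasons.append("document-like file name")
    if event["parent"].lower() in BROWSERS:
        reasons.append("spawned by browser")
    return reasons


def distinct_rmm_per_host(events):
    """Hosts running more than one RMM product, a sign of sequential tool deployment."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["product"].lower())
    return {h: sorted(p) for h, p in seen.items() if len(p) > 1}


# Constructed RMM execution events (host, signed product name, image path, parent).
EVENTS = [
    {"host": "ws01", "product": "CorpRMM Agent", "path": r"C:\Program Files\CorpRMM\agent.exe", "parent": "services.exe"},
    {"host": "ws02", "product": "OtherRMM Agent", "path": r"C:\Users\jdoe\Downloads\W9_2025.msi", "parent": "chrome.exe"},
    {"host": "ws02", "product": "ThirdRMM Host", "path": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "parent": "explorer.exe"},
    {"host": "ws03", "product": "CorpRMM Agent", "path": r"C:\Users\asmith\Downloads\agent.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["host"], e["path"], triage(e) or "ok")
    print(distinct_rmm_per_host(EVENTS))
```

The fourth event shows why the allowlist alone is not enough: the approved product running from a user's Downloads folder is still a deviation worth a look.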