Current Cyber Threats

Distribution of Malware Abusing LogMeIn and PDQ Connect

Summary:
According to AhnLab Security Intelligence Center (ASEC), actors are abusing Remote Monitoring and Management (RMM) tools like LogMeIn Resolve and PDQ Connect to distribute malware. These attacks involve setting up websites that impersonate downloads for legitimate software such as Notepad++, 7-Zip, or WinRAR. Users who initiate a download unsuspectingly install LogMeIn Resolve or PDQ Connect, providing actors full control over their systems. In attacks observed by ASEC, the actors have used their access to execute PowerShell commands and install PatoRAT, a backdoor with capabilities such as remote control, data theft, screen capture, and keylogging. PatoRAT, written in Delphi, communicates with a command-and-control server and sends detailed system information, including OS data, user details, memory usage, active window titles, and screen resolution. It also supports a wide range of malicious functions, including remote desktop control, credential theft, PowerShell execution, file manipulation, and HVNC.

Security Officer Comments:
Legitimate RMM tools continue to be weaponized to bypass traditional security controls. Given that RMM software like LogMeIn Resolve and PDQ Connect is designed for authorized remote management, patching, monitoring, and system administration, it typically operates with elevated privileges and is allowed to communicate externally without being flagged by firewalls or antivirus products. Knowing this, actors have increasingly exploited such tools to gain remote access to victim environments, install malware, and exfiltrate data of interest.

Suggested Corrections:
Users are advised to download utilities only from the official vendor website and to verify the version information and certificate of the downloaded file to ensure that they are installing the intended file. They should also ensure that their operating systems and security products are up to date to protect themselves from potential attacks.
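One way to carry out the file check recommended above, as an added example that is not part of the ASEC report or this bulletin: it inspects the Authenticode signature and version resource of a downloaded installer so that an RMM agent relabelled as a file archiver is flagged before it runs. The expected publisher and product name are operator-supplied assumptions (take them from the vendor's official site), and the paths are placeholders.

```powershell
# Added example (not from the ASEC report): check a downloaded installer's
# Authenticode signature and version metadata before running it.
# $ExpectedPublisher and $ExpectedProductName are assumptions supplied by
# the operator, e.g. the signer CN and product shown on the vendor's site.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [string] $ExpectedProductName
    )

    $result = [ordered]@{ Path = $Path; Trusted = $false; Reasons = @() }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Reasons += "file not found"
        return [pscustomobject]$result
    }

    # 1. The signature must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status is '$($sig.Status)'"
    }

    # 2. The signer subject must name the expected publisher; unsigned or
    #    differently signed files fail here.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        $result.Reasons += "signer subject '$subject' does not match '$ExpectedPublisher'"
    }

    # 3. The version resource should describe the product that was meant to
    #    be downloaded, not a remote-management agent.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $result.ProductName = $vi.ProductName
    $result.FileVersion = $vi.FileVersion
    if ($ExpectedProductName -and $vi.ProductName -notmatch [regex]::Escape($ExpectedProductName)) {
        $result.Reasons += "product name '$($vi.ProductName)' does not match '$ExpectedProductName'"
    }

    $result.Trusted = ($result.Reasons.Count -eq 0)
    return [pscustomobject]$result
}

# Usage (path and publisher string are placeholders):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe" `
#     -ExpectedPublisher 'EXPECTED PUBLISHER CN' -ExpectedProductName 'Notepad++'
```

A result with `Trusted = $false` lists every failed check in `Reasons`, so a file that is validly signed but by the wrong publisher is still rejected.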

Link(s):
https://asec.ahnlab.com/en/90968/