Phishing Campaign Uses Fake Party Invites to Deliver Remote Access Tools

KnowBe4 Team | Nov 28, 2025

A large phishing campaign is using phony seasonal party invites to trick users into installing remote management and monitoring (RMM) tools, according to researchers at Symantec.

“A highly active threat actor that specializes in using the ScreenConnect remote management and monitoring (RMM) software in its attacks has changed tactics and is now infecting its victims with multiple RMM tools, including LogMeIn Resolve and Naverisk,” Symantec says.

“In many cases, the attackers install additional RMM tools on infected computers long after the initial compromise occurs. The motivation behind this new tactic remains unclear, although it appears that the attackers are attempting to increase their dwell time on networks in order to maximise their return on successful attacks.”

The attackers recently began using party-themed lures, likely to target users during the holiday season.

“Its attacks adhere to a consistent pattern, beginning with phishing emails employing a variety of lure tactics,” the researchers write. “Recent emails have masqueraded as holiday party invites, such as ‘Party Invitation’ or ‘December Holiday Party.’ Other email lures have masqueraded as invoices, tax correspondence, payment overdue notices, Zoom meeting invites, or documents to be signed.”

Notably, the attackers rotate the remote access tools that are installed on infected systems, possibly to evade detection and maintain persistence.

“Most recently, since October, the attackers mainly seem to be using LogMeIn Resolve (formerly GoTo Resolve) and another RMM package, Naverisk, along with ScreenConnect. Interestingly, the RMM tools are usually not installed simultaneously. Instead, one is used to install another, and often a period of time can elapse between installations.”
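The pattern described above, one RMM tool installing another on the same host with a gap between installs, can be hunted for in software-install telemetry. The following is an added example, not code from Symantec or KnowBe4; the event fields (`host`, `time`, `product`, `installed_by`), the sample records and the `sanctioned` allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# RMM families named in the Symantec report, matched by product-name keyword.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "logmein resolve": "LogMeIn Resolve",
    "goto resolve": "LogMeIn Resolve",  # former product name
    "naverisk": "Naverisk",
}

def rmm_family(name):
    """Map a free-text product or installer name to an RMM family, or None."""
    lowered = (name or "").lower()
    for keyword, family in RMM_KEYWORDS.items():
        if keyword in lowered:
            return family
    return None

def find_rmm_stacking(events, sanctioned=frozenset()):
    """Return {host: finding} for hosts carrying RMM tools outside the allowlist."""
    by_host = defaultdict(list)
    for ev in events:
        family = rmm_family(ev["product"])
        if family:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), family, ev))
    findings = {}
    for host, installs in by_host.items():
        installs.sort(key=lambda item: item[0])  # oldest install first
        first_seen, chained = {}, []
        for when, family, ev in installs:
            first_seen.setdefault(family, when)
            parent = rmm_family(ev.get("installed_by"))
            if parent and parent != family:  # one RMM tool dropped another
                gap_days = (when - first_seen.get(parent, when)).days
                chained.append((parent, family, gap_days))
        unsanctioned = [f for f in first_seen if f not in sanctioned]
        if unsanctioned:
            findings[host] = {"families": list(first_seen), "unsanctioned": unsanctioned, "chained": chained}
    return findings

# Constructed sample install events (hypothetical hosts and installer names).
SAMPLE_EVENTS = [
    {"host": "ws-014", "time": "2025-10-02T09:15:00", "product": "ScreenConnect Client", "installed_by": "Party_Invitation.msi"},
    {"host": "ws-014", "time": "2025-10-20T14:00:00", "product": "LogMeIn Resolve Unattended", "installed_by": "ScreenConnect Client"},
    {"host": "ws-014", "time": "2025-11-05T16:00:00", "product": "Naverisk Agent", "installed_by": "GoTo Resolve Unattended"},
    {"host": "ws-022", "time": "2025-09-01T08:00:00", "product": "ScreenConnect Client", "installed_by": "IT deployment"},
    {"host": "ws-030", "time": "2025-10-11T10:00:00", "product": "7-Zip", "installed_by": "user"},
]
```

Calling `find_rmm_stacking(SAMPLE_EVENTS, sanctioned={"ScreenConnect"})` reports only `ws-014`, with the install chain and the number of days between each tool's arrival.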

It’s not clear what the goal of these attacks is, but Symantec believes the hackers may be initial access brokers who sell the access to other criminals, such as ransomware gangs.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Symantec has the story.

