US Cert Alert - Alert (AA23-025A) Protecting Against Malicious Use of Remote Monitoring and Management Software

Threat Actors Exploiting RMM Software

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

CISA Analysis of Malicious Activity

In October 2022, CISA conducted a retrospective analysis using trusted third-party reporting and the EINSTEIN intrusion detection system (IDS) to identify suspected malicious activity on two federal civilian executive branch (FCEB) networks:

• June 2022: A phishing email containing a phone number was sent to an FCEB employee’s government email address. The employee called the number, leading them to the malicious domain, myhelpcare[.]online.
• September 2022: Bi-directional traffic was detected between an FCEB network and myhelpcare[.]cc.

Connection to Financially Motivated Phishing Campaign

Further analysis linked this activity to a widespread phishing campaign, including malicious typosquatting domains reported by Silent Push, impersonating well-known brands like Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal.

Malicious Cyber Activity

The malicious campaign has been active since at least June 2022, targeting FCEB staff via help desk-themed phishing emails sent to both personal and government email addresses.

• The emails contain either a link to a first-stage malicious domain or prompt recipients to call a number where cybercriminals convince them to visit the domain.
• The recipient visiting the first-stage domain triggers the download of an executable, which then connects to a second-stage malicious domain to download additional RMM software.

Use of AnyDesk and ScreenConnect for Evasion

CISA noted that threat actors did not install the RMM clients on the compromised host. Instead, they downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the attacker’s RMM server.

Note: Portable executables do not require installation or administrative privileges, allowing them to:

• Execute unapproved software even if security controls block standard installations.
• Attack other vulnerable machines within the local intranet.
• Establish long-term persistent access as a local user service.

Malicious Domains Used in the Campaign

CISA identified multiple first-stage malicious domain names that follow IT help/support-themed social engineering patterns, including:

• hservice[.]live
• gscare[.]live
• nhelpcare[.]info
• deskcareme[.]live
• nhelpcare[.]cc

According to Silent Push, some of these domains impersonate brands such as Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.

Additionally, first-stage malicious domains periodically redirect to other sites for further downloads of RMM software.

Use of Remote Monitoring and Management (RMM) Tools

After downloading the RMM software, threat actors used it for financial scams, particularly refund scams.

How the Refund Scam Works:

1. The attacker connects to the victim’s system via RMM software.
2. The victim is tricked into logging into their bank account while the attacker remains connected.
3. The attacker modifies the bank account summary to show a false excess refund.
4. The victim is then convinced to "refund" the excess amount—which is sent directly to the attacker.

Although this campaign is financially motivated, the access could enable further malicious activity, including attacks by advanced persistent threat (APT) groups.

Security Risks of RMM Tools in Cyber Attacks

Network defenders should be aware that:

• Threat actors can abuse any legitimate RMM software, not just AnyDesk and ScreenConnect.
• Portable RMM executables bypass software management controls and administrative privilege requirements.
• Antivirus and antimalware defenses may not detect RMM software misuse.
• RMM tools can serve as persistent backdoors for long-term access.
• Attackers use RMM to avoid deploying custom malware, making detection harder.

Targeting Managed Service Providers (MSPs) and IT Help Desks

Threat actors frequently target MSPs and IT help desks, as these organizations regularly use RMM software for:

• Remote IT support
• Network management
• Endpoint monitoring

A compromise of an MSP can lead to mass exploitation, affecting numerous downstream clients with threats like ransomware and cyber espionage.

Mitigation Measures

The authoring organizations strongly recommend that network defenders implement the mitigation strategies outlined in the Mitigations section of this Cybersecurity Advisory (CSA) to protect against the malicious use of legitimate RMM software.