- Huntress discovered a phishing campaign that delivers legitimate RMM tools (Tiflux, UltraVNC, Splashtop, ScreenConnect) to gain persistence and exfiltrate corporate data.
- Attackers lure victims with fake “Network Solutions” service contract emails, then abuse a vulnerable driver (HwRwDrv.x64) for privilege escalation.
- Evidence points to Brazilian infrastructure and targets; defenses rely on strict RMM auditing, asset inventories, cross-checks against the LOLRMM database and log reviews.
Cybercriminals abuse a range of legitimate programs, including Tiflux, UltraVNC, Splashtop and ScreenConnect, to take control of business computers, establish persistence and continuously exfiltrate sensitive data. That’s according to security researchers at Huntress, who detailed the new campaign in an in-depth research paper.
The attack begins with a carefully crafted phishing email, usually with the theme of “Updated Network Solutions Service Agreement.” The email claims that Network Solutions has changed its pricing statements and services and asks the target to visit a page where they can review and accept the new terms.
Victims who click on the link provided are first asked to complete a CAPTCHA, which may filter out bots and automated analysis. After that, they are asked to download a “secure document” which is just an installer for Tiflux, a legitimate (albeit little-known) commercial remote monitoring and management (RMM) tool.
Attacks since the end of February
In addition to Tiflux, the victim’s system also receives other tools, including 7zip, an outdated version of the UltraVNC remote access tool, and a vulnerable driver called HwRwDrv.x64. The latter appears to be the key component, as it allows for possible privilege escalation.
Attackers then use Tiflux to install Splashtop or ScreenConnect (or, in some cases, both), before continuing with their primary goal: transmitting live screenshots, running system utilities, establishing persistence, and exfiltrating data.
Huntress witnessed the attacks in the wild in late February this year. The report does not mention any specific groups or names of threat actors, but it does indicate that Tiflux is a Brazilian tool and that the threat actor’s infrastructure operates a server domain ending in a Brazilian country code top-level domain.
In other words, everything indicates a Brazilian attacker targeting Brazilian victims.
Businesses can defend against RMM abuse by establishing a comprehensive asset inventory of all installed applications, implementing strict application controls, regularly auditing authorized RMMs and cross-checking them with databases like LOLRMM to find tools frequently abused by bad actors, and reviewing logs for RMM activity.
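As an added illustration of the inventory cross-check described above (not code from Huntress or the article), the following script audits a constructed software and driver inventory against an abridged, constructed catalogue of RMM products and flags any RMM the organization has not explicitly authorized, plus the HwRwDrv.x64 driver named in the report. The record format, the authorized list and the catalogue are assumptions; in production the catalogue would come from the full LOLRMM data.

```python
"""Cross-check an endpoint software/driver inventory against RMM tools known
to be abused, flagging anything not explicitly authorized.
All inputs below are constructed samples; matching is by product name."""
from dataclasses import dataclass
from typing import Optional

# Constructed, abridged catalogue (lower-case product names). The LOLRMM
# project maintains the full list of RMM tools seen abused; use that instead.
ABUSED_RMM_CATALOGUE = {"tiflux", "ultravnc", "splashtop", "screenconnect"}

# Driver the Huntress report names as vulnerable and used for privilege escalation.
SUSPICIOUS_DRIVERS = {"hwrwdrv.x64"}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "software" or "driver"
    name: str
    reason: str


def normalize(name: str) -> str:
    """Lower-case and drop spaces/punctuation (except '.') so that
    'UltraVNC Server' still contains the catalogue key 'ultravnc'."""
    return "".join(ch for ch in name.lower() if ch.isalnum() or ch == ".")


def rmm_match(product: str) -> Optional[str]:
    """Return the catalogue entry contained in the product name, if any."""
    key = normalize(product)
    return next((rmm for rmm in ABUSED_RMM_CATALOGUE if rmm in key), None)


def audit_inventory(records: list, authorized_rmm: set) -> list:
    """records: dicts with host, kind ('software'|'driver'), name.
    authorized_rmm: lower-case catalogue names the organization sanctions."""
    findings = []
    for rec in records:
        name = rec["name"]
        if rec["kind"] == "software":
            rmm = rmm_match(name)
            if rmm and rmm not in authorized_rmm:
                findings.append(Finding(rec["host"], "software", name, f"unauthorized RMM ({rmm})"))
        elif rec["kind"] == "driver" and normalize(name) in SUSPICIOUS_DRIVERS:
            findings.append(Finding(rec["host"], "driver", name, "known-vulnerable driver"))
    return findings


# Constructed sample export (hypothetical inventory agent output); not real telemetry.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "kind": "software", "name": "Tiflux"},
    {"host": "ws-01", "kind": "software", "name": "UltraVNC Server"},
    {"host": "ws-01", "kind": "driver", "name": "HwRwDrv.x64"},
    {"host": "ws-02", "kind": "software", "name": "ScreenConnect Client"},
    {"host": "ws-02", "kind": "software", "name": "7-Zip"},
]

if __name__ == "__main__":
    # Assumed policy: only ScreenConnect is an approved RMM in this organization.
    for f in audit_inventory(SAMPLE_INVENTORY, authorized_rmm={"screenconnect"}):
        print(f"{f.host}: {f.kind} {f.name!r} -> {f.reason}")
```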