- Proofpoint discovered a fake RMM tool, “TrustConnect”, designed to disguise RAT malware
- The criminals created a website, paid for a code-signing certificate, and deceived businesses into paying for $300/month subscriptions.
- The tool gave attackers full remote control; it is linked to a customer of the Redline infostealer
A group of cybercriminals went to great lengths to infect businesses with a remote access Trojan (RAT), creating an entire company, coding a website, and paying thousands of dollars for a legitimate certificate.
In its report, Proofpoint said it is quite common for cybercriminals to use legitimate remote monitoring and management (RMM) tools in their technology stack. They would trick their victims into installing their tool of choice and sharing their login credentials, allowing them to deploy all kinds of second-stage malware, including information stealers, remote access Trojans, or ransomware.
However, what researchers have never seen before are criminals creating an entirely new product, website and everything else that appears legitimate on the surface, but is actually completely malicious. Yet that’s exactly what TrustConnect is.
Subscribe to a RAT
“Initially, TrustConnect appeared to be another legitimate RMM tool being abused,” Proofpoint explained.
“Given the large number of remote administration tools available for threat actors to choose from and their prevalence in the threat landscape, this might have made sense.”
The scammers built a .com website and requested a certificate, paying “thousands of dollars” and going through “additional levels of validation on behalf of the domain holder.” The certificate was revoked on February 6, but all files signed before this date remain valid, it was clarified.
Businesses that don’t spot the trick will end up paying $300 a month to use the RMM tool. What they get instead is a RAT backdoor that grants attackers complete mouse and keyboard control, as well as the ability to record and stream anything on the victim’s screen. Additionally, the tool provides all the usual RMM features, such as transferring files, executing commands, or bypassing User Account Control.
While it’s impossible to know for sure, Proofpoint said it was “moderately confident” that TrustConnect was developed by a VIP customer of Redline, a popular information stealer.