Hackers using RMM Software

At least two federal agencies in the U.S. fell victim to a "widespread cyber campaign" that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam.

"Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a refund scam to steal money from victim bank accounts," U.S. cybersecurity authorities said.

The joint advisory comes from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

The attacks, which took place in mid-June and mid-September 2022, have financial motivations, although threat actors could weaponize the unauthorized access for conducting a wide range of activities, including selling that access to other hacking crews.


Usage of remote software by criminal groups has long been a concern as it offers an effective pathway to establish local user access on a host without the need for elevating privileges or obtaining a foothold by other means.

In one instance, the threat actors sent a phishing email containing a phone number to an employee's government email address, prompting the individual to a malicious domain. The emails, CISA said, are part of help desk-themed social engineering attacks orchestrated by the threat actors since at least June 2022 targeting federal employees.

The subscription-related missives either embed a link to a "first-stage" rogue domain or engage in a tactic known as callback phishing to entice the recipients into calling the actor-controlled phone number to visit the same domain.

Irrespective of the approach used, the malicious domain triggers the download of a binary that then connects to a second-stage domain to retrieve the RMM software in the form of portable executables.

The end goal is to leverage the RMM software to initiate a refund scam. This is achieved by instructing the victims to login to their bank accounts, after which the actors modify the bank account summary to make it appear as though the individual was mistakenly refunded an excess amount of money.


In the final step, the scam operators urge the email recipients to refund the additional amount, effectively defrauding them of their funds.

CISA attributed the activity to a "large trojan operation" disclosed by cybersecurity firm Silent Push in October 2022. That said, similar telephone-oriented attack delivery methods have been adopted by other actors, including Luna Moth (aka Silent Ransom).

Patrick Beggs, chief information security officer at ConnectWise, said in an email statement that "software products intended for good use, including remote control tools, can be frequently used by bad actors for malicious purposes," and that "when alerted of this behavior, ConnectWise regularly issues take-down requests to remove malicious sites and domains."

"This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors — from cybercriminals to nation-state sponsored APTs — are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2)," the agencies warned.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.