How eCrime Adversaries Use Legitimate Remote Management Tools
Eric Loui
Countless IT departments and MSPs use numerous Remote Management and Monitoring (RMM) tools to securely administer and troubleshoot workstations. Threat actors frequently use RMM tools because these tools provide off-the-shelf RAT capabilities while often evading conventional security controls. Since 2022, adversaries have significantly increased their use of these tools, likely in response to improving endpoint security capabilities. This presentation discusses the RMM tools most popular among eCrime actors, highlighting several case studies, and concludes with specific recommendations for detecting RMM tool abuse.
In 2023, CrowdStrike Counter Adversary Operations observed nearly twice as many incidents involving legitimate RMM tools as compared with 2022. AnyDesk, ConnectWise ScreenConnect, TeamViewer, and NetSupport Manager appeared most frequently, but adversaries also leveraged numerous other less-common tools. eCrime actors accounted for the vast majority of these incidents.
AnyDesk remained the most common RMM tool used by threat actors in 2023. Numerous eCrime adversaries, particularly Big Game Hunting (BGH) actors, used the tool heavily in 2023, including SCATTERED SPIDER, MANGLED SPIDER, PUNK SPIDER, and BITWISE SPIDER affiliates. For example, in June 2023, a MANGLED SPIDER operator connected via RDP to a victim host. The adversary executed a batch script to install AnyDesk, then attempted to move laterally and accomplish actions on objectives.
As in 2022, ConnectWise ScreenConnect was the second-most popular RMM tool used in 2023. Besides BGH actors, several lower-volume targeted eCrime actors used ScreenConnect regularly in 2023, like CHEF SPIDER. CHEF SPIDER spoofs legitimate companies by typosquatting their domains, impersonating their executives, and soliciting a target’s services over their website to initiate a sales lead email. In the correspondence, CHEF SPIDER lures users to schedule a meeting over a scheduling page that downloads a ScreenConnect installer.
This presentation will briefly discuss abuse of other RMM tools, like TeamViewer and NetSupport Manager. TeamViewer remains popular among BGH actors like BITWISE SPIDER affiliates and BianLian ransomware operators. INDRIK SPIDER’s SocGholish (aka “Fake Browser Updates”) campaigns continue to deliver NetSupport Manager.