The attackers' master key: when remote management tools become persistent backdoors

Published · 4 min read

A new report from security researchers highlights an increasingly worrying technique: instead of writing their own malware, attackers are abusing legitimate remote management tools to maintain persistent access to compromised systems. KnowBe4 researchers describe a two-stage campaign in which the first goal is to steal credentials through fake emails, and the second is to turn those stolen credentials into permanent access by using legitimate Remote Monitoring and Management (RMM) software as a "master key" to the system. You can read KnowBe4's original analysis here: KnowBe4 - The Skeleton Key.

The first phase of the operation relies on a convincing lure: fake invitations that appear to come from legitimate electronic greeting card services. These messages urge the recipient to click a phishing link that leads to a page imitating the login page of a major mail provider such as Outlook, Yahoo! or AOL. When the victim enters their credentials, they end up in the hands of the attackers, who from that point advance without needing to exploit any complex technical vulnerability.

Image generated with AI.

With a compromised account in hand, the attackers use that email address with remote management platforms to generate RMM access tokens. In the documented case, the chain ends with the launch of an executable with an attractive and apparently legitimate name, the file identified as "GreenVelopeCard.exe", which carries a JSON-format configuration inside it. That file is digitally signed and is used to download and install the remote access tool (in this case LogMeIn Resolve, also known as GoTo Resolve) and connect it to a server controlled by the attacker, without the user noticing. The product in question is available on its official website: GoTo Resolve.

Once the RMM tool is deployed, the operators modify its settings so that it runs with high Windows privileges and create persistence mechanisms so that manually closing it does not end the intrusion: they change the service configuration and create hidden scheduled tasks that relaunch the software whenever necessary. In other words, they turn a utility designed for legitimate management and support into an effective and durable backdoor.

The underlying problem is that traditional defenses based solely on detecting known malware can fail against this kind of abuse: the applications are legitimate, signed, and installed with valid credentials. That does not mean there are no signals that can and must be monitored. Atypical activity such as RMM access created from new accounts or from unusual geographic locations, tokens issued by unmanaged accounts, support software installed outside the approved channel, and scheduled tasks created without administrative justification should trigger alerts in a SIEM or other corporate monitoring tools.
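The indicators listed above translate directly into detection rules. The following is an added example (not code from KnowBe4 or from the GoTo Resolve product) that runs three such rules over constructed sample records in a normalized SIEM shape: a Windows Security 4698 event (scheduled task created) whose action launches an RMM agent, a System 7045 event (new service installed) pointing at an RMM binary, and an RMM platform audit record for a token issued to a new, unmanaged account from an unexpected country. The RMM marker substrings, the baseline countries, the change-ticket field and the 30-day new-account threshold are assumptions to adapt to your own inventory and telemetry.

```python
"""Detection logic for the RMM-as-backdoor pattern described above.

Added example: the records below are constructed, not real telemetry, and
the RMM marker strings, baseline countries and thresholds are assumptions.
"""
from dataclasses import dataclass

# Assumption: substrings identifying the RMM agents the organization knows
# about (hypothetical placeholders, not vendor-documented binary names).
RMM_MARKERS = ("resolve-agent", "logmein", "gotoresolve")

# Assumption: countries from which RMM administrative activity is expected.
BASELINE_COUNTRIES = {"US", "CA"}

# Constructed sample records in a normalized SIEM shape.
SAMPLE_EVENTS = [
    # Security 4698: hidden task relaunching the RMM agent, created by the
    # compromised user with no change ticket (persistence as in the article).
    {"id": 1, "source": "win-security", "event_id": 4698, "user": "CORP\\jdoe",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\UpdateHelper",
     "task_hidden": True,
     "task_command": "C:\\ProgramData\\GreenVelopeCard\\resolve-agent.exe",
     "change_ticket": None},
    # Security 4698: helpdesk deploying the same product under an approved change.
    {"id": 2, "source": "win-security", "event_id": 4698, "user": "CORP\\svc-helpdesk",
     "task_name": "\\Corp\\RMM\\AgentHealth", "task_hidden": False,
     "task_command": "C:\\Program Files\\GoTo\\gotoresolve-agent.exe",
     "change_ticket": "CHG-1042"},
    # System 7045: RMM agent registered as a LocalSystem service, no ticket.
    {"id": 3, "source": "win-system", "event_id": 7045, "service_name": "UpdateHelperSvc",
     "image_path": "C:\\ProgramData\\GreenVelopeCard\\resolve-agent.exe",
     "service_account": "LocalSystem", "change_ticket": None},
    # System 7045: unrelated service install, not an RMM binary.
    {"id": 4, "source": "win-system", "event_id": 7045, "service_name": "BackupAgent",
     "image_path": "C:\\Program Files\\Backup\\bkagent.exe",
     "service_account": "LocalSystem", "change_ticket": "CHG-1040"},
    # RMM platform audit: token issued to a one-day-old unmanaged account from
    # outside the baseline ("XX" is a placeholder country code).
    {"id": 5, "source": "rmm-audit", "action": "token_issued",
     "account": "jdoe@corp.example", "account_age_days": 1,
     "country": "XX", "managed_account": False},
    # RMM platform audit: long-standing managed helpdesk account, expected geography.
    {"id": 6, "source": "rmm-audit", "action": "token_issued",
     "account": "helpdesk@corp.example", "account_age_days": 400,
     "country": "US", "managed_account": True},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    record_id: int
    reasons: tuple


def is_rmm_binary(path):
    """True if a task command or service image path names a known RMM agent."""
    return any(marker in path.lower() for marker in RMM_MARKERS)


def detect(events, baseline_countries=BASELINE_COUNTRIES, new_account_days=30):
    """Apply the three indicator rules and return one Alert per suspicious record."""
    alerts = []
    for e in events:
        if e.get("event_id") == 4698 and is_rmm_binary(e["task_command"]):
            # Scheduled task relaunching an RMM agent: hidden or unjustified is suspicious.
            reasons = []
            if e.get("task_hidden"):
                reasons.append("hidden task")
            if not e.get("change_ticket"):
                reasons.append("no change ticket")
            if reasons:
                alerts.append(Alert("rmm-task-persistence", e["id"], tuple(reasons)))
        elif e.get("event_id") == 7045 and is_rmm_binary(e["image_path"]):
            # RMM agent installed as a service outside the approved change process.
            if not e.get("change_ticket"):
                reasons = ["no change ticket"]
                if e.get("service_account") == "LocalSystem":
                    reasons.append("runs as LocalSystem")
                alerts.append(Alert("rmm-service-install", e["id"], tuple(reasons)))
        elif e.get("source") == "rmm-audit" and e.get("action") == "token_issued":
            # Token issuance by new, unmanaged or geographically unusual accounts.
            reasons = []
            if e["account_age_days"] < new_account_days:
                reasons.append("account newer than %d days" % new_account_days)
            if e["country"] not in baseline_countries:
                reasons.append("country %s outside baseline" % e["country"])
            if not e["managed_account"]:
                reasons.append("account not in managed directory")
            if reasons:
                alerts.append(Alert("rmm-token-anomaly", e["id"], tuple(reasons)))
    return alerts


def flagged_record_ids(events=SAMPLE_EVENTS):
    """Sorted ids of the sample records that produce at least one alert."""
    return sorted({a.record_id for a in detect(events)})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.rule, a.record_id, "; ".join(a.reasons))
```

Running the block flags records 1, 3 and 5 and leaves the helpdesk deployment, the unrelated service and the established managed account alone. The change-ticket field is the piece that separates an authorized RMM rollout from the same binary dropped by an attacker, which is why the inventory of approved installations matters as much as the rules themselves.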

Image generated with AI.

In practical terms, mitigation means strengthening credential protection and limiting how an administrative account can be used. Enabling and enforcing multi-factor authentication is a simple and effective measure that drastically reduces the likelihood that stolen credentials can be used to register services on the victim's behalf; since this campaign starts with a credential-phishing page, phishing-resistant methods such as FIDO2 security keys offer the strongest protection. Microsoft and other vendors publish guidance on implementing MFA robustly: MFA (Microsoft) Guide. It is also recommended to maintain a strict inventory of authorized RMM tools, control code-signing certificates, and apply least-privilege policies to accounts able to install software or generate access tokens.

Awareness matters too. Training employees and administrators to recognize phishing emails and signs of compromise helps cut the campaign off in its initial phase. Consumer protection authorities and agencies publish practical resources on identifying and avoiding phishing campaigns: Anti-phishing Tips (FTC). For security teams, it is prudent to review national guidance on secure remote access, such as that published by the US Cybersecurity and Infrastructure Security Agency (CISA): Securing Remote Access (CISA).

Finally, this campaign is a clear reminder that trust in legitimate tools can be manipulated. Organizations must assume that attackers will keep looking for shortcuts around controls, so it is appropriate to combine preventive measures, such as MFA, privileged account control and application allowlisting, with behavior-based detection, continuous auditing of installations, and response procedures that include rapid revocation of tokens and remediation of suspicious RMM services. The key is not to treat remote support tools as untouchable, but as resources that, like any other, need governance and monitoring.
