A
You're listening to the Cyberwire Network, powered by N2K.
B
From phishing to ransomware, cyber threats are constant. But with NordLayer, your defense can be too. NordLayer brings together secure access and advanced threat protection in a single, seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero trust principles, so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com cyberwire daily with code CYBERWIRE28. That's nordlayer.com cyberwire daily, code CYBERWIRE28. That's valid through December 10th, 2025.

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
A
So remote monitoring and management tools basically allow remote users to access and administer devices with ease, so they can be used by internal IT operations daily. So they're used for things like applying updates, managing assets, deploying software, things like that. The biggest issue here is that because they have all of these features, they're also leveraged by adversaries. And it really allows adversaries to blend in or even impersonate an organization's IT or a vendor. And they really allow adversaries to start to have that persistent access and then start to move laterally.
B
That's Alex Berninger, senior manager of intelligence at Red Canary, and Mike Wiley, director of threat hunting at Zscaler. The research we're discussing today tracks four phishing lures and campaigns dropping RMM tools. Well, Mike, the team here identified the campaigns using a variety of tools. Can you walk us through what exactly you all discovered here?
A
Sure.
C
So, coming from the vendor side, we've got a unique perspective. We've coined this term Hawkeye hunting. And essentially what that means is that when you're defending your own organization, it's kind of like looking out of the captain's chair, the windows of a battleship. And you only have a certain perspective, right? You can see about 2.9 nautical miles before there's the curvature of the earth. So you have this limited visibility. With our visibility, we can dip into the metadata. So think of something similar to NetFlow or DNS logs, firewall logs of the Zero Trust Exchange. And so in that we're able to see fast-moving campaigns, we're able to tie pieces together, whereas an organization defending their own battleship, they can only see what's right in front of them.

And so what we were doing is we were looking for different abuse, I would say, or leveraging from a threat actor of these legitimate resources. And so we have these hunts that run 24/7 looking at things like abuse of S3 buckets or Cloudflare R2 buckets. And what our team discovered was that at the peak of the campaign, we were seeing about 100 instances of this per week where these legitimate remote desktop tools were being packaged up in an MSI and they were then being hosted at these trusted resources. So we often see GitHub, things like file sharing, storage solutions, R2 buckets. And they're putting these legitimate signed binaries which, as Alex said, are used by IT personnel for legitimate reasons, and they're downloaded from a legitimate resource. So we're not seeing evil.com or some attacker-owned infrastructure. They're using legitimate third-party tools, legitimate websites, legitimate resources on the web for this campaign. And then what they're doing is that they're renaming these tools. So rather than being something like pdq.msi or anydesk.msi, they're naming them things that you wouldn't normally see from an IT department. So the one I saw most recently was W9.2025.msi.
So they're masquerading the file names and then using these trusted resources. And we saw that happening more and more. And as we saw that, we expanded our hunting methodology. And then we were able to see again at the peak of this, about 100 different events within the course of a week.
B
Well, let me switch back to you, Alex, here. I mean, the research mentions that there are four main phishing lures. Can you walk us through what you all observed?
A
So we observed four main phishing lures, and these are across fake browser updates. And so this is essentially where a user will get to a website, or they'll be trying to navigate to a website, and instead they'll reach a webpage that will say, you cannot navigate to this website unless you update your Chrome. These were largely all Chrome browser updates. And if the user clicks, yes, I'll update my website with the link that's on the page, it will actually download one of these RMM tools. The other ones are fake meeting invitations. So this could be more like a work meeting. Fake party e-invites is another popular lure that we've started to see with increasing frequency. And then the final one is fake government forms. So like IRS or Social Security forms.

And so I think when it comes to all of these lures, it really can come down to user education on making sure that the webpage that you're visiting is what you would expect. And so with the fake government forms, making sure that you're getting to a .gov; if you're getting meeting invites or party invites, are those things that you expected? If not, can you contact where that came from, that person, to see if it's legit? And for the fake browser updates, making sure that you understand how Chrome usually delivers their browser updates, and that it's not going to usually surface on a web page like this, can be really helpful. But of course whenever I mention user education, I always want to caveat that user education is not a panacea for security controls. It can be really helpful; however, relying on all users to not ever click a phishing link or navigate to a phishing site is unrealistic. And so making sure that you have controls beyond that, and detection to be able to identify what happens next, is really important for all organizations.
B
Well, help me understand what is especially tricky about detecting these attacks once these RMM tools are installed.
A
Sure. And I really think that just comes down to the fact that these RMM tools are used legitimately. That can make it really hard to detect when they're not being used in a legitimate way. I think that it's really important that all organizations try to limit the amount of RMM tools that are allowed in their environment to as small of a whitelist as possible. And that can help them identify those deviations or RMM tools that don't fit within that allow list that they have. And then if unsure if the RMM is being used maliciously, look at what's normal for these applications. Like Mike mentioned, oftentimes they were changing the file name. So that can be a key indicator. Downloading and running it from a non-standard directory or making suspicious network connections can all be really good indicators for detection.
B
You know, the report mentions that the adversaries would sometimes deploy two RMM tools back to back. Help me understand that. What are they trying to get with that tactic?
C
I was going to say I think they're looking for persistence, and having just one tool, there's risk that it will be removed or blocked at some point in time. And so by having redundancy built in, they can ensure that they have access to that even if one of the tools is cleaned up. And from our perspective, looking at Zscaler threat hunting customers' telemetry, I think the lowest number of unique RMM tools that we have seen in an environment of a new customer has been seven unique tools, and I think the max was about 20. We catalog and categorize different RMM tools and the artifacts that they leave behind, both on the network side and then the endpoint telemetry. And I think a lot of organizations have a hard time keeping up with that. Right. There's new RMM tools that are added to the list every day. Last I checked our team was tracking over 160 different RMM tools. So even Chrome has an extension that you can use for remote desktop. It's just very prevalent and it's difficult to keep track of that when we work with customers and identify that and show them the risks.

There's a lot of big threat actors in the news right now that are using remote desktop tools. I think that's really helped with organizations having better hygiene around remote desktop tools. Before that I would talk to customers sometimes and tell them about the risks and that they have over 10 different remote desktop tools in their environment, and they would say it's just not a priority. They want us to focus on hunting for APTs. But when I show them use cases, and this blog now that we publish, showing that this is a real risk and it's not just shadow IT or an unwanted program, that there are real risks associated with these backdoors. And what we have seen in a couple of cases is that there's info stealers that happen after the RMM tools are installed, and then in some cases it looks like pre-ransomware deployment.

So it's not just an unwanted program, it is a gateway for all kinds of malicious and risky activity on the endpoints. But I think the hard part is, just as Alex said, it's a legitimate tool and it's authorized by a lot of antivirus programs and EDR programs, other security tools that you might have in your toolkit. And so by default these things are allowed, and it's very hard to keep track of them and just allow the good and not allow the ones that maybe you don't want in your environment.
A
Yeah, and I think to add on to that, when the adversaries are downloading multiple, then one of those might be detected and the organization might remove it, but they'll still have that persistent access via a different RMM tool. So if they diversify how many they're using, it's just going to increase the likelihood that they pick one that the organization is using legitimately.
B
We'll be right back. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com cyber. That's V-A-N-T-A dot com cyber. At Thales they know cybersecurity can be tough and you can't protect everything. But with Thales you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com cyber.

Well, let's talk about defenders here. I mean, what are some of the key warning signs, the things that they should be looking for that would indicate that an RMM tool was being misused rather than being used legitimately?
A
So I think the first thing from the endpoint perspective, and then I'll let Mike jump in as well: from the endpoint perspective, making sure that you deploy endpoint visibility and detection and response sensors across every system that can host it is really important. If you don't have monitoring and EDR on a system, then it allows adversaries to just operate at will oftentimes. And then when it comes to detecting the RMM tools, really identifying what's normal for these applications is really important. So again, looking for that change in the file name, and downloading it and running it from a different directory than what's typical for normal usage for that RMM tool or what you're using in your organization, or making any kind of suspicious network connections, are all going to be really key indicators for identifying those RMM tools.
C
My perspective is that it's best to limit what's allowed in the environment from the beginning. It becomes difficult once you let this, I'm going to call it a risk or a threat, into your environment. Because knowing the intention and then tracking all the different use cases and what happens after is a much bigger job than just stopping it from the beginning. Not allowing these tools in the environment, downloads of them, not letting the processes even start running, that's going to be the best defense. The analogy I'll give is it's a lot easier to keep people out of your house who you may or may not want coming into your house, rather than letting anyone in the front door and then trying to figure out what their intentions are or what they're going to do in your house. Right. Having that perimeter and not letting it in in the first place is going to be the best thing for organizations.
B
So where do you suppose we're headed with this? To what degree do you see this type of approach being effective and being used in the future?
C
I think that my biggest concern is that the threat actors across the globe, whether they're nation state or e-crime or hacktivists, is that they will start to realize how effective and how easy this is, and then it will lead to whatever action on objective they have. Right. So each threat group has their own typical actions on objectives, with some exceptions. And when they see that these tools are generally allowed to run in most environments, these websites are difficult to block. Think about if you tried to block AWS, if you tried to block GCP, Azure, Cloudflare, you'd be blocking a majority of the Internet, which is not reasonable for most businesses. So it's not as easy as just blocking an atomic indicator like a domain or an IP address that might be malicious. These are big tech giants and most of the Internet's run on these things. So I think that once this becomes more well known in the different threat groups, then it may lead to anything and everything, whatever their actions on objectives are. Right. So more ransomware, more espionage, more whatever the DPRK is going to do next after they're done with IT workers. All these different actions on objectives will happen because it is a very easy beachhead for any type of attacker.
B
Alex, any final thoughts?
A
Yeah, I would agree with that. I don't see this decreasing in the near term because right now it's really working. And adversaries are going to do what works. And what these RMM tools give adversaries is essentially that back door with that veneer of legitimacy. So they're not having to create a bespoke backdoor that could then be identified more easily. You know, these are being used, as Mike said, across the spectrum from espionage to cybercrime, because they work and because they give that ability for adversaries to blend in and hide in an environment. And the other thing that I would add is that from the threat intel perspective, these can really complicate attribution, because you're not able to attribute on bespoke malware or specific behaviors of an adversary. And so these can complicate attribution. So even if they are identified, it might be a little bit harder to know exactly what that end goal was going to be and what that action on objective was going to be.
B
Alex, how do you rate the sophistication of these threat actors? Where do they stand compared to other folks we deal with?
A
Yeah, that's an interesting question, and I think it really depends on how you think of sophistication. If you think of sophistication as this really complicated malware that can do all of these different things, then maybe these threat actors aren't sophisticated in that way, because they're not writing their own malware. But they are sophisticated in the way that they're able to achieve those actions, get that backdoor access, sometimes in persistent ways with multiple different tools, and be able to move towards their actions on objectives. And then from there, it probably depends on their sophistication, on how far can they get from there, depending on an organization's ability to detect them and then their ability to continue to blend in. So it's really hard to answer, I think, the sophistication question with this one.
B
Mike, you concur?
C
Yeah, I think if I had to put a bet on it, I would say it's lower sophistication. But as Alex said, we're still investigating this. It's still an ongoing campaign. It's fairly new; it's a matter of weeks that we've seen this big uptick. So there's still a lot of unknowns around it. The closest thing that we can likely attribute to, at least in a couple of the cases, has been ransomware as a service. So the current theory is that this is someone that's come up with this, call it the kill chain or the attack life cycle, and which tools to use, and they're selling it somewhere, which is probably why it's so prevalent. But I think that nowadays sophistication is less important for organizations and really the success of an attack, and it's more about how hard is it to detect or block. And in this case it's incredibly difficult to block. I think the easiest or the lowest-hanging fruit of this would be blocking the process creation of the 160 different RMM tools. But because these MSIs could be staged on any location on the Internet, and most of them being trusted resources and needed for business, it's not really reasonable unless you do things like block all MSIs, EXEs and PowerShell files from being downloaded across the entire Internet.

And in some cases, I talked to a customer that was in charge of the infosec for a law enforcement agency, and they had originally almost ignored our threat hunting finding on this because they said they were using this, I won't name which one, but remote desktop tool in their environment which we found. And so they thought it was benign or a false positive. But then they ended up giving us a call and we talked through it and showed them that, yes, you might be using this remote desktop tool, but does your IT department call it W9.2025.msi? And do you let your IT folks download it from R2 buckets, or do you have it on a share internally, or do you download it from the vendor's website?

And that's when they realized, okay, this is an incident and it's not just the tool that's authorized in our environment. So even though, if I had to guess, and I don't think we have a lot of data or attribution to really say for sure, so it's very low confidence, I would lean towards less sophistication, but I don't think that that's as important. I think the difficulty in preventing this is the real thing here, and most organizations can't prevent it, which then means they need to be doing threat hunting, and a lot of organizations don't have the resources to do that 24/7 and look for all these nuances relating to it.
B
Our thanks to Alex Berninger from Red Canary and Mike Wiley from Zscaler for joining us. The research is "Four phishing lures and campaigns dropping RMM tools." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Air Date: November 22, 2025
Host: Dave Bittner (N2K Networks)
Guests: Alex Berninger (Red Canary), Mike Wiley (Zscaler)
This episode explores the increasing abuse of legitimate Remote Monitoring and Management (RMM) tools in phishing campaigns. Dave Bittner leads a discussion with Alex Berninger, Senior Manager of Intelligence at Red Canary, and Mike Wiley, Director of Threat Hunting at Zscaler, who share findings from their research tracking four phishing lures and multiple campaigns where attackers are dropping RMM tools to gain persistent, stealthy access to enterprise environments.
[01:40] Alex Berninger:
RMM tools are core to IT ops, used for legitimate tasks like updates, asset management, and software deployment.
Their power and integration grant adversaries stealth and persistence, often letting them blend in as IT staff or vendors.
"...because they have all of these features, they're also leveraged by adversaries. And it really allows adversaries to blend in or even impersonate an organization's IT or a vendor."
— Alex Berninger [01:40]
[02:54] Mike Wiley:
Zscaler and Red Canary use broad telemetry (e.g., NetFlow, DNS, firewall logs) to see external threats missed at the organizational level—like "looking over multiple battleships."
They observed about 100 RMM tool campaigns per week at the peak, with adversaries packaging legitimate, signed RMM tools (e.g., AnyDesk, PDQ) as misnamed MSIs (such as "W9.2025.msi") hosted on trusted sites (e.g., GitHub, Cloudflare R2).
"...at the peak of the campaign, we were seeing about 100 instances of this per week where these legitimate remote desktop tools were being packaged up in an MSI and they were then being hosted at these trusted resources."
— Mike Wiley [04:43]
[05:46] Alex Berninger:
Four main phishing tactics identified: fake browser updates (largely Chrome), fake meeting invitations, fake party e-invites, and fake government forms (e.g., IRS or Social Security forms).
User education is important but not sufficient—strong technical controls remain necessary.
"...relying on all users to not ever click a phishing link or navigate to a phishing site is unrealistic. And so making sure that you have controls beyond that..."
— Alex Berninger [07:27]
[08:00] Alex Berninger:
RMM tools are legitimate; detecting malicious use is challenging.
Key indicators: a changed installer file name, the tool being downloaded to or run from a non-standard directory, and suspicious network connections.
Keep a strict allow-list (whitelist) of RMM tools to reduce risk.
"...these RMM tools are used legitimately. That can make it really hard to detect when they're not being used in a legitimate way..."
— Alex Berninger [08:00]
[09:07] Mike Wiley:
Attackers often deploy two (or more) RMM tools—if one is removed, persistence remains.
Some organizations unknowingly harbor 7-20 unique RMMs; over 160 are tracked by Zscaler.
RMM tool misuse is often a precursor to deeper attacks, including info stealing or ransomware.
"...having just one tool, there's risk that it will be removed or blocked at some point in time. And so by having redundancy built in, they can ensure that they have access..."
— Mike Wiley [09:09]
"...it's not just a unwanted program, it is a gateway for all kinds of malicious and risky activity on the endpoints."
— Mike Wiley [10:55]
[14:19] Alex Berninger & Mike Wiley:
Endpoint Visibility: Monitor all systems with EDR sensors.
Behavioral Indicators: Look for altered file names, non-standard directories, and unexpected network activity.
Preventive Controls: limit which RMM tools are allowed from the outset, block downloads of unapproved tools, and prevent their processes from starting at all.
"It's a lot easier to keep people out of your house who you may or may not want coming into your house, rather than letting anyone in ... and then trying to figure out what their intentions are."
— Mike Wiley [15:19]
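As an added example (not code from the podcast, Red Canary or Zscaler), the allow-list and behavioural checks described above run over constructed installer telemetry: it flags a known RMM product arriving under an unrelated name, fetched from public storage instead of an approved host, landing in a non-standard directory, or joined by a second RMM product on the same endpoint. The allow-list entries, hostnames and paths are assumptions made up for the illustration.

```python
"""Allow-list check for RMM installer telemetry (added example, not from the
podcast, Red Canary or Zscaler). Every host, path and product entry below is
an assumption constructed for the example."""

from dataclasses import dataclass
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Hypothetical per-organisation allow-list: which RMM products IT may use,
# where their installers are expected to come from, and where they land.
ALLOWED_RMM = {
    "anydesk": {
        "hosts": {"software.corp.example"},        # assumed internal share
        "install_dirs": {r"C:\Program Files\AnyDesk"},
    },
}

# Public storage the guests say adversaries stage installers on (GitHub,
# Cloudflare R2 buckets); constructed placeholder hostnames, not real ones.
PUBLIC_STAGING_HOSTS = {"pub-bucket.r2.example", "github.example"}


@dataclass
class InstallEvent:
    host: str          # endpoint that ran the installer
    product: str       # product name from the signed binary / MSI metadata
    file_name: str     # file name as written to disk
    source_url: str    # URL the file was fetched from
    install_dir: str   # directory the installer ran from or wrote to


def check_event(ev: InstallEvent, allow: dict = ALLOWED_RMM) -> list:
    """Return the deviation flags for one event; an empty list means the event
    matches the allow-list on every axis the guests mention."""
    flags = []
    product = ev.product.lower()
    entry = allow.get(product)
    if entry is None:
        flags.append("rmm_not_on_allow_list")
    # Renamed installer: the on-disk name no longer mentions the product,
    # e.g. a W9.2025.msi whose metadata says it is an RMM installer.
    stem = PureWindowsPath(ev.file_name).stem.lower()
    if product not in stem:
        flags.append("installer_renamed")
    src_host = urlparse(ev.source_url).hostname or ""
    if src_host in PUBLIC_STAGING_HOSTS:
        flags.append("fetched_from_public_storage")
    # Source host and directory are only meaningful for products IT allows.
    if entry is not None:
        if src_host not in entry["hosts"]:
            flags.append("fetched_from_unapproved_host")
        if ev.install_dir not in entry["install_dirs"]:
            flags.append("nonstandard_install_dir")
    return flags


def triage(events):
    """Flag every event and list endpoints where more than one distinct RMM
    product appeared, the back-to-back redundancy the guests describe."""
    report = {}
    products_by_host = {}
    for ev in events:
        report[(ev.host, ev.file_name)] = check_event(ev)
        products_by_host.setdefault(ev.host, set()).add(ev.product.lower())
    redundant = {h for h, prods in products_by_host.items() if len(prods) > 1}
    return report, redundant


# Constructed sample telemetry: one sanctioned install and two that mimic the
# campaign (renamed AnyDesk from an R2-style bucket, then a second RMM tool).
SAMPLE_EVENTS = [
    InstallEvent("ws-01", "AnyDesk", "anydesk.msi",
                 "https://software.corp.example/anydesk.msi",
                 r"C:\Program Files\AnyDesk"),
    InstallEvent("ws-17", "AnyDesk", "W9.2025.msi",
                 "https://pub-bucket.r2.example/W9.2025.msi",
                 r"C:\Users\jdoe\Downloads"),
    InstallEvent("ws-17", "PDQ", "Party_Invite.msi",
                 "https://github.example/invite/Party_Invite.msi",
                 r"C:\Users\jdoe\AppData\Local\Temp"),
]
```

Running `triage(SAMPLE_EVENTS)` returns an empty flag list for the sanctioned install, a full set of deviations for the renamed installer, and marks `ws-17` as carrying two distinct RMM products.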
[16:22] Mike Wiley:
Threat actors realize the power and stealth of this technique, which can support objectives like espionage or ransomware.
Blocking by domain or IP is infeasible due to the use of major cloud and file hosting (e.g., AWS, GCP) — these are business-essential.
"...when they see that these tools are generally allowed to run in most environments, these websites are difficult to block... you'd be blocking a majority of the Internet, which is not reasonable for most businesses."
— Mike Wiley [16:40]
Alex and Mike agree: Attacks are rising and unlikely to stop, as RMM misuse provides a "veneer of legitimacy" and complicates attribution.
"...what these RMM tools give adversaries is essentially that back door with that veneer of legitimacy."
— Alex Berninger [17:58]
[19:14] Alex Berninger & Mike Wiley:
While the malware/code isn't "sophisticated," the impact and stealth are high.
Many attacks likely originate from "ransomware as a service" or threat actors selling attack chains.
It's not about complexity—it’s about how difficult detection is.
"Nowadays sophistication is less important for organizations and really the success of attack, and it's more about how hard is it to detect or block."
— Mike Wiley [20:45]
Even organizations with legitimate RMM use have been caught off guard when attackers mimic their tool sets but with subtle clues (file names, download sources).
On the challenge for defenders:
"It's a lot easier to keep people out of your house ... rather than letting anyone in the front door and then trying to figure out what their intentions are..."
— Mike Wiley [15:19]
On user education and detection controls:
"Relying on all users to not ever click a phishing link ... is unrealistic. And so making sure that you have controls beyond that..."
— Alex Berninger [07:27]
On the prevalence of RMM abuse:
"...over 160 different RMM tools ... even Chrome has an extension that you can use for remote desktop. It's just very prevalent and it's difficult to keep track of..."
— Mike Wiley [10:07]
On adversary sophistication:
"...if you think of sophistication as this really complicated malware ... then maybe these threat actors aren't sophisticated in that way ... but they are sophisticated in the way that they're able to achieve those actions..."
— Alex Berninger [19:14]
Direct and grounded, this episode blends practical detection tips with sobering analysis: The abuse of RMM tools in social engineering and phishing campaigns is growing fast, is stealthy, and presents immense detection and remediation challenges. The experts stress the importance of rigorous whitelisting, preventive controls, and broad endpoint visibility for organizations—but advise that as long as "what works, works," attackers will keep innovating.
Legitimate RMM tools are being actively weaponized through sophisticated phishing lures and delivery mechanisms, and their very legitimacy makes them one of the trickiest threats for organizations to spot and contain.