- Proofpoint Discovered Fake “TrustConnect” RMM Tool Created as Cover for RAT Malware
- The criminals created a website, paid for a certificate, and tricked companies into $300-a-month subscriptions.
- The tool gave attackers full remote control; Proofpoint links it to a customer of the Redline infostealer
A group of cybercriminals went to great lengths to infect companies with a remote access trojan (RAT): they set up an entire company, built a website, and paid thousands of dollars for a legitimate code-signing certificate.
In its report, Proofpoint said it is common for cybercriminals to use legitimate remote monitoring and management (RMM) tools in their tooling. They trick victims into installing the tool of their choice and sharing login credentials, then use that access to deploy second-stage malware of all kinds, including information stealers, remote access trojans, or ransomware.
What researchers had not seen before is criminals creating a completely new product, website and all, that looks legitimate on the surface but is entirely malicious. That is exactly what TrustConnect is.
Subscribe to a RAT
“At first, TrustConnect appeared to be another legitimate RMM tool that was being abused,” Proofpoint explained.
“Given the large number of existing remote management tools available for threat actors to choose from and their prevalence in the threat landscape, it might have made sense.”
The criminals registered a .com domain and applied for a code-signing certificate, paying “thousands of dollars” and going through “additional levels of validation on behalf of the domain owner.” The certificate was revoked on February 6, but Proofpoint noted that files signed before that date still validate. The practical consequence for defenders is that the Windows trust verdict alone is not enough: an Authenticode signature that carries a trusted timestamp from before the revocation's effective date continues to verify, so the signer certificate and known file hashes should be blocked explicitly rather than relying on revocation.
Companies that don't catch the trick end up paying $300 a month for what they believe is an RMM tool. What they actually get is a RAT backdoor that gives attackers full mouse and keyboard control, as well as the ability to record and stream whatever is on the victim's screen. The tool also provides the usual RMM functions, such as file transfer, command execution, and bypassing User Account Control (UAC).
While it is impossible to know for sure, Proofpoint said it was “moderately certain” that TrustConnect was developed by a VIP customer of Redline, a popular infostealer.
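The article gives no certificate thumbprint, subject or file hashes, so the script below is an added example of how a defender would hunt for binaries signed by a known-bad certificate without trusting the Windows signature verdict; it is not code from Proofpoint's report or from TrustConnect itself. The thumbprint is a placeholder, matching the signer's subject on the string “TrustConnect” is an assumption, and the search roots are only a starting point; all three should be replaced with indicators from the Proofpoint report and your own estate.

```powershell
# Added hunting example; not code from Proofpoint's report or from TrustConnect.
# ASSUMPTIONS: the thumbprint below is a placeholder (the article gives no certificate
# identifiers), and matching the signer subject on "TrustConnect" assumes the certificate
# was issued in that name. Replace both with indicators from the Proofpoint report.
$BlockedThumbprints     = @('0000000000000000000000000000000000000000')  # placeholder, not a real value
$BlockedSubjectPatterns = @('TrustConnect')                              # assumption: CN carries the product name

# Locations where a user-installed "RMM agent" typically lands; extend for your environment.
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path $_) }

$findings = Get-ChildItem -Path $SearchRoots -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: not this hunt's concern

        $thumbHit   = $BlockedThumbprints -contains $cert.Thumbprint
        $subjectHit = [bool]($BlockedSubjectPatterns | Where-Object { $cert.Subject -match $_ })
        if (-not ($thumbHit -or $subjectHit)) { return }

        [pscustomobject]@{
            Path        = $_.FullName
            # Status can still read 'Valid' for a revoked signer when the signature carries a
            # trusted timestamp from before the revocation's effective date; do not rely on it.
            Status      = $sig.Status
            Signer      = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            Timestamped = [bool]$sig.TimeStamperCertificate
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every install location is readable. The output's SHA256 column feeds hash blocks in your EDR, and the thumbprint feeds a WDAC or AppLocker deny rule for the signer, which is the durable fix: a timestamped signature will keep validating long after the certificate is revoked.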