- Huntress discovered a phishing campaign delivering legitimate RMM tools (Tiflux, UltraVNC, Splashtop, ScreenConnect) to gain persistence and exfiltrate business data.
- Attackers lure victims with fake “Network Solutions” service agreement emails and then abuse a vulnerable driver (HwRwDrv.x64) to escalate privileges.
- The evidence points to Brazilian infrastructure and objectives; defenses rely on strict RMM audits, asset inventories, and cross-checking authorized tools against databases such as LOLRMM.
Cybercriminals are abusing a wide variety of legitimate programs, including Tiflux, UltraVNC, Splashtop, and ScreenConnect, to take control of enterprise computers, establish persistence, and continuously leak sensitive data. This is according to the security firm Huntress, which detailed the new campaign in an in-depth research article.
The attack begins with a carefully crafted phishing email, usually with the subject of an “Updated Network Solutions Service Agreement.” The email states that Network Solutions has modified its pricing and service statements and directs the recipient to visit a page where they can review and accept the new terms.
Victims who click on the provided link are first asked to complete a CAPTCHA, likely to filter out bots and automated scans. After that, they are asked to download a “secure document” that is simply an installer for Tiflux, a legitimate (albeit marginal) commercial remote monitoring and management (RMM) tool.
Attacks since the end of February
Along with Tiflux, victims are also given other tools, including 7zip, an outdated version of the UltraVNC remote access tool, and a vulnerable driver called HwRwDrv.x64. The latter seems to be the key here, as it allows for possible privilege escalation.
Attackers then use Tiflux to install either Splashtop or ScreenConnect (or, in some cases, both), before continuing with the main goal: streaming live screenshots, running system utilities, establishing persistence, and exfiltrating data.
Huntress saw the attacks in the wild in late February this year. The report does not name any specific threat actor or group, but it does state that Tiflux is a Brazilian tool and that the threat actor’s infrastructure uses a server domain under a Brazilian country-code top-level domain.
In other words, everything indicates that this is a Brazilian attacker pursuing Brazilian objectives.
Enterprises can defend against RMM abuse by establishing a comprehensive asset inventory of all installed applications, implementing strict application controls, periodically auditing authorized RMMs and matching them against databases such as LOLRMM to find tools that are frequently abused by threat actors, and reviewing RMM activity logs.
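The audit step described above (inventory every installed application, compare it with the list of RMM tools the organization actually authorized, and flag anything that also appears in an abused-RMM catalogue such as LOLRMM) can be automated once an inventory export exists. The script below is an added illustration, not code from Huntress or from TechRadar: the watchlist is a constructed subset containing only the tools named in this article (the LOLRMM project publishes a far longer list), the host names, inventory entries and authorization table are made up for the example, and the driver check simply looks for the HwRwDrv driver the article mentions.

```python
"""Reconcile a per-host software inventory against an RMM watchlist.

Added example, not the article's or Huntress's code. RMM_WATCHLIST is a
constructed subset; a real audit should load the full LOLRMM dataset.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed watchlist: lower-case fragment matched against installed-program
# names -> canonical product label. Only tools named in the article are listed.
RMM_WATCHLIST = {
    "tiflux": "Tiflux",
    "ultravnc": "UltraVNC",
    "splashtop": "Splashtop",
    "screenconnect": "ScreenConnect",
}

# Constructed driver watchlist: the vulnerable driver the article says the
# attackers drop for privilege escalation.
DRIVER_WATCHLIST = {
    "hwrwdrv": "HwRwDrv",
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "unauthorized_rmm" or "vulnerable_driver"
    product: str   # canonical label from one of the watchlists
    evidence: str  # the inventory entry that triggered the finding


def classify_rmm(name: str) -> Optional[str]:
    """Return the watchlist product an installed-program name matches, else None."""
    lowered = name.lower()
    for fragment, product in RMM_WATCHLIST.items():
        if fragment in lowered:
            return product
    return None


def classify_driver(name: str) -> Optional[str]:
    """Return the watchlist label a driver file name matches, else None."""
    lowered = name.lower()
    for fragment, label in DRIVER_WATCHLIST.items():
        if fragment in lowered:
            return label
    return None


def audit_inventory(inventory: Dict[str, List[dict]],
                    authorized: Dict[str, Iterable[str]]) -> List[Finding]:
    """Flag RMM tools not authorized for a host, plus watchlisted drivers.

    inventory:  host -> list of {"name": ..., "kind": "app" | "driver"}
    authorized: host -> RMM product labels the organization approved there
    """
    findings: List[Finding] = []
    for host, entries in inventory.items():
        allowed = {p.lower() for p in authorized.get(host, ())}
        for entry in entries:
            if entry.get("kind") == "driver":
                label = classify_driver(entry["name"])
                if label:
                    findings.append(Finding(host, "vulnerable_driver", label, entry["name"]))
                continue
            product = classify_rmm(entry["name"])
            if product and product.lower() not in allowed:
                findings.append(Finding(host, "unauthorized_rmm", product, entry["name"]))
    return findings


# Constructed sample data: two hosts, one showing the tool mix the article describes.
SAMPLE_INVENTORY = {
    "WS-FIN-07": [
        {"name": "Tiflux Agent", "kind": "app"},
        {"name": "Splashtop Streamer", "kind": "app"},
        {"name": "7-Zip", "kind": "app"},
        {"name": "HwRwDrv.x64.sys", "kind": "driver"},
    ],
    "WS-IT-01": [
        {"name": "ScreenConnect Client", "kind": "app"},
        {"name": "Microsoft Office", "kind": "app"},
    ],
}
# Constructed authorization table: IT's workstation may legitimately run ScreenConnect.
SAMPLE_AUTHORIZED = {"WS-IT-01": ["ScreenConnect"]}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, SAMPLE_AUTHORIZED):
        print(f"{f.host}: {f.kind} {f.product} (evidence: {f.evidence!r})")
```

Run as-is, the script reports two unauthorized RMM installs (Tiflux and Splashtop) and the watchlisted driver on WS-FIN-07, and nothing on WS-IT-01 because its ScreenConnect install is on the approved list. Substring matching on display names is deliberately loose so renamed installers still surface; pair it with a review of the RMM activity logs the article recommends, since a legitimately authorized tool can still be misused.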