Criminals Sell RAT Malware as Legitimate RMM Tool

Summary
– A fake RMM tool called TrustConnect is being sold as a service to cybercriminals, using a fraudulent website to appear legitimate and act as a command-and-control portal.
– The threat actor used a purchased Extended Validation certificate to sign the malware, helping it evade detection, and sold access for $300 per month.
– Cybercriminals distributed the malware via email campaigns using lures like tax documents or fake installers mimicking software such as Zoom or Adobe Reader.
– Proofpoint disrupted the operation by revoking its certificate and taking its C2 server offline, but the threat actor quickly rebranded to a new platform called DocConnect.
– Researchers assess the threat actor was likely a prominent user of Redline stealer and that the malware’s websites and agents were probably coded with AI assistance.
A sophisticated cybercrime operation is selling remote access trojan (RAT) malware disguised as a professional remote monitoring and management tool. Security researchers uncovered this service, named TrustConnect, which is marketed through a convincing, AI-generated website to lend an air of legitimacy. The fake RMM tool is designed to bypass security measures by using a fraudulently obtained Extended Validation certificate to sign its malicious code. This tactic helps the malware evade traditional signature-based detection systems, making it a significant threat.
The operation’s website served a dual purpose: it acted as a convincing front for a fake software company and functioned as the command-and-control portal for the malware itself. Cybercriminals interested in using the service are directed to sign up for a free trial, make payments in cryptocurrency, and then manage their attacks through the same interface. For a monthly fee of $300, buyers gain access to the tool and its control panel, which they then distribute through widespread email campaigns.
These distribution efforts use common and effective lures, including fake tax documents, DocuSign notifications, and meeting invitations. The malware is packaged within installers that mimic legitimate software, borrowing the icons and names of trusted applications like Zoom, Microsoft Teams, and Adobe Reader. It also appears as generic document files with labels such as “Proposal” or uses a straightforward “TrustConnect” installer meant to look like a bona fide IT management utility.
Once installed, the malware frequently leads to the deployment of other legitimate remote access tools, such as ScreenConnect, often using older, compromised versions with expired certificates. Researchers observed rapid, hands-on-keyboard activity by threat actors shortly after infection, indicating the tool is actively used by multiple criminal groups for immediate follow-on attacks. In one instance, an abused account for Level RMM was leveraged, prompting the vendor to disable it after being notified.
In response to the threat, security firms collaborated to disrupt the operation. They worked with certificate authorities to revoke the malware’s EV code-signing certificate, removing its ability to appear trusted. Simultaneously, they took action against the primary command-and-control server, temporarily halting active campaigns. However, these measures had limitations; files signed before the certificate revocation remained valid and could still be distributed.
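The limitation described above (a revoked certificate does not invalidate files that were signed and timestamped before the revocation date) is the reason defensive hunting should key on the signer's thumbprint rather than on whether the operating system still reports the signature as valid. The following Python triage helper is an added example, not code from the article, from Proofpoint or from any vendor named here; the revocation rule it applies is a deliberate simplification (a trusted timestamp earlier than the CRL entry's revocation date keeps the signature valid, anything else fails), the thumbprints are placeholders, and the file records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RevocationEntry:
    """One CRL entry a CA published for an abused code-signing certificate."""
    thumbprint: str        # SHA-1 thumbprint of the revoked certificate
    revoked_at: datetime   # effective revocation (invalidity) date on the CRL entry
    reason: str


@dataclass(frozen=True)
class SignedFile:
    """What a signature inspector reports for one binary."""
    path: str
    signer_thumbprint: str
    # Time asserted by the RFC 3161 countersignature, or None when the file
    # carries no trusted timestamp at all.
    timestamped_at: Optional[datetime]


def signature_still_validates(sig: SignedFile,
                              revocations: Dict[str, RevocationEntry]) -> bool:
    """Approximate the platform rule (simplified; an assumption of this example):
    a signature countersigned by a trusted timestamp *before* the revocation
    date keeps validating after revocation, while a signature with no
    timestamp, or timestamped after revocation, stops validating."""
    entry = revocations.get(sig.signer_thumbprint)
    if entry is None:
        return True   # signer is not on our revocation list
    if sig.timestamped_at is None:
        return False  # no proof of signing time: revocation applies outright
    return sig.timestamped_at < entry.revoked_at


def hunt_verdict(sig: SignedFile,
                 revocations: Dict[str, RevocationEntry]) -> str:
    """Defender policy: decide on the signer thumbprint, not on the OS verdict."""
    entry = revocations.get(sig.signer_thumbprint)
    if entry is None:
        return "clean"
    if signature_still_validates(sig, revocations):
        # Exactly the gap the article describes: the OS still trusts this file.
        return f"suspicious ({entry.reason}); signed before revocation, still validates"
    return f"suspicious ({entry.reason}); signature no longer validates"


def triage(files: List[SignedFile],
           revocations: Dict[str, RevocationEntry]) -> List[Tuple[str, bool, str]]:
    """Return (path, os_would_validate, hunt_verdict) for every inspected file."""
    return [(f.path, signature_still_validates(f, revocations),
             hunt_verdict(f, revocations)) for f in files]


# Constructed sample data; thumbprints are placeholders, not real values.
ABUSED_EV_THUMBPRINT = "PLACEHOLDER_THUMBPRINT_ABUSED_EV_CERT"
REVOCATIONS = {
    ABUSED_EV_THUMBPRINT: RevocationEntry(
        thumbprint=ABUSED_EV_THUMBPRINT,
        revoked_at=datetime(2024, 2, 1, tzinfo=timezone.utc),
        reason="keyCompromise / abused to sign RAT installers",
    ),
}
SAMPLE_FILES = [
    SignedFile("C:\\Users\\victim\\Downloads\\ZoomInstaller.exe", ABUSED_EV_THUMBPRINT,
               datetime(2024, 1, 10, tzinfo=timezone.utc)),   # signed before revocation
    SignedFile("C:\\Users\\victim\\Downloads\\Proposal.exe", ABUSED_EV_THUMBPRINT,
               datetime(2024, 3, 5, tzinfo=timezone.utc)),    # signed after revocation
    SignedFile("C:\\Users\\victim\\Downloads\\TrustConnect.exe", ABUSED_EV_THUMBPRINT,
               None),                                          # no timestamp
    SignedFile("C:\\Program Files\\Vendor\\tool.exe", "PLACEHOLDER_THUMBPRINT_LEGIT_VENDOR",
               datetime(2024, 1, 15, tzinfo=timezone.utc)),   # unrelated signer
]

if __name__ == "__main__":
    for path, validates, verdict in triage(SAMPLE_FILES, REVOCATIONS):
        print(f"{path}\n  OS would validate: {validates}\n  hunt verdict: {verdict}")
```

In practice the signer thumbprint comes from a signature inspector such as PowerShell's `Get-AuthenticodeSignature` (its `SignerCertificate` property) and the revocation date from the CA's CRL; the point of the split between `signature_still_validates` and `hunt_verdict` is that the first sample file passes the platform check yet is still flagged, which is the residual exposure the revocation left behind.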
The disruption proved to be only a temporary setback for the threat actors. Evidence suggests they quickly adapted by migrating to parallel infrastructure. Researchers note the operators have already begun testing a rebranded and updated version of the malware platform, now called DocConnect. Analysis of the coding style and operational patterns indicates the websites and malware agents were likely developed with the assistance of AI tools. Furthermore, investigators assess with moderate confidence that the entity behind TrustConnect has prior connections to the prominent Redline stealer malware ecosystem.
(Source: Help Net Security)