Executive Summary

Remote Monitoring and Management (RMM) tools offer many Information Technology (IT) professionals a streamlined way to configure and manage endpoints. Unfortunately, threat actors abuse RMMs to gain access and persist within corporate networks – causing chaos while blending into legitimate business operations. Attackers steal sensitive information, establish long-term persistence, and sell remote access to the highest bidder. Legacy detection approaches fail against most modern RMM abuse, leaving defenders chasing ghosts in the shadows.

Trinity Cyber has prevented a surge of RMM attacks in the past year – mostly originating from phishing attempts and malicious websites promoted using Search Engine Optimization (SEO). This blog dives into some of the most interesting attacks, showing why context is paramount in stopping RMM attacks.

Common Themes from RMM Attacks

Throughout this research, Trinity Cyber identified several recurring lure themes among RMM attacks, delivered to victims by both phishing and SEO poisoning:

  1. Secure File Delivery – tricking victims into believing there’s a sensitive file just one click away behind a secure portal.

  2. Meeting Transcripts – preying upon employees who need the summary of a meeting they just attended in the form of a transcript.

  3. Software Updates – fooling victims who just want to fix their software (rather than calling the IT department) and quickly get on with their day.

  4. Exclusive Invites – making victims feel included in an increasingly remote workforce by sending an invite to a social gathering or party.

  5. eCards – sending random thank-yous and kudos via eCard (or gift card) that make underappreciated employees curious.

These are just a few of the wide range of RMM-laced phishing and SEO attacks. Attackers continue to innovate, especially with AI-enabled systems and campaigns.


The Importance of Context

RMM software is frequently used to make endpoints more secure: triggering updates, granting trusted access, and enabling remote troubleshooting for users who aren’t savvy with tech. 

On the flip side, RMMs hand attackers a legitimate tool to weaponize, one that shares the capability set of modern Remote Access Trojan (RAT) malware: escalated privileges, screen capture and recording, remote file downloads, remote command-line access, and data exfiltration. At its core, RMM software is designed to provide access to a remote machine the same way a RAT does. The difference is that RMMs often fly under the radar.

Legacy security solutions apply rigid policies to problems that require contextual analysis. Some classify all RMMs as malicious and automatically remove them from endpoints, disrupting legitimate IT administration and reducing the organization’s ability to patch, monitor, and secure systems effectively. Others treat all RMM activity as benign, allowing attackers to abuse legitimate remote access tools for persistence, lateral movement, and data exfiltration without detection. In both cases, the lack of context increases organizational risk rather than reducing it.
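The block-all versus allow-all contrast above, as an added Python example that is not Trinity Cyber's code: a small triage routine run over constructed RMM download events, comparing both rigid policies with one that weighs delivery context (who initiated the download, where it came from, whether the tool is approved). The authorized tool name, vendor host, initiator labels and sample events are all assumed values.

```python
"""Context-aware triage of RMM installer downloads (constructed example, not
Trinity Cyber's FCI code). Compares the two rigid policies the post describes
(block every RMM, allow every RMM) with one that weighs delivery context."""
from dataclasses import dataclass

# Assumed organization settings: approved RMM product and its vendor host.
AUTHORIZED_RMM = {"ExampleRMM"}
AUTHORIZED_SOURCES = {"downloads.examplermm.invalid"}
# Lure themes listed in the post (phishing and SEO poisoning campaigns).
LURE_KEYWORDS = ("secure file", "transcript", "update", "invite", "ecard", "gift card")

@dataclass
class DownloadEvent:
    name: str          # label for the constructed event
    tool: str          # RMM product identified from the installer
    source_host: str   # host the installer was fetched from
    referrer: str      # title/URL of the page that linked to the installer
    initiated_by: str  # assumed labels: "it_admin_console" or "user_browser"

def policy_contextual(ev: DownloadEvent) -> str:
    """Judge the delivery context rather than the binary alone."""
    lure = any(k in ev.referrer.lower() for k in LURE_KEYWORDS)
    approved = ev.tool in AUTHORIZED_RMM and ev.source_host in AUTHORIZED_SOURCES
    if approved and ev.initiated_by == "it_admin_console":
        return "allow"             # sanctioned admin push from the vendor host
    if lure:
        return "block"             # lure page: attack even when IT uses this same tool
    if not approved and ev.initiated_by == "user_browser":
        return "block"             # unapproved tool fetched by an end user
    return "investigate"           # e.g. unapproved tool pushed by an admin

POLICIES = {
    "block_all": lambda ev: "block",   # rigid: breaks legitimate IT administration
    "allow_all": lambda ev: "allow",   # rigid: lets attacker-delivered RMMs through
    "contextual": policy_contextual,
}

# Constructed sample events: an admin push, two lure-delivered installers
# (one reusing the tool IT already runs), and an unapproved vendor trial.
SAMPLE_EVENTS = [
    DownloadEvent("admin_push", "ExampleRMM", "downloads.examplermm.invalid", "", "it_admin_console"),
    DownloadEvent("phish_transcript", "ExampleRMM", "cdn.lure.invalid", "Your meeting transcript is ready", "user_browser"),
    DownloadEvent("seo_update", "OtherRMM", "fix-my-app.invalid", "Download the latest software update", "user_browser"),
    DownloadEvent("vendor_trial", "OtherRMM", "vendor.other.invalid", "", "it_admin_console"),
]

def triage(events=SAMPLE_EVENTS) -> dict:
    """Return {policy: {event_name: decision}} so the three policies can be compared."""
    return {p: {ev.name: fn(ev) for ev in events} for p, fn in POLICIES.items()}
```

Only the contextual policy lets the admin push through while blocking the lure-delivered copy of the very same tool; block-all stops both and allow-all admits both.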

Defense-in-depth requires context. As defenders, we cannot always judge the intent of a binary based on what it does. Because Trinity Cyber’s Full Content Inspection™ (FCI) inspects the content of network traffic and files, it catches the techniques and context behind malicious RMM attacks while letting legitimate RMMs proceed as intended, providing protection without business interruption or excess noise for the security team.

How to Stop RMM Attacks

Trinity Cyber’s platform stops RMM threats before they ever reach victims. What sets it apart is FCI — a preemptive cybersecurity approach that inspects and stops threats within live network traffic in real time. This approach removes malicious RMMs – from phishing lure to download – transparently while business continues. IT departments can keep using authorized RMMs to monitor, manage, and remotely administer systems, while attackers are thwarted at every step of their campaign.