A sophisticated spam campaign targeting Brazilian organizations has emerged, exploiting legitimate Remote Monitoring and Management (RMM) tools to gain unauthorized access to corporate networks. Discovered in early 2025, this attack campaign specifically targets Portuguese-speaking users through deceptive emails that trick victims into installing commercial RMM software, effectively granting attackers complete control over compromised systems.

Cisco Talos researchers identified that the threat actors are abusing commercial remote monitoring applications including PDQ Connect and N-able Remote Access (formerly associated with SolarWinds). These applications provide comprehensive remote control capabilities that, while intended for legitimate IT management, become powerful backdoors when deployed by malicious actors. Once installed, these tools grant complete access to the victim machine, including remote desktop capabilities, command execution, screen monitoring, keystroke logging, and unrestricted file system access.

Analysis of the attack patterns strongly suggests the operation is run by initial access brokers (IABs), criminal entities specializing in network compromise who subsequently sell that access to other threat actors, including ransomware operators and advanced persistent threat groups. When examining the network traffic generated by these RMM tools, investigators discovered communications disguised as regular business traffic, using HTTPS connections to legitimate domains such as "upload1.am.remote.management" that belong to the RMM provider's infrastructure. The campaign primarily targets Brazil now, but security researchers warn that similar tactics could easily be adapted for other regions, representing an evolving threat that leverages legitimate tools to bypass standard security measures.
The attackers leverage Brazil's electronic invoice system (NF-e) as a social engineering lure, crafting convincing spam messages that appear to originate from financial institutions or telecommunications providers regarding overdue payments or electronic receipts. These malicious communications contain hyperlinks directing victims to Dropbox-hosted files containing installer binaries for legitimate RMM tools. Upon clicking these links, victims download what appears to be invoice-related software but actually installs legitimate RMM tools configured with attacker-controlled parameters. This campaign is particularly effective because the deployed software is digitally signed by recognized vendors, helping it bypass standard security controls.

Evidence indicates the attackers are exploiting the 15-day free trial periods of these RMM solutions, creating multiple trial accounts using disposable email addresses to maintain operational continuity. This complicates detection since the traffic appears legitimate and connects to authorized business services rather than known malicious infrastructure. Cisco Talos analysts noted that this approach provides attackers with a fully-featured backdoor without requiring custom malware development or costly infrastructure investment. Educational and government institutions have also appeared on the target list, indicating a methodical victim selection process designed to maximize potential financial gain or data access.
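As an added illustration of the detection problem the article describes (this is example code written for this page, not code from Cisco Talos or from the article), the Python script below scans constructed web-proxy log lines for the two observables the campaign leaves behind: outbound traffic to the RMM provider's management domain from hosts that are not sanctioned to run an RMM agent, and installer binaries fetched from Dropbox share links. It assumes a simple constructed log format (timestamp, source host, method, URL), a constructed list of sanctioned RMM hosts, and treats the registrable suffix of the domain quoted in the article ("upload1.am.remote.management") as the indicator; the Dropbox host names are assumptions of the example, not indicators published by the researchers.

```python
"""Flag (1) RMM-management traffic from hosts not sanctioned to run RMM agents
and (2) installer downloads from Dropbox share links, over constructed proxy logs."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Suffix of the provider domain quoted in the article ("upload1.am.remote.management").
# Treating the registrable suffix as the RMM indicator is an assumption of this example.
RMM_DOMAIN_SUFFIXES = ("remote.management",)

# Hosts the organisation has authorised to run RMM agents (constructed for the example).
SANCTIONED_RMM_HOSTS = {"it-admin-01"}

# Dropbox download hosts (assumption of this example) and installer extensions to flag.
FILE_SHARE_SUFFIXES = ("dropbox.com", "dropboxusercontent.com")
INSTALLER_EXTENSIONS = (".exe", ".msi")


@dataclass
class Finding:
    source_host: str
    url: str
    reason: str


def domain_matches(hostname, suffixes):
    """True if hostname equals one of the suffixes or is a subdomain of it.
    The leading dot prevents look-alikes such as 'notremote.management' matching."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def parse_proxy_line(line):
    """Parse the constructed format: '<timestamp> <source_host> <method> <url>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, source_host, method, url = parts
    return {"ts": timestamp, "src": source_host, "method": method, "url": url}


def analyze(lines):
    """Return a list of Finding objects for the suspicious lines in the log."""
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        path = parsed.path.lower()
        # RMM management traffic is normal only from hosts allowed to run an agent.
        if domain_matches(host, RMM_DOMAIN_SUFFIXES) and rec["src"] not in SANCTIONED_RMM_HOSTS:
            findings.append(Finding(rec["src"], rec["url"], "rmm-traffic-from-unsanctioned-host"))
        # Installer binaries delivered via file-sharing links match the lure described.
        if domain_matches(host, FILE_SHARE_SUFFIXES) and path.endswith(INSTALLER_EXTENSIONS):
            findings.append(Finding(rec["src"], rec["url"], "installer-download-from-file-share"))
    return findings


# Constructed sample log: one user follows an invoice lure, then the RMM agent
# calls home; an IT admin host talks to the same provider legitimately.
SAMPLE_LOG = [
    "2025-05-08T12:00:01Z finance-pc-07 GET https://www.dropbox.com/s/abc123/NotaFiscal_12345.exe?dl=1",
    "2025-05-08T12:03:15Z finance-pc-07 POST https://upload1.am.remote.management/api/session",
    "2025-05-08T12:05:00Z it-admin-01 POST https://upload1.am.remote.management/api/session",
    "2025-05-08T12:06:30Z finance-pc-07 GET https://www.example.com/index.html",
    "2025-05-08T12:07:00Z hr-pc-02 GET https://www.dropbox.com/s/xyz/report.pdf?dl=1",
    "2025-05-08T12:08:00Z hr-pc-02 GET https://notremote.management/",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}: {f.source_host} -> {f.url}")
```

The sanctioned-host list is the key design choice: because the destination is the vendor's legitimate infrastructure, the only reliable distinguishing signal is which machines are expected to run that agent at all. The look-alike line in the sample shows why the suffix match must be dot-anchored rather than a plain substring test.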
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 08 May 2025 19:40:10 +0000