Who's watching who? Experts reveal criminals using fake enterprise software to gain access to company systems
Someone put in a lot of effort to hide a RAT in plain sight
- Proofpoint uncovered fake RMM tool “TrustConnect” built as cover for RAT malware
- Criminals created website, paid for certificate, tricking firms into $300/month subscriptions
- Tool gave attackers full remote control; linked to Redline infostealer customer
A group of cybercriminals went to great lengths to infect businesses with a remote access trojan (RAT), setting up an entire company, vibe-coding a website, and paying thousands for a legitimate certificate.
In its report, Proofpoint said it was fairly common for cybercriminals to use legitimate remote monitoring and management (RMM) tools in their tech stack. They would trick their victims into installing their tool of choice and sharing login credentials, which would enable them to deploy all sorts of stage-two malware, including infostealers, remote access trojans, or ransomware.
However, what researchers haven’t seen before is criminals building an entirely new product, website and all, that looks legitimate on the surface, but is actually completely malicious. Yet that is exactly what TrustConnect is.
Subscribing for a RAT
“Initially, TrustConnect appeared to be another legitimate RMM tool being abused,” Proofpoint explained.
“Given the sheer number of existing remote administration tools available for threat actors to choose from, and their prevalence in the threat landscape, it could have made sense.”
The crooks built a .com website, and applied for a certificate, paying “thousands of dollars” and going through “additional levels of validation on behalf of the domain holder”. The certificate was revoked on February 6, but any files signed before that date remain valid, it was said.
Companies that don’t spot the trick will actually end up paying $300 a month to use the RMM. What they’re getting instead is a RAT backdoor that grants the attackers full mouse and keyboard controls, as well as the ability to record and stream whatever is on the victim’s screen. Furthermore, the tool provides all the usual RMM features such as file transfer, command execution, or user account control bypass.
While it is impossible to know for certain, Proofpoint said it was “moderately confident” that TrustConnect was developed by a VIP customer of Redline, a popular infostealer.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.