Phishing campaign leverages stolen credentials to deploy legitimate RMM for persistent access

In a technical analysis by KnowBe4, researchers reported that a dual-wave campaign uses stolen email credentials to register with LogMeIn and deploy legitimate Remote Monitoring and Management software to gain persistent remote access to Windows hosts.

KEY FACTS

  • Incident: dual-wave phishing followed by RMM deployment
  • Phishing vector: fake Greenvelope invitation harvesting Outlook, Yahoo, and AOL credentials
  • RMM used: LogMeIn Resolve, installed via a signed GreenVelopeCard.exe
  • Persistence: service settings changed and hidden scheduled tasks created
  • Mitigation: monitor for unauthorized RMM installs and abnormal usage

The attack unfolds in two waves. First, recipients receive bogus invitation emails impersonating Greenvelope that direct them to a phishing URL designed to harvest Microsoft Outlook, Yahoo, and AOL login credentials. Next, the stolen credentials are used to register with LogMeIn and obtain RMM access tokens.

A signed executable named “GreenVelopeCard.exe” carries an embedded JSON configuration that silently installs LogMeIn Resolve and connects the client to an attacker-controlled URL without the user's knowledge. Because the installer is signed, a code-signing check alone will not flag it; the anomaly is the install itself and the unexpected endpoint it reports to.

Once the RMM tool is deployed, the attackers reconfigure its service to run with unrestricted Windows privileges and create hidden scheduled tasks that relaunch the program if it is terminated, giving them persistent remote access that survives a manual kill of the process.

Organizations are advised to monitor for unauthorized RMM installations and unusual usage patterns. No timeline or scope for the campaign was provided.
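The following PowerShell hunt script is an added example written for this article; it is not code from KnowBe4's analysis or from the campaign itself. It covers both the persistence mechanisms described above (service changes and hidden scheduled tasks) and the recommended monitoring for unauthorized RMM installs, by checking the Uninstall registry hives, Win32 services, and scheduled tasks on a Windows host. The name patterns in $RmmPatterns and the empty $ApprovedRmm allow-list are assumptions to be adapted to the RMM products an organization actually sanctions.

```powershell
# Hunt for unsanctioned RMM installs and the persistence pattern described in the article.
# Added example, not from the original report. Run in an elevated PowerShell session.

$RmmPatterns = @('LogMeIn', 'GoTo Resolve', 'GreenVelope')   # assumed: extend with RMM tools your org does not sanction
$ApprovedRmm = @()                                            # assumed: product names your IT team actually deploys

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Name, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; Detail = $Detail })
}

# 1. Installed software: 64-bit, 32-bit (WOW6432Node) and per-user Uninstall hives.
#    A per-user install is itself suspicious for an RMM agent, so HKCU is included.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $app = $_
        foreach ($p in $RmmPatterns) {
            if ($app.DisplayName -like "*$p*" -and $app.DisplayName -notin $ApprovedRmm) {
                Add-Finding 'InstalledSoftware' $app.DisplayName `
                    "Publisher=$($app.Publisher); InstallDate=$($app.InstallDate); Hive=$($app.PSPath -replace '.*::','')"
            }
        }
    }

# 2. Services: match on service name, display name or binary path, and record the
#    account and start mode so a service switched to LocalSystem/Automatic stands out.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $matched = $RmmPatterns | Where-Object {
        $svc.Name -like "*$_*" -or $svc.DisplayName -like "*$_*" -or $svc.PathName -like "*$_*"
    }
    if ($matched) {
        Add-Finding 'Service' $svc.Name "StartName=$($svc.StartName); StartMode=$($svc.StartMode); Path=$($svc.PathName)"
    }
}

# 3. Scheduled tasks: Get-ScheduledTask enumerates hidden tasks too (Hidden only affects the GUI).
#    Many built-in Microsoft tasks are hidden, so the hidden flag alone is reported only outside \Microsoft\;
#    any task whose action launches an RMM binary is reported regardless of path.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $hiddenNonMicrosoft = $task.Settings.Hidden -and ($task.TaskPath -notlike '\Microsoft\*')
    $rmmAction = $RmmPatterns | Where-Object { $actions -like "*$_*" }
    if ($hiddenNonMicrosoft -or $rmmAction) {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" `
            "Hidden=$($task.Settings.Hidden); RunAs=$($task.Principal.UserId); State=$($task.State); Action=$actions"
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No RMM installs, services or suspicious scheduled tasks matched.'
} else {
    $Findings | Sort-Object Category, Name | Format-Table -AutoSize -Wrap
}
```

Run the script across a fleet through your existing management channel and diff the output against a known-good baseline rather than reading it host by host: a legitimate RMM deployment produces the same service account, install path and task set everywhere, while an agent enrolled through a phishing payload shows up on a handful of user workstations with a per-user install, a service running as LocalSystem, or a hidden task outside the \Microsoft\ tree that re-launches the binary.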

WHY IT MATTERS

Trusted administrative tools can be turned into persistent backdoors when attackers gain legitimate access. Monitoring privileged tool registration, installation, and activity can help detect and limit this form of abuse.