Listen to this Post
Introduction:
The lines between legitimate administrative tools and malicious remote access trojans (RATs) are blurring. Recently, Proofpoint and abuse.ch uncovered a sophisticated campaign utilizing fake Remote Monitoring and Management (RMM) tools like “TrustConnect” and “DocConnect” to infiltrate corporate environments. This campaign is particularly dangerous because it weaponizes the trust associated with RMM software, leveraging the very tools IT teams use daily to breach defenses.
Learning Objectives:
- Understand the anatomy of the “FakeRMM” malware campaign and its evolution from legitimate ScreenConnect software.
- Learn how to identify Indicators of Compromise (IOCs) associated with the SoftConnect, HardConnect, and AxisControl variants.
- Gain hands-on experience with network forensics and host-based detection techniques to uncover similar threats.
You Should Know:
- The Anatomy of the FakeRMM Campaign: From ScreenConnect to Malware
The threat actors behind this campaign are employing a classic “Trojan Horse” strategy. Initially, the attackers experimented with legitimate ScreenConnect (ConnectWise) instances, likely to understand the user interface and administrative workflows expected by corporate IT teams. Once they mastered the user experience, they developed custom, malicious installers branded as “TrustConnect,” “DocConnect,” “SoftConnect,” “HardConnect,” and “AxisControl.”
These applications masquerade as helpful RMM tools but are designed to establish persistent, hidden backdoors into victim networks. After initial infection via spear-phishing emails, the malware reaches out to command-and-control (C2) servers, primarily hosted on Contabo GmbH infrastructure in Germany. To analyze a suspicious installer, you can perform static analysis using Linux tools to check for anomalies before execution.
Linux Static Analysis Commands:
Check the file type file TrustConnect_Setup.exe Extract strings to look for malicious URLs or IPs (specifically Contabo IP ranges) strings TrustConnect_Setup.exe | grep -E 'http|https|tcp|contabo|194.163.[0-9]+.[0-9]+' Check the file's hashes for cross-referencing with ThreatFox sha256sum TrustConnect_Setup.exe
2. Network Forensics: Hunting for Contabo C2 Communication
The threat actors show a distinct preference for Contabo servers in Germany. Security teams should monitor outbound traffic for specific patterns. Since the malware mimics RMM tools, it may use standard HTTPS ports (443) but often utilizes custom User-Agent strings or connects to specific URI paths associated with the fake RMM panels.
Windows PowerShell Network Monitoring:
Use the following to detect established connections to suspicious external IPs associated with Contabo.
Check for active connections to specific geographic regions (Germany)
Get-NetTCPConnection -State Established | Where-Object { $<em>.RemoteAddress -like "194.163." -or $</em>.RemoteAddress -like "193.32." } | Format-Table
Monitor DNS cache for recently resolved domains related to the malware
Get-DnsClientCache | Where-Object { $_.Entry -match "softconnect|trustconnect|axiscontrol" }
3. Host-Based Indicators: Hunting the Fake RMM Services
Once installed, these fake RMM tools often register themselves as services to ensure persistence. They may also drop specific DLLs or executables in the `%AppData%` or `Program Files` directories. To identify these on a Windows endpoint, security analysts should look for processes with names resembling legitimate software but originating from unexpected parent processes (e.g., an MS Excel process spawning an RMM executable).
Windows Command Prompt (CMD) Hunting:
List all running services and look for anomalies wmic service get name, displayname, pathname, startmode | findstr /i "softconnect hardconnect axiscontrol docconnect" Check scheduled tasks for persistence (common for RMM tools) schtasks /query /fo LIST /v | findstr /i "connect" Verify digital signatures on suspicious executables sigcheck -a -u "C:\Program Files\TrustConnect\TrustConnect.exe"
4. Malware Detonation Analysis: Understanding the ScreenConnect Legacy
The malware samples suggest the threat actor played with legitimate ScreenConnect before pivoting. This means their payloads may contain leftover configuration data, debug paths, or dependencies that point back to their development environment. By detonating these samples in a sandbox, we can observe that they often attempt to mimic the ScreenConnect handshake process but fail or redirect to malicious IPs.
YARA Rule to Detect FakeRMM Variants:
Create a YARA rule to hunt for the specific strings found in the SoftConnect samples.
rule FakeRMM_SoftConnect {
meta:
description = "Detects SoftConnect fake RMM malware"
author = "Security Analyst"
reference = "abuse.ch"
strings:
$s1 = "SoftConnect" wide ascii
$s2 = "AxisControl" wide ascii
$s3 = "TrustConnect" wide ascii
$c2_string = "contabo" wide ascii
$mutex = "Global\RMM_Fake_Instance" // Hypothetical Mutex
condition:
(uint16(0) == 0x5A4D) and // MZ Header
( ($s1 or $s2 or $s3) and $c2_string )
}
5. Incident Response: Containment and Mitigation
If a fake RMM tool is discovered on a network, immediate containment is required. The attackers likely have live interactive access. Disabling the network interface of the infected host is the first step to prevent data exfiltration. Investigators should then capture memory and disk images for analysis.
Linux Live Response Commands (from IR jump bag):
Capture network connections to show active C2 before isolation sudo netstat -tunap | grep ESTABLISHED Dump process memory of suspicious processes sudo gcore $(pgrep -f "TrustConnect") Check iptables for any rules the malware may have added (rare, but possible) sudo iptables -L -n -v
6. Email Gateway Protections: Analyzing the Lure
The campaign reportedly involves hundreds of emails to corporate recipients. These emails likely contain links to download the fake RMM installers or attachments with the installers. Security teams should analyze email headers to identify the sending infrastructure and block the domains used for hosting (e.g., domains resolving to Contabo IPs).
Linux Mail Header Analysis:
Extract the IPs from the email headers to identify the sending MTA.
Save the email header to a file and grep for IPs
cat email_header.txt | grep -E -o "([0-9]{1,3}.){3}[0-9]{1,3}" | sort -u
Cross-reference these IPs with the IOCs provided on the abuse.ch ThreatFox database: https://lnkd.in/esesP8ya.
What Undercode Say:
- Trust is the Attack Vector: This campaign highlights a critical shift in cyberattacks. By weaponizing the RMM category, attackers bypass traditional security tools that often whitelist administrative software.
- The Contabo Connection: The consistent use of Contabo servers serves as a crucial pivot point for defenders. Monitoring traffic to this specific German provider’s IP ranges can be a high-fidelity indicator of this specific threat, though defenders must be wary of false positives from legitimate customers.
Prediction:
We will see a rise in “Bring Your Own Vulnerable Driver” (BYOVD) tactics combined with these fake RMM tools. Attackers will not just mimic the software; they will leverage legitimate, signed, but vulnerable kernel drivers from real RMM software to disable endpoint detection and response (EDR) agents before deploying their fake RMM payloads, making detection significantly harder.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
