- Huntress uncovered a phishing campaign delivering legitimate RMM tools (Tiflux, UltraVNC, Splashtop, ScreenConnect) to gain persistence and exfiltrate business data
- Attackers lure victims with fake “Network Solutions” service agreement emails, then abuse a vulnerable driver (HwRwDrv.x64) for privilege escalation
- Evidence points to Brazilian infrastructure and targets, with defenses hinging on strict RMM auditing, asset inventories, and log reviews against LOLRMM databases
Cybercriminals are abusing a whole swathe of legitimate programs, including Tiflux, UltraVNC, Splashtop, and ScreenConnect, to take control of business computers, establish persistence, and continuously exfiltrate sensitive data. This is according to security researchers at Huntress, who detailed the new campaign in an in-depth research paper.
The attack starts with a carefully crafted phishing email, usually themed around an “updated Service Agreement from Network Solutions”. The email claims that Network Solutions has modified its pricing statements and services and instructs the target to visit a page where they can review and accept the new terms.
Victims who click the provided link are first asked to complete a CAPTCHA, likely to filter out bots and automated analysis. After that, they are asked to download a “secured document” which is just an installer for Tiflux, a legitimate commercial (albeit fringe) Remote Monitoring and Management (RMM) tool.
Attacks since late February
Together with Tiflux, victims are also served other tools, including 7zip, an outdated version of the UltraVNC remote access tool, and a vulnerable driver called HwRwDrv.x64. The latter seems to be the key here, since it allows for potential privilege escalation.
The attackers then use Tiflux to install either Splashtop or ScreenConnect (or, in some cases, both), before proceeding with the main goal: transmitting live screenshots, running system utilities, establishing persistence, and exfiltrating data.
Huntress saw the attacks in the wild in late February this year. The report doesn’t mention any specific threat actor groups or names, but it does state that Tiflux is a Brazilian tool, and that the threat actor's infrastructure leverages a server domain ending in a Brazilian country-code top-level domain.
In other words, it all points to this being a Brazilian attacker, going after Brazilian targets.
Businesses can defend against RMM abuse by establishing a comprehensive asset inventory of all installed applications, implementing strict application controls, regularly auditing authorized RMMs and cross-referencing them against databases like LOLRMM to find tools frequently abused by threat actors, and reviewing logs for RMM activity.
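The defensive steps above (an inventory of installed software, an allowlist of authorized RMMs, cross-referencing against a watchlist such as LOLRMM, and reviewing logs for RMM activity) can be scripted. The following Python is an added example, not code from Huntress or the article: the watchlist is a hand-written subset built from the tools named in this piece, the `AUTHORIZED_RMM` allowlist, host names, inventory entries and log lines are all constructed, and the log format is an assumed process-creation record rather than any real product's schema. It also flags the pattern the article describes in which one RMM (Tiflux) launches another, which a plain allowlist check would miss when the second tool happens to be authorized.

```python
"""Audit an asset inventory and process-creation logs for RMM abuse.

Constructed example: tool names come from the article above; everything
else (hosts, inventory, log lines, allowlist, log format) is made up.
"""

import re
from dataclasses import dataclass

# RMM tools the article reports being abused. A real deployment would load
# the full LOLRMM export here instead of this hand-written subset.
LOLRMM_WATCHLIST = {"tiflux", "ultravnc", "splashtop", "screenconnect"}

# Vulnerable driver named in the article; any inventory entry naming it is flagged.
WATCHED_DRIVERS = {"hwrwdrv.x64"}

# Assumed organisational allowlist: the one RMM this hypothetical company licenses.
AUTHORIZED_RMM = {"screenconnect"}


@dataclass(frozen=True)
class Finding:
    source: str   # "inventory" or "log"
    host: str
    item: str     # product name or image path that triggered the finding
    reason: str


def rmm_in(text: str) -> set[str]:
    """Return the watchlisted RMM names that appear in text (case-insensitive)."""
    lowered = text.lower()
    return {name for name in LOLRMM_WATCHLIST if name in lowered}


def audit_inventory(inventory: dict[str, list[str]]) -> list[Finding]:
    """inventory maps hostname -> installed product/driver names."""
    findings = []
    for host, entries in inventory.items():
        for entry in entries:
            for name in sorted(rmm_in(entry) - AUTHORIZED_RMM):
                findings.append(Finding("inventory", host, entry, f"unauthorized RMM: {name}"))
            if any(drv in entry.lower() for drv in WATCHED_DRIVERS):
                findings.append(Finding("inventory", host, entry, "known-vulnerable driver present"))
    return findings


# Assumed log line shape (constructed): ts host=... event=process_create image="..." parent="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=process_create\s+'
    r'image="(?P<image>[^"]+)"\s+parent="(?P<parent>[^"]+)"$'
)


def review_logs(lines: list[str]) -> list[Finding]:
    """Flag unauthorized RMM executions and one RMM launching a different RMM."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a process-creation record in the format we understand
        host, image, parent = m["host"], m["image"], m["parent"]
        child_rmm, parent_rmm = rmm_in(image), rmm_in(parent)
        for name in sorted(child_rmm - AUTHORIZED_RMM):
            findings.append(Finding("log", host, image, f"unauthorized RMM executed: {name}"))
        # Tiflux installing Splashtop/ScreenConnect is the chain the article describes;
        # flag it even when the child tool is on the allowlist.
        launched = child_rmm - parent_rmm
        if parent_rmm and launched:
            findings.append(Finding(
                "log", host, image,
                f"RMM {sorted(parent_rmm)[0]} launched another RMM {sorted(launched)[0]}"))
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = {
    "FIN-PC01": ["Tiflux Remote Access", "UltraVNC 1.0.8", "7-Zip 19.00", "HwRwDrv.x64 (driver)"],
    "HR-PC07": ["ScreenConnect Client", "Microsoft Office"],
}

SAMPLE_LOGS = [
    '2025-02-27T10:14:03Z host=FIN-PC01 event=process_create image="C:\\Users\\Public\\Downloads\\tiflux_setup.exe" parent="C:\\Program Files\\Mozilla Firefox\\firefox.exe"',
    '2025-02-27T10:16:41Z host=FIN-PC01 event=process_create image="C:\\Program Files\\Splashtop\\SRServer.exe" parent="C:\\Program Files\\Tiflux\\tiflux.exe"',
    '2025-02-27T10:17:02Z host=FIN-PC01 event=process_create image="C:\\ProgramData\\ScreenConnect Client\\ScreenConnect.ClientService.exe" parent="C:\\Program Files\\Tiflux\\tiflux.exe"',
    '2025-02-27T11:02:10Z host=HR-PC07 event=process_create image="C:\\ProgramData\\ScreenConnect Client\\ScreenConnect.ClientService.exe" parent="C:\\Windows\\System32\\services.exe"',
    "malformed line that the parser should skip",
]


def run_audit() -> list[Finding]:
    return audit_inventory(SAMPLE_INVENTORY) + review_logs(SAMPLE_LOGS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.host}: {f.item} -> {f.reason}")
```

On the constructed data this reports three inventory findings on FIN-PC01 (Tiflux, UltraVNC, the vulnerable driver) and four log findings (the Tiflux and Splashtop executions, plus Tiflux launching Splashtop and then ScreenConnect), while the licensed ScreenConnect client on HR-PC07, started by the service control manager, produces nothing. The substring match is deliberately loose so that version suffixes and install paths still hit; in production, pair it with the signer and hash checks your inventory tooling already provides.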