CYBERSECURITY researchers have disclosed a dual-vector phishing campaign that first harvests account credentials and then abuses legitimate Remote Monitoring and Management (RMM) software for persistent remote access, rather than relying on custom malware.
The attackers first send fake Greenvelope invitation emails to harvest victims’ login details for Microsoft Outlook, Yahoo!, and AOL[.]com accounts, then use the pilfered credentials to register with LogMeIn and generate RMM access tokens for follow-on access, according to KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke.
The subsequent stage delivers an executable named “GreenVelopeCard[.]exe”, signed with a valid code-signing certificate, that silently installs LogMeIn Resolve (formerly GoTo Resolve) and connects it to an attacker-controlled URL, giving the operators persistent remote access to the infected host; because the binary is validly signed, a signature check alone will not stop it. Once the agent is in place, the threat actors alter its service settings to grant unrestricted Windows access and create hidden scheduled tasks that relaunch the RMM tool even if it is manually terminated. The report recommends that organisations monitor for unauthorised RMM installations and unusual RMM usage patterns to counter the threat.
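The two artefacts the article describes, a newly installed RMM service and a hidden scheduled task that relaunches the agent, both leave Windows event records: System event 7045 (a service was installed) and Security event 4698 (a scheduled task was created, which requires the “Audit Other Object Access Events” policy to be enabled). The following detection script is an added example written for this page, not code from KnowBe4 or LogMeIn. It assumes the events have been exported as one JSON object per line with the field names shown in SAMPLE_EVENTS, that the RMM indicator strings and the APPROVED_RMM allowlist are placeholders to be tuned for your estate, and that the file paths and service names in the sample events are constructed for illustration rather than taken from the campaign.

```python
"""Flag unapproved RMM service installs and hidden scheduled tasks that relaunch an RMM agent.

Added example for this article; field names, indicators, allowlist and sample events are
assumptions, not artefacts from the reported campaign.
"""
import json
import re
import xml.etree.ElementTree as ET

# RMM products the organisation has sanctioned (assumption); anything else that matches
# an indicator is reported.
APPROVED_RMM = {"TeamViewer"}

# Substrings that identify common RMM agents in service names, image paths and task commands.
# Placeholder indicator set: extend it with the products seen in your own environment.
RMM_INDICATORS = {
    "LogMeIn Resolve": re.compile(r"logmein|goto\s*resolve|gotoresolve", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
}

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def identify_rmm(text):
    """Return the RMM product whose indicator matches text, else None."""
    for product, pattern in RMM_INDICATORS.items():
        if pattern.search(text):
            return product
    return None


def parse_task_xml(task_xml):
    """Extract the command, arguments and Hidden flag from a 4698 TaskContent document."""
    info = {"command": "", "arguments": "", "hidden": False}
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return info
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the Task Scheduler XML namespace
        text = (elem.text or "").strip()
        if tag == "Command":
            info["command"] = text
        elif tag == "Arguments":
            info["arguments"] = text
        elif tag == "Hidden":
            info["hidden"] = text.lower() == "true"
    return info


def scan_events(lines):
    """Return findings for unapproved RMM services (7045) and tasks that launch an RMM agent (4698)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 7045:
            product = identify_rmm(f"{ev.get('ServiceName', '')} {ev.get('ImagePath', '')}")
            if product and product not in APPROVED_RMM:
                findings.append({"host": ev.get("Computer"), "event": 7045, "product": product,
                                 "severity": "high",
                                 "detail": f"unapproved RMM service installed: {ev.get('ServiceName')}"})
        elif eid == 4698:
            task = parse_task_xml(ev.get("TaskContent", ""))
            product = identify_rmm(f"{task['command']} {task['arguments']}")
            if product and product not in APPROVED_RMM:
                # A hidden task that restarts the agent is the persistence pattern described above.
                findings.append({"host": ev.get("Computer"), "event": 4698, "product": product,
                                 "hidden": task["hidden"],
                                 "severity": "high" if task["hidden"] else "medium",
                                 "detail": f"scheduled task {ev.get('TaskName')} launches an RMM agent"})
    return findings


def _task_xml(command, arguments, hidden):
    """Build a minimal Task Scheduler XML body of the kind carried in a 4698 event (constructed)."""
    return (f'<Task xmlns="{TASK_NS}"><Settings><Hidden>{str(hidden).lower()}</Hidden></Settings>'
            f'<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>'
            f'</Exec></Actions></Task>')


# Constructed sample events: one unapproved install plus its hidden relaunch task, one approved
# product, one benign task and one benign service.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 7045, "Computer": "WS-017", "ServiceName": "LogMeIn Resolve Unattended",
     "ImagePath": r"C:\Program Files (x86)\LogMeIn Resolve\agent.exe"},
    {"EventID": 4698, "Computer": "WS-017", "TaskName": r"\Microsoft\Windows\UpdateCheck",
     "TaskContent": _task_xml(r"C:\Program Files (x86)\LogMeIn Resolve\agent.exe", "--silent", True)},
    {"EventID": 7045, "Computer": "WS-018", "ServiceName": "TeamViewer",
     "ImagePath": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe"},
    {"EventID": 4698, "Computer": "WS-018", "TaskName": r"\Backup\Nightly",
     "TaskContent": _task_xml(r"C:\Tools\backup.exe", "--full", False)},
    {"EventID": 7045, "Computer": "WS-019", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed events the script reports only the two WS-017 records: the LogMeIn Resolve service install and the hidden task that restarts its agent, while the sanctioned TeamViewer install and the unrelated backup task pass. In production, feed it the JSON export from your SIEM or from `wevtutil`, and treat an unapproved RMM finding on a host whose user recently received a phishing email as a priority for isolation rather than a ticket.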