A new security alert has been issued over a computer program that is acting as a silent gateway for intruders. The tool, known by the technical name HEURRemoteAdmin.GoToResolve.gen, is being called a “Potentially Unwanted Application” (PUA) by experts because of the way it hides its activity from the person using the computer.
The findings come from the Lat61 Threat Intelligence Team at Point Wild, a data breach prevention firm. In a report shared with Hackread.com, the team explained how this software can turn a standard work tool into a major security risk.
Background activity you can’t see
Most of us expect to see a pop-up or a loading bar when new software arrives on our machines. But the Lat61 team noted that this tool can install itself “silently” and keep a “persistent presence” by hiding deep in the system within a folder named C:\Program Files (x86)\GoTo Resolve Unattended.
While the program is part of GoTo Resolve (formerly known as LogMeIn), a legitimate service used by IT support, it can be hijacked. Investigation revealed a bundled file called “32000~” inside the installer containing the secret instructions for managing the app. Because it runs in the background without any user interaction, it creates what experts call a “potential attack surface.” This is basically like an unlocked window that a hacker could use to get inside and take control.
A link to ransomware tactics
The most worrying part of the discovery involves a file called the Restart Manager (RstrtMgr.dll). While this is a standard part of Windows, it has a dark history: the library has been used by notorious ransomware like Conti and Cactus, as well as the BiBi wiper, to “terminate interfering processes.”
By loading this component, the software could shut down your antivirus or other security programs, leaving the computer defenseless while a hacker prepares a full-scale attack.
“The RstrtMgr DLL (Restart Manager) is being loaded by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g., Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.”
Lat61 Threat Intelligence Team – Point Wild
Don’t let the ‘official’ signature fool you
For an unsuspecting user, the software looks perfectly safe. It has a valid digital signature from GoTo Technologies USA, LLC, which usually acts as a “green light” for Windows to let it run.
However, as we know, even official tools can be used for the wrong reasons, and researchers at Point Wild also state that “a valid digital signature does not eliminate the risk of misuse.” So, unless this software has been specifically authorised by your company’s security team, it should be treated as a high-level risk and removed to keep your data safe.
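The Restart Manager detection quoted above and the authorisation check can be combined into a small triage script. This is an added example, not code from Point Wild or GoTo; it assumes Sysmon Event ID 7 (image load) records exported as dictionaries, and the baseline list, the `authorised_dirs` parameter and the sample records are constructed for illustration.

```python
import ntpath

# Install folder named in the report (lower-cased for comparison).
GOTO_DIR = r"c:\program files (x86)\goto resolve unattended"
# Assumption: full paths of processes expected to load Restart Manager here.
# Build this from your own baseline; full paths resist name spoofing.
EXPECTED_LOADERS = {r"c:\windows\system32\msiexec.exe", r"c:\windows\explorer.exe"}

def _under(folder, root):
    root = root.lower().rstrip("\\")
    return folder == root or folder.startswith(root + "\\")

def find_uncommon_rstrtmgr_loads(events, authorised_dirs=()):
    """Return findings for Sysmon Event ID 7 (image load) records in which
    RstrtMgr.dll is loaded by a process outside the baseline.
    authorised_dirs (hypothetical parameter): folders approved by security."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if ntpath.basename(ev.get("ImageLoaded", "")).lower() != "rstrtmgr.dll":
            continue
        image = ev.get("Image", "").lower()
        if image in EXPECTED_LOADERS:
            continue
        folder = ntpath.dirname(image)
        # The Signed/Signature fields of Event ID 7 describe the loaded DLL,
        # not the loader, so they are deliberately not used to suppress.
        if any(_under(folder, d) for d in authorised_dirs):
            severity = "info"       # approved tool: keep visible, low priority
        elif _under(folder, GOTO_DIR):
            severity = "high"       # unattended agent nobody authorised
        else:
            severity = "medium"     # some other uncommon loader
        findings.append({"host": ev.get("Computer"), "image": ev.get("Image"),
                         "severity": severity})
    return findings

# Constructed sample records (not real telemetry); exe names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ws-01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll"},
    {"EventID": 7, "Computer": "ws-02",
     "Image": r"C:\Program Files (x86)\GoTo Resolve Unattended\placeholder-agent.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll"},
    {"EventID": 7, "Computer": "ws-03", "Image": r"C:\Users\Public\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\rstrtmgr.dll"},
    {"EventID": 7, "Computer": "ws-02", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]
```

The copy of msiexec.exe outside System32 is still flagged because the baseline matches full paths, not file names.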

Dr. Zulfikar Ramzan, CTO of Point Wild and Head of the Lat61 Threat Intelligence Team, says this is a growing trend, and the software’s ability to hide its tracks signals a “dangerous pre-positioning” of a computer for more destructive strikes.
“GoToResolve is a proof point of a rising trend in malware: the exploitation of legitimate remote administration tools by threat actors. Its silent execution and ability to load the Windows Restart Manager signal a dangerous pre-positioning of the system for subsequent, more destructive attacks.”
