LogMeIn Remote Access Abused in Targeted System Compromise

A sophisticated cyberattack campaign has been uncovered, leveraging LogMeIn Resolve remote access software to gain unauthorized control over user systems.

Security researchers report that the attack begins with a convincingly crafted invoice-themed spam email, designed to trick recipients into opening a malicious PDF attachment.

This campaign highlights the ongoing threat of social engineering tactics and the abuse of legitimate IT tools for malicious purposes.

Attack Chain: From Invoice Email to System Compromise

The initial stage of the campaign involves a spam email that claims to contain an overdue invoice. The email urges the recipient to open an attached PDF, which mimics a standard business document.

Upon opening, the document displays a message prompting the user to update Adobe Acrobat Reader to view the invoice. However, instead of a legitimate update, this prompt initiates the silent installation of LogMeIn Resolve, a legitimate remote access tool.

Once installed, LogMeIn Resolve grants attackers full remote access to the compromised system.

This allows them to execute commands, exfiltrate data, and potentially deploy additional malware, all while operating under the guise of legitimate IT support activity.

Indicators of Compromise (IOCs) Identified

Researchers have identified several key indicators associated with this campaign:

  • Malicious Download URL:
    hxxps[://]overdue-invoices-distributed[.]netlify[.]app/success[.]html
  • Malicious Executables:
    • INV-inv002811.exe
      • Hashes:
        • dbfd65386e28097f2dbe21eadbbdba37
        • 8d50c26c4a9d4325d5febfb6da647fc382dee224db03cee994e6021f9b50941d
    • Attached_Overdue_Statement.exe
      • Hashes:
        • 366205d586e4ebccca7d18307fb7e051
        • e3e183ddee889b999564fc7d4c7c29ea7825faee03b775f2fa7c72263605b1c8
  • LogMeIn Resolve Configuration Data:
    • CompanyID: 7051889796388834818, 2462565644419079679
    • FleetTemplateName: syn-prd-ava-unattended

Defensive Measures and Recommendations

  • Be wary of unsolicited emails, especially those urging immediate action on invoices or account issues.
  • Never install software or updates from prompts in email attachments or from unfamiliar websites. Always update applications directly from official sources.
  • Monitor for the presence of unauthorized remote access tools and scrutinize unexpected remote sessions.
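The last recommendation, turned into a small triage script (an added example, not code from the article or from LogMeIn): it hashes suspect files against the MD5/SHA-256 values published above and checks a hypothetical asset-inventory export of LogMeIn Resolve installs both for the campaign's tenant data and for enrolment in a tenant the organisation does not license. The inventory record shape, the sample hosts and the "approved" CompanyID are assumptions.

```python
import hashlib

# Indicators quoted in the article: MD5 and SHA-256 of the two droppers, and
# the LogMeIn Resolve tenant data found in the unattended-install config.
IOC_HASHES = {
    "dbfd65386e28097f2dbe21eadbbdba37",
    "8d50c26c4a9d4325d5febfb6da647fc382dee224db03cee994e6021f9b50941d",
    "366205d586e4ebccca7d18307fb7e051",
    "e3e183ddee889b999564fc7d4c7c29ea7825faee03b775f2fa7c72263605b1c8",
}
IOC_COMPANY_IDS = {"7051889796388834818", "2462565644419079679"}
IOC_FLEET_TEMPLATE = "syn-prd-ava-unattended"


def file_matches_ioc(data: bytes) -> bool:
    """Hash the bytes both ways, since the published list mixes MD5 and SHA-256."""
    return (hashlib.md5(data).hexdigest() in IOC_HASHES
            or hashlib.sha256(data).hexdigest() in IOC_HASHES)


def flag_resolve_deployments(records, approved_company_ids):
    """Return (host, reason) pairs for Resolve installs worth investigating.

    `records` is a hypothetical asset-inventory export: dicts with 'host',
    'company_id' and 'fleet_template'. Two signals: a direct match on the
    campaign's tenant data, and enrolment in a CompanyID the organisation does
    not license. The second outlives IoC rotation, because the attackers enrol
    victims into a tenant they control rather than the victim's own.
    """
    findings = []
    for rec in records:
        cid = str(rec["company_id"])
        if cid in IOC_COMPANY_IDS or rec.get("fleet_template") == IOC_FLEET_TEMPLATE:
            findings.append((rec["host"], "matches published campaign IoC"))
        elif cid not in approved_company_ids:
            findings.append((rec["host"], f"enrolled in unapproved tenant {cid}"))
    return findings


if __name__ == "__main__":
    # Constructed sample data: one host enrolled in a campaign tenant, one in
    # the organisation's own (assumed) tenant, one in a tenant nobody recognises.
    inventory = [
        {"host": "ws01", "company_id": "7051889796388834818", "fleet_template": "syn-prd-ava-unattended"},
        {"host": "ws02", "company_id": "1000000000000000001", "fleet_template": "corp-helpdesk"},
        {"host": "ws03", "company_id": "2000000000000000002", "fleet_template": "default"},
    ]
    for host, reason in flag_resolve_deployments(inventory, {"1000000000000000001"}):
        print(f"{host}: {reason}")
    print(file_matches_ioc(b"constructed benign file content"))
```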

This campaign underscores the importance of vigilance and skepticism when handling email attachments and software installation prompts.

Even trusted remote access solutions like LogMeIn Resolve can be abused by attackers if deployed without user knowledge.

Organizations and individuals alike should remain alert and ensure robust endpoint protection to defend against such threats.
