Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.
Analysis Summary
This summary is based on the provided context, which primarily highlights the abuse of legitimate Remote Access Tools (RATs) in 2025 attacks, specifically mentioning ConnectWise ScreenConnect.
# Tool/Technique: ConnectWise ScreenConnect (Abused RAT)
## Overview
ConnectWise ScreenConnect is identified as a legitimate Remote Access Tool (RAT) that is being heavily abused by cybercriminals in 2025 attacks to deliver secondary malware and exfiltrate sensitive data.
## Technical Details
- Type: Remote Access Tool (Abused Legitimate Software)
- Platform: Server deployments hosting the ScreenConnect instance (implied targets are Windows environments managed via the tool).
- Capabilities: Provides legitimate remote desktop and control functionalities, abused for persistent access, data theft, and malware delivery.
- First Seen: N/A (The context refers to its abuse level in 2025, not the initial release date).
## MITRE ATT&CK Mapping
Since the context describes the *abuse* of an administrative tool for malicious purposes, the primary tactics revolve around establishing presence and executing actions.
- **TA0003 - Persistence**
- T1546.001 - Event Triggered Execution: Startup or Logon Files (If threat actors establish persistence via the legitimate tool's configuration)
- **TA0005 - Defense Evasion**
- T1218 - Signed Binary Proxy Execution (If leveraging legitimate binaries for execution)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Using existing legitimate communication channels for C2)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Data theft via the existing RAT stream)
## Functionality
### Core Capabilities
- Providing remote access and control over endpoints.
- Used as a vehicle for deploying secondary payloads (other malware).
- Facilitating data theft from compromised environments.
### Advanced Features
- Leveraging a legitimate, trusted management tool (ScreenConnect) to bypass security controls focused on external, unknown malware. (This is the key feature of this abuse pattern).
## Indicators of Compromise
*Note: Specific IOCs for the abuse itself (like IP addresses or specific file hashes for the malicious payload) are not provided in the context. The IOCs focus on the tool's presence.*
- File Hashes: N/A (Not provided)
- File Names: N/A (Not provided)
- Registry Keys: N/A (Not provided)
- Network Indicators: N/A (the abuse rides on ordinary ScreenConnect traffic; detection would require matching destination domains/IPs against known malicious ConnectWise relay servers or hijacked instances).
- Behavioral Indicators: Outbound connections from the ScreenConnect client or server to unauthorized external hosts, and rapid data transfer immediately after a session is established.
## Associated Threat Actors
The context indicates widespread abuse by "cybercriminals" in 2025, but does not name specific threat groups associated with this particular campaign.
## Detection Methods
- Signature-based detection: Difficult, as the tool itself is legitimate software. Requires signatures targeting known malicious configurations or secondary payloads delivered via ScreenConnect.
- Behavioral detection: Monitoring for anomalous administration sessions, excessive data transfer over the ScreenConnect port, or post-access execution of suspicious commands.
- YARA rules: N/A (Not provided)
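The behavioral indicators and behavioral detection items above, turned into working detection logic as an added example that is not part of the Cofense report or of this summary. It runs over constructed sample connection-log lines; the process name, log format, relay allowlist and thresholds are all assumptions to be adapted to the environment.

```python
"""Detection logic for the behavioural indicators above: ScreenConnect contact with
hosts outside an allowlist, and rapid data transfer right after a session starts."""
from collections import defaultdict
from datetime import datetime

# Constructed sample connection-log lines (not from the report):
# timestamp, process, destination host, bytes sent.
SAMPLE_LOG = """\
2025-05-12T09:00:01 ScreenConnect.ClientService.exe relay.corp-rmm.example 2048
2025-05-12T09:00:04 ScreenConnect.ClientService.exe relay.corp-rmm.example 4096
2025-05-12T11:15:00 ScreenConnect.ClientService.exe 203.0.113.77 1024
2025-05-12T11:15:20 ScreenConnect.ClientService.exe 203.0.113.77 52428800
2025-05-12T11:16:00 chrome.exe www.example.com 8192
"""

# Relay hosts the organisation's own ScreenConnect deployment is expected to use (assumed).
ALLOWED_RELAYS = {"relay.corp-rmm.example"}
# Thresholds are assumptions; tune them to the environment.
BURST_WINDOW_SEC = 60
BURST_BYTES = 10 * 1024 * 1024  # 10 MiB within the window after first contact

def parse_lines(text):
    """Parse the assumed whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        ts, proc, host, sent = line.split()
        events.append((datetime.fromisoformat(ts), proc, host, int(sent)))
    return events

def detect(events):
    """Return (rule, host) alerts in the order they fire, one per rule and host."""
    alerts = []
    first_seen = {}              # host -> time of first ScreenConnect contact
    sent_in_window = defaultdict(int)
    for ts, proc, host, sent in sorted(events):
        if not proc.lower().startswith("screenconnect"):
            continue  # only the ScreenConnect client/server process is of interest
        if host not in ALLOWED_RELAYS and ("unauthorized_host", host) not in alerts:
            alerts.append(("unauthorized_host", host))
        start = first_seen.setdefault(host, ts)
        if (ts - start).total_seconds() <= BURST_WINDOW_SEC:
            sent_in_window[host] += sent
            if sent_in_window[host] >= BURST_BYTES and ("rapid_transfer", host) not in alerts:
                alerts.append(("rapid_transfer", host))
    return alerts

if __name__ == "__main__":
    for rule, host in detect(parse_lines(SAMPLE_LOG)):
        print(f"ALERT {rule}: {host}")
```

On the constructed sample the allowed relay produces no alerts, while the unlisted host fires first for being unauthorized and then for moving over 10 MiB within a minute of first contact.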
## Mitigation Strategies
- Prevention measures: Strict network segmentation, limiting external access to ScreenConnect/management tools, and ensuring MFA is enforced universally.
- Hardening recommendations: Regularly patching the ConnectWise ScreenConnect server, implementing least privilege for access accounts, and monitoring configuration changes.
## Related Tools/Techniques
- **Splashtop:** Mentioned alongside ConnectWise as another legitimate RAT being abused in 2025 attacks.
- **General RAT Abuse:** Techniques leveraging legitimate software for initial access or post-exploitation.