Full Report
**$300 a month buys you a backdoor that looks like legit software**

Researchers at Proofpoint late last month uncovered what they describe as a "weird twist" on the growing trend of criminals abusing remote monitoring and management software (RMM) as their preferred attack tools.…
Analysis Summary
# Tool/Technique: TrustConnect (RAT)
## Overview
TrustConnect is a Remote Access Trojan (RAT) marketed as a legitimate Remote Monitoring and Management (RMM) product. It is sold under a Malware-as-a-Service (MaaS) or "RATaaS" subscription model. To pass as a real vendor the developers built an elaborate front: a company website, AI-generated product documentation, and a genuine Extended Validation (EV) code-signing certificate (since revoked) that let the binaries clear security software and reputation checks and mislead analysts.
## Technical Details
- **Type:** Remote Access Trojan (RAT) / Malware-as-a-Service (MaaS)
- **Platform:** Windows
- **Capabilities:** Screen streaming, full remote control (HID), file transfer, command execution, and UAC bypass.
- **First Seen:** January 2025 (domain registered 12 January; campaigns observed late January; the EV certificate was revoked on 6 February 2025).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Malicious Link]
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File]
- **[TA0005 - Defense Evasion]**
  - [T1553.002 - Subvert Trust Controls: Code Signing]
  - [T1036 - Masquerading]
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
- **[TA0011 - Command and Control]**
  - [T1219 - Remote Access Software]
## Functionality
### Core Capabilities
- **Remote Desktop Control:** Full mouse and keyboard interaction.
- **Screen Capture:** Real-time streaming and recording of the victim's desktop.
- **File Management:** Ability to upload and download files to/from the compromised host.
- **Command Execution:** Running arbitrary shell commands via a C2 interface.
### Advanced Features
- **Legitimate Digital Signature:** An EV code-signing certificate gives the binaries a trusted publisher identity, so SmartScreen and AV warnings that would normally fire on a Mark-of-the-Web (MotW) tagged download are suppressed rather than bypassed; the file still carries MotW, it simply looks reputable.
- **UAC Bypass:** Built-in capability to escalate or bypass User Account Control prompts.
- **Front-End C2 Portal:** The "business website" serves as the administrative interface for subscribers to manage their infected fleet.
## Indicators of Compromise
- **File Hashes (SHA256):** not included in the source text.
- **File Names:**
  - `MsTeams.exe` (initial dropper, masquerading as Microsoft Teams)
  - `TrustConnectAgent.exe` (primary RAT payload)
  - `DocConnect` (rebranded variant)
  - `SHIELD OS v1.0` (rebranded variant)
- **Network Indicators:**
- `trustconnectsoftware[.]com` (C2 and Marketing domain)
  - `178[.]128[.]69[.]245` (C2 infrastructure)
- **Behavioral Indicators:**
  - RMM-style capabilities (screen streaming, HID control, file transfer) delivered by binaries that are unsigned or signed with a very recently issued certificate.
  - Unexpected outbound traffic to DigitalOcean IP space (`178[.]128[.]x[.]x`); this is a low-confidence triage signal, not an indicator on its own.
## Associated Threat Actors
- **Redline / META infostealer operators or customers:** Attributed with moderate confidence, based on the Telegram handle **@zacchyy09** used for TrustConnect sales and support, which was previously linked to Redline and META infostealer operations disrupted in Operation Magnus.
## Detection Methods
- **Signature-based detection:** Monitor for binaries signed by the TrustConnect EV certificate (revoked 6 February 2025). Match on the signer, not on signature validity: a signature countersigned with a trusted timestamp before the revocation date still verifies as valid unless the CA backdated the revocation, so `SignatureStatus = Valid` must not be treated as benign.
- **Behavioral detection:**
  - "Living off the Land" RMM behaviors (LolRMM) originating from binaries that are not an approved RMM product.
  - `MsTeams.exe` executing from user-writable locations such as `%TEMP%` or `%APPDATA%`. The legitimate Teams clients install as `Teams.exe` (classic) or `ms-teams.exe` (new Teams), so the file name alone is already a weak masquerade.
- **Network monitoring:** Flag connections to the TrustConnect C2 domain or the associated IP address at the proxy, DNS resolver, and firewall.
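The three detection methods above combined into one hunting pass, as an added example written for this summary rather than code from Proofpoint or from the TrustConnect operators. The events are constructed, Sysmon-like dicts (process-create as EventID 1, network-connect as EventID 3); the `Signer` and `SignatureStatus` fields and the literal "TrustConnect" signer match are assumptions, since the report does not give the certificate subject or thumbprint, and should be replaced with the values from your own sample.

```python
"""Hunt for the TrustConnect indicators in this summary over constructed
Sysmon-like events.  Added example; field names and the signer string are
assumptions, not indicators from the report."""
import ntpath
import re

# Indicators from the summary, re-fanged so they match real telemetry.
C2_DOMAINS = {"trustconnectsoftware.com"}
C2_IPS = {"178.128.69.245"}
SUSPECT_IP_PREFIX = "178.128."            # DigitalOcean space; triage only
RAT_FILENAMES = {"msteams.exe", "trustconnectagent.exe"}
# Assumption: the revoked EV certificate's subject contains this string.
SIGNER_PATTERN = re.compile(r"trustconnect", re.I)
# %APPDATA%, %TEMP% and Downloads in the on-disk forms they expand to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata\\roaming|appdata\\local\\temp|downloads)\\",
    re.I,
)


def check_process(ev):
    """Rules for a process-creation event; returns the rule names that fired."""
    hits = []
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() in RAT_FILENAMES and USER_WRITABLE.search(image):
        hits.append("rat_filename_in_user_writable_dir")
    if SIGNER_PATTERN.search(ev.get("Signer", "")):
        # Deliberately ignores SignatureStatus: a timestamped signature made
        # before the 6 Feb 2025 revocation still verifies as "Valid".
        hits.append("signed_by_trustconnect_cert")
    return hits


def check_network(ev):
    """Rules for a network-connection event; returns the rule names that fired."""
    hits = []
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    ip = ev.get("DestinationIp", "")
    if host in C2_DOMAINS or host.endswith(tuple("." + d for d in C2_DOMAINS)):
        hits.append("c2_domain")
    if ip in C2_IPS:
        hits.append("c2_ip")
    elif ip.startswith(SUSPECT_IP_PREFIX):
        hits.append("digitalocean_178_128_prefix")
    return hits


def hunt(events):
    """Return (RecordId, rule) pairs for every rule that fires."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            rules = check_process(ev)
        elif ev.get("EventID") == 3:
            rules = check_network(ev)
        else:
            rules = []
        findings.extend((ev["RecordId"], r) for r in rules)
    return findings


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Signer": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"RecordId": 2, "EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\MsTeams.exe",
     "Signer": "TrustConnect Software (assumed subject)", "SignatureStatus": "Valid"},
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Program Files\DocConnect\TrustConnectAgent.exe",
     "Signer": "TrustConnect Software (assumed subject)", "SignatureStatus": "Revoked"},
    {"RecordId": 4, "EventID": 3,
     "DestinationHostname": "trustconnectsoftware.com", "DestinationIp": "178.128.69.245"},
    {"RecordId": 5, "EventID": 3,
     "DestinationHostname": "", "DestinationIp": "178.128.10.10"},
    {"RecordId": 6, "EventID": 3,
     "DestinationHostname": "teams.microsoft.com", "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for record_id, rule in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

Record 2 fires on both the path and the signer even though its signature reads `Valid`, which is the case the revocation-only approach misses; record 3 shows the payload in a non-suspicious directory still being caught by the signer rule; record 5 is the low-confidence prefix hit that belongs in a triage queue rather than an alert.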
## Mitigation Strategies
- **Certificate Validation:** Make sure endpoints perform online revocation checks (CRL/OCSP) so the 6 February 2025 revocation of the TrustConnect EV certificate is honored, and treat revocation as a detection aid rather than a control: binaries signed and timestamped before the revocation date may still pass Authenticode validation.
- **AppLocker / Windows Defender Application Control (WDAC):** Restrict RMM execution to an explicit allow list of approved products. Pin rules to specific publishers or file hashes rather than "any signed binary"; while its EV certificate was valid, TrustConnect would have satisfied a generic signed-code rule.
- **Email Filtering:** Block unsolicited emails containing links to executable files or "project packages" from external sources.
- **RMM Auditing:** Use tools like the LolRMM project to identify and audit all RMM software present in the environment.
## Related Tools/Techniques
- **ScreenConnect / LogMeIn Resolve:** Often deployed alongside TrustConnect.
- **Redline Infostealer:** Likely shared ownership or customer base.
- **DocConnect / SHIELD OS:** Rebranded variants of the TrustConnect payload.