Full Report
Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods. [...]
Analysis Summary
# Tool/Technique: Remote Monitoring and Management (RMM) Tools (General Use by Threat Actors)
## Overview
RMM tools are legitimate software primarily used for remote administration and support. Threat actors, in this context, deploy these tools to gain persistent, illicit **full remote control** over compromised systems belonging to freight brokers and trucking carriers to facilitate digitized cargo theft.
## Technical Details
- Type: Tool (Legitimate Software Abused)
- Platform: Windows (Inferred from common RMM deployment and credential harvesting tool locations)
- Capabilities: Full remote control, system reconnaissance, credential harvesting, blocking notifications, modifying critical business records (bookings).
- First Seen: Evidence of campaigns deploying these tools identified since January (of the reporting year).
## MITRE ATT&CK Mapping
Mapped from the behaviours the report describes (phishing delivery, installation of a legitimate remote access product, reconnaissance and credential theft, tampering with bookings and notifications):
- **TA0001 - Initial Access:**
- T1566.002 - Phishing: Spearphishing Link (the report describes malicious links; T1566.001 - Spearphishing Attachment applies only where the installer arrives as an attachment)
- **TA0002 - Execution:**
- T1204.002 - User Execution: Malicious File (the victim runs the downloaded RMM installer EXE/MSI)
- **TA0011 - Command and Control:**
- T1219 - Remote Access Software (the RMM agent itself is the control channel; it is a signed, legitimate product, so it does not fit T1218, System Binary Proxy Execution (formerly Signed Binary Proxy Execution), which covers abusing trusted system binaries to run other code)
- **TA0003 - Persistence:**
- T1543.003 - Create or Modify System Process: Windows Service (RMM agents typically register as a service so access survives reboots and logoffs)
- **TA0007 - Discovery:**
- T1082 - System Information Discovery
- **TA0006 - Credential Access:**
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (WebBrowserPassView dumps saved browser credentials)
- **TA0005 - Defense Evasion:**
- T1564.008 - Hide Artifacts: Email Hiding Rules (applicable where dispatcher notifications are suppressed with mailbox rules; the report does not state the mechanism)
- **TA0040 - Impact:**
- T1565.001 - Data Manipulation: Stored Data Manipulation (altering cargo bookings and shipment details)
## Functionality
### Core Capabilities
- Establishing persistent, unauthorized remote access to target systems.
- Modifying existing cargo bookings and shipment details.
- Disrupting defensive measures by blocking dispatcher email notifications.
- Adding attacker-controlled devices to legitimate dispatcher phone extensions for direct communication.
### Advanced Features
- **Impersonation:** Using the compromised carrier’s official MC email and FMCSA-listed phone number to interact with brokers and authorize fraudulent load pickups.
- **Tool Chaining:** RMMs are often used in tandem (e.g., PDQ Connect installing ScreenConnect and SimpleHelp).
- **Post-exploitation actions:** Conducting system/network reconnaissance followed by credential harvesting.
## Indicators of Compromise
- File Hashes: (Not provided in the text)
- File Names: Executables or installer MSI files downloaded after clicking malicious links. Installers for known RMMs (ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, LogMeIn Resolve).
- Registry Keys: (Not explicitly provided)
- Network Indicators: Compromised load board accounts used for posting fraudulent listings; network activity associated with established RMM sessions.
- Behavioral Indicators: Execution of MSI installers or executables shortly after a user follows an email link; outbound connections from dispatcher workstations to RMM relay hosts or ports that IT did not provision; one RMM agent spawning another RMM's installer; unexpected changes to dispatch system settings or mailbox rules that hide or delete dispatcher notifications.
## Associated Threat Actors
While the specific threat group is not named, the activity is linked to **organized crime groups** working to compromise entities within the surface transportation industry for financial gain (digitized cargo theft).
## Detection Methods
- Signature-based detection: Hash-based signatures are of limited value here. The installers are legitimate, signed vendor binaries, and some (ScreenConnect, for example) are generated per server instance with the relay details embedded, so a hash seen in one intrusion rarely recurs. Where hashes are available they can still confirm a specific sample.
- Behavioral detection: Alerting on the execution of legitimate RMM installers/executables from unusual sources (e.g., a user's Downloads or Temp folder, spawned by a browser or mail client after email interaction); alerting on one RMM agent spawning the installer of another RMM; monitoring network traffic for RMM agent-to-relay connections from hosts that IT never enrolled.
- YARA rules: (Not provided in the text)
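As an added illustration of the behavioral detections above (example code written for this page, not tooling from the report or from any of the named vendors), the following Python runs three checks over Sysmon-style process-creation events: an RMM installer launched from a user's Downloads/Temp folder or by a mail client or browser, one RMM agent spawning a different RMM's installer (the PDQ Connect to ScreenConnect/SimpleHelp chaining described earlier), and WebBrowserPassView launched through an RMM session. The sample events, host names, paths and instance tags are constructed, and the product keyword table is an assumption to be tuned against your own software inventory.

```python
import json
import re

# Product keywords expected in RMM installer/agent image paths. These substrings
# are an assumption for this example: default binary names differ by version,
# so tune them against your own software inventory.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq-connect": "PDQ Connect",
    "pdqconnect": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "goto resolve": "LogMeIn Resolve",
    "logmein": "LogMeIn Resolve",
}
CRED_TOOL_KEYWORDS = {"webbrowserpassview": "WebBrowserPassView"}
# Parents through which a phishing link or attachment gets opened.
MAIL_AND_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# User-writable locations where a link-delivered installer lands.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per
# line. Host names, paths and the ScreenConnect instance tags are invented.
SAMPLE_EVENTS = r"""
{"Hostname": "WS-DISPATCH-02", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"Hostname": "WS-DISPATCH-02", "Image": "C:\\Users\\dispatcher\\Downloads\\ScreenConnect.ClientSetup.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}
{"Hostname": "WS-DISPATCH-01", "Image": "C:\\Program Files (x86)\\ScreenConnect Client (corp1234)\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Hostname": "WS-DISPATCH-02", "Image": "C:\\Windows\\Temp\\SimpleHelp-Remote-Access.exe", "ParentImage": "C:\\Program Files\\PDQ\\PDQConnectAgent\\pdq-connect-agent.exe"}
{"Hostname": "WS-DISPATCH-02", "Image": "C:\\Users\\dispatcher\\AppData\\Local\\Temp\\WebBrowserPassView.exe", "ParentImage": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.WindowsClient.exe"}
"""


def parse_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_keyword(path, table):
    """Return the product whose keyword appears in the image path, else None."""
    lowered = path.lower()
    for keyword, product in table.items():
        if keyword in lowered:
            return product
    return None


def analyze(events):
    """Return alerts for RMM installs from a phishing context, RMM-to-RMM
    chaining, and credential-dumping tools launched through an RMM session."""
    alerts = []
    for ev in events:
        image, parent = ev["Image"], ev["ParentImage"]
        vendor = match_keyword(image, RMM_KEYWORDS)
        parent_vendor = match_keyword(parent, RMM_KEYWORDS)
        if vendor:
            # Rule 1: installer run from a user-writable path or spawned by the
            # mail client / browser in which the phishing link was opened.
            # An agent started by services.exe from Program Files is not flagged.
            if basename(parent) in MAIL_AND_BROWSER or USER_WRITABLE.search(image):
                alerts.append({"rule": "rmm_from_user_context", "host": ev["Hostname"],
                               "vendor": vendor, "image": image, "parent": parent})
            # Rule 2: one RMM agent installing a different RMM (tool chaining).
            if parent_vendor and parent_vendor != vendor:
                alerts.append({"rule": "rmm_chain", "host": ev["Hostname"],
                               "vendor": vendor, "parent_vendor": parent_vendor,
                               "image": image, "parent": parent})
        tool = match_keyword(image, CRED_TOOL_KEYWORDS)
        if tool:
            # Rule 3: browser credential dumper, noting the RMM that launched it.
            alerts.append({"rule": "credential_tool", "host": ev["Hostname"], "tool": tool,
                           "launched_by_rmm": parent_vendor, "image": image})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed sample, the third event (a ScreenConnect service started by services.exe from Program Files) produces nothing, which is the point of keying on context rather than on the product name: the same binary is flagged only when its parent or its path says it arrived through a user's mailbox or browser.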
## Mitigation Strategies
- Restricting the installation of unapproved RMM tools across the network.
- Implementing stringent email gateway filters: block executable and installer attachments (.EXE, .MSI) and, because this campaign delivers the installer through links, also rewrite or sandbox URLs and block executable downloads at the web proxy.
- Monitoring network activity for unusual connections associated with remote access tools.
- Verifying load negotiations out of band: because the attacker operates from the carrier's real MC email and FMCSA-listed phone number, brokers should confirm pickups through a second, independently obtained channel rather than trusting the contact details already on file.
## Related Tools/Techniques
**Abused RMM Tools Mentioned:**
* ScreenConnect
* SimpleHelp
* PDQ Connect
* Fleetdeck
* N-able
* LogMeIn Resolve
**Other Deployed Malware (Seen in related activities):**
* NetSupport (NetSupport Manager, a commercial remote access tool abused as a RAT; the source groups it with the stealers, but it is not itself an information stealer)
* DanaBot
* Lumma Stealer
* StealC
**Credential Harvesting Tool Used:**
* WebBrowserPassView
# Tool/Technique: ScreenConnect / SimpleHelp / PDQ Connect / Fleetdeck / N-able / LogMeIn Resolve
## Overview
These are legitimate Remote Monitoring and Management (RMM) products being abused by threat actors to gain persistent, full remote control over compromised systems within freight and logistics companies.
## Technical Details
- Type: Tool (Legitimate Software Abused)
- Platform: Various (Primarily Windows environments implied)
- Capabilities: Full remote desktop control, system monitoring, file system access, and configuration modification (e.g., changing routing/bookings).
- First Seen: Evidence of deployment since January (of the reporting year).
## MITRE ATT&CK Mapping
Mapped from the control-channel role the RMM plays once installed:
- **TA0011 - Command and Control:**
- T1219 - Remote Access Software (the RMM agent is the control channel; this is the standard mapping for abused RMM products)
- T1071 - Application Layer Protocol (agent-to-relay traffic rides on HTTPS or the vendor's relay protocol, so it blends with normal egress)
- **TA0003 - Persistence:**
- T1543.003 - Create or Modify System Process: Windows Service (agents register as a service; T1133 External Remote Services describes VPN/RDP-style entry points rather than an installed agent)
## Functionality
### Core Capabilities
- Providing threat actors with the ability to see the screen, manipulate inputs, and control the target host remotely.
- Allowing for configuration changes necessary for cargo diversion (e.g., modifying booking details).
### Advanced Features
- Some RMMs (like PDQ Connect) are observed downloading and installing *other* RMMs, indicating a chained approach to ensure redundancy or access via different protocols/backdoors.
- Ability to operate stealthily or masquerade as legitimate administrative traffic, especially if RMM tools are already whitelisted in corporate environments.
## Indicators of Compromise
- File Hashes: (Not provided in the text)
- File Names: Installers associated with the noted RMM products deployed post-phishing click.
- Registry Keys: (Not explicitly provided)
- Network Indicators: Agent connections to RMM relay or cloud infrastructure (the vendor's hosted service or an attacker-run self-hosted server) from hosts that IT never enrolled; an approved product whose agent reports to an instance other than the corporate one.
- Behavioral Indicators: Installation of secondary RMMs following the installation of a primary one.
## Associated Threat Actors
Organized crime groups targeting the surface transportation sector.
## Detection Methods
- Behavioral detection: Focus on the *source* and *context* of RMM tool installation. If an RMM is installed outside of IT-managed provisioning controls, it should be flagged.
- Network monitoring: Detecting anomalous usage patterns or unusual geographic locations connecting to established RMM tool servers.
## Mitigation Strategies
- Implement a strict allow-list policy for all remote administration tools. If RMMs are necessary, ensure only corporate-managed instances are allowed to function.
- Monitor for unexpected deployments of RMM software.
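The allow-list rule above (only corporate-managed instances may function) and the context-based detection in the preceding section can be expressed as a small policy evaluator over Sysmon-style network-connection events, which carry both the connecting image and the destination host name. The following Python is an added example for this page, not the report's or any vendor's code; the approved relay host, the enrolled-host list, the keyword table and the sample connections are all constructed assumptions.

```python
# Corporate policy (assumptions for this example): a single approved RMM
# product, allowed only when its agent talks to the company's own relay host,
# and only on hosts that IT enrolled. Replace with your real inventory.
APPROVED_RMM = {"ScreenConnect": {"rmm-relay.corp.example"}}
IT_ENROLLED_HOSTS = {"WS-DISPATCH-01", "WS-DISPATCH-02", "SRV-TMS-01"}

# Which RMM product an image belongs to, by keyword in its path. Keywords are
# assumptions; tune them to your software inventory.
RMM_IMAGE_KEYWORDS = {
    "screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
    "pdq-connect": "PDQ Connect", "fleetdeck": "Fleetdeck",
    "n-able": "N-able", "goto resolve": "LogMeIn Resolve", "logmein": "LogMeIn Resolve",
}

# Constructed Sysmon Event ID 3 (network connection) records. Host names,
# destination names and instance tags are invented for this example.
SAMPLE_CONNECTIONS = [
    {"Hostname": "WS-DISPATCH-01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (corp1234)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "rmm-relay.corp.example", "DestinationPort": 443},
    {"Hostname": "WS-DISPATCH-02",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "instance-a1b2c3.screenconnect.example", "DestinationPort": 443},
    {"Hostname": "WS-DISPATCH-02",
     "Image": r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
     "DestinationHostname": "agent.pdqconnect.example", "DestinationPort": 443},
    {"Hostname": "WS-ACCOUNTING-05",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (corp1234)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "rmm-relay.corp.example", "DestinationPort": 443},
    {"Hostname": "WS-DISPATCH-01",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "loadboard.example", "DestinationPort": 443},
]


def rmm_product(image):
    """Return the RMM product an executable path belongs to, or None."""
    name = image.lower()
    return next((p for k, p in RMM_IMAGE_KEYWORDS.items() if k in name), None)


def evaluate(conn):
    """Classify one outbound connection against the policy; None for non-RMM traffic."""
    product = rmm_product(conn["Image"])
    if product is None:
        return None
    finding = {"host": conn["Hostname"], "product": product,
               "destination": f'{conn["DestinationHostname"]}:{conn["DestinationPort"]}'}
    if product not in APPROVED_RMM:
        finding["verdict"] = "unapproved_product"
    elif conn["DestinationHostname"].lower() not in APPROVED_RMM[product]:
        # Same product IT uses, but the agent reports to someone else's instance:
        # the case an allow-list keyed on product name alone would wave through.
        finding["verdict"] = "approved_product_foreign_instance"
    elif conn["Hostname"] not in IT_ENROLLED_HOSTS:
        # Right product, right relay, but IT never provisioned this machine.
        finding["verdict"] = "unenrolled_host"
    else:
        finding["verdict"] = "allowed"
    return finding


def evaluate_all(conns):
    """Findings for every RMM connection, in input order."""
    return [f for f in map(evaluate, conns) if f is not None]


def violations(conns):
    """Only the findings that the policy does not allow."""
    return [f for f in evaluate_all(conns) if f["verdict"] != "allowed"]


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_CONNECTIONS):
        print(finding)
```

The ordering of the checks matters: product first, then instance, then host. The second sample connection is the one the page warns about, a product that is already whitelisted in the environment but pointed at an instance the company does not own, and it is only caught because the policy names the corporate relay host rather than the vendor.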
## Related Tools/Techniques
As in the general section: RMMs are deployed alongside information stealers such as Lumma Stealer and credential recovery utilities such as WebBrowserPassView (a NirSoft tool that dumps saved browser passwords, not a stealer family) for reconnaissance and credential harvesting.