Full Report
Remote administration tools, also known as RATs, are software that provide the ability to manage and control endpoints at remote locations. Recently, there has been an increase in cases where remote administration tools are installed instead of backdoor malware during the initial access or lateral movement phases to control the target system. This is […] The post Infected Systems Controlled Through Remote Administration Tools – Detected by EDR (2) first appeared on ASEC.
Analysis Summary
# Incident Report: Abuse of Legitimate Remote Administration Tools for System Control
## Executive Summary
This incident summary details a growing trend in which threat actors deliberately install legitimate Remote Administration Tools (RATs) such as GotoHTTP, RustDesk, Atera, and ConnectWise ScreenConnect, instead of traditional backdoor malware, during initial access or lateral movement. The tactic works because these tools are legitimate, often signed software, so conventional signature-based anti-malware does not flag them. The primary impact is persistent, largely undetected remote control of compromised systems, which has been linked to ransomware operations (e.g., Akira, BlackSuit, ALPHV/BlackCat, Hive).
## Incident Details
- **Discovery Date:** Ongoing analysis throughout the second half of 2024 (based on observed trends).
- **Incident Date:** Ongoing, with specific observations starting in the second half of 2024.
- **Affected Organization:** Multiple, unspecified organizations targeted via improperly managed MS-SQL servers and LNK file distribution.
- **Sector:** Various, including organizations targeted through MS-SQL server exploitation.
- **Geography:** Not explicitly disclosed; the detections come from AhnLab EDR telemetry, which is largely Korea-centric.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, with specific observation of GotoHTTP installation occurring since the second half of 2024.
- **Vector:** Exploitation of improperly managed MS-SQL servers (observed for GotoHTTP); execution of an LNK file disguised as a PDF document (observed for Atera).
- **Details:** Threat actors chose low-effort entry points: improperly managed MS-SQL servers (typically internet-exposed instances with weak account credentials) or social engineering with LNK files that launch the installer.
### Lateral Movement
- **Details:** Legitimate RATs are installed to facilitate remote control, sometimes taking the place of traditional malware used during this stage. Tools like Atera and ScreenConnect are known to be used by ransomware groups during lateral movement phases.
### Data Exfiltration/Impact
- **Impact:** The direct impact is unauthorized remote control of the host through the installed RAT. Follow-on data theft or ransomware deployment is implied by the association with groups such as Akira and BlackSuit but is not documented in the source.
### Detection & Response
- **How it was discovered:** AhnLab EDR proactively monitored and detected the execution and installation behaviors of these otherwise benign-looking remote administration tools.
- **Response actions taken:** Administrators were alerted by EDR detections (e.g., `Execution/EDR.GotoHTTP.M12139`) allowing them to identify the cause, respond appropriately, and prevent recurrence.
## Attack Methodology
- **Initial Access:** Exploiting vulnerable MS-SQL servers; Social engineering (LNK file disguised as PDF).
- **Persistence:** Achieved by installing the remote control tool itself; agent-style tools such as Atera and ScreenConnect run as Windows services and therefore survive reboots.
- **Privilege Escalation:** Not explicitly detailed. Several of these tools (e.g., GotoHTTP, RustDesk) can run as a portable executable without administrative rights, so escalation is not necessarily required for basic remote control.
- **Defense Evasion:** Key technique; utilizing legitimate, whitelisted remote administration tools (AnyDesk, RustDesk, GotoHTTP, Atera, ScreenConnect) to bypass signature-based anti-malware detection.
- **Credential Access:** Not explicitly detailed; access to an improperly managed MS-SQL server generally implies weak or brute-forced database account credentials.
- **Discovery:** Not detailed.
- **Lateral Movement:** Use of installed RATs to control newly infected hosts.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed. The ransomware groups associated with these tools commonly exfiltrate data before encryption, but the source does not document it for these cases.
- **Impact:** System takeover, enabling subsequent ransomware deployment or other malicious actions.
## Impact Assessment
- **Financial:** Not quantified, but implied via connection to ransomware groups.
- **Data Breach:** Potential for sensitive data loss due to remote access provided to ransomware affiliates.
- **Operational:** Risk of significant operational downtime due to potential ransomware deployment following system compromise.
- **Reputational:** Risk associated with compromise by notorious ransomware groups.
## Indicators of Compromise
*(The source lists EDR detection names rather than file hashes or IP addresses.)*
- **Network indicators:** Not detailed. The tools connect to their vendors' standard relay infrastructure, so network traffic alone does not distinguish malicious use from legitimate use.
- **File indicators:** Not detailed.
- **Behavioral indicators (EDR detection names):**
  - `Execution/EDR.GotoHTTP.M12139`
  - `Execution/DETECT.RustDesk.M12042`
  - `Execution/EDR.Atera.M11764`
  - `Execution/EDR.ScreenConnect.M11766`
## Response Actions
- **Containment measures:** Using the EDR alerts to identify hosts running unsanctioned RATs (GotoHTTP, RustDesk, Atera, ScreenConnect) so that they can be isolated and the remote sessions terminated.
- **Eradication steps:** Removing unauthorized remote access software.
- **Recovery actions:** Restoring affected systems and hardening initial access vectors (e.g., securing MS-SQL servers).
## Lessons Learned
- Traditional anti-malware products have significant limitations in detecting and blocking legitimate remote administration tools when they are being abused maliciously.
- Threat actors are intentionally pivoting to using legitimate software to achieve stealthier persistence and control.
- Tools like GotoHTTP, RustDesk, Atera, and ScreenConnect are being actively leveraged by prominent threat actors, including ransomware affiliates.
## Recommendations
- **Implement Behavior-Based Endpoint Detection:** Deploy an Endpoint Detection and Response (EDR) solution capable of behavior-based detection rather than relying solely on signature-based anti-malware.
- **Monitor Legitimate Software Usage:** Establish specific monitoring rules for the execution and installation of known remote administration tools, even those allowlisted for business use: alert on any tool that is not sanctioned, on a sanctioned tool running from an unexpected path, and on launches by unexpected parent processes (a database engine, a shell, or a script host).
- **Harden Initial Vectors:** Patch and harden exposed systems, in particular MS-SQL servers: remove direct internet exposure, enforce strong credentials for the sa and other administrative accounts, and disable xp_cmdshell where it is not required.
- **User Awareness:** Increase awareness regarding LNK files and social engineering that leads to the installation of remote control software.
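The monitoring rule recommended above, written out as an added example (not code from the ASEC post or from AhnLab): it runs over constructed process-creation events in a `key=value` form similar to a Sysmon Event ID 1 record and raises an alert when a remote administration tool is not sanctioned, runs outside its approved install path, or is launched by a parent that should never start a remote-control client. The executable names, the sanctioned-tool allowlist, the suspicious-parent list and the sample events are assumptions for illustration and must be tuned to the environment.

```python
"""Policy check for remote administration tool (RMM/RAT) launches.

Added example, not AhnLab/ASEC code. Binary names, approved paths, parent
heuristics and the sample events below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumed executable names (lowercase) of the tools named in the report.
RMM_BINARIES = {
    "gotohttp.exe": "GotoHTTP",
    "rustdesk.exe": "RustDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
}

# Assumed organisational policy: sanctioned tool -> regex its image path must match.
SANCTIONED_PATHS = {
    "Atera": re.compile(r"^c:\\program files\\atera networks\\", re.I),
}

# Parents that have no business launching a remote-control client.
# sqlservr.exe / cmd.exe cover xp_cmdshell-style execution on an exposed
# MS-SQL server; the shells and script hosts cover LNK-launched droppers.
SUSPICIOUS_PARENTS = {
    "sqlservr.exe", "cmd.exe", "powershell.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


@dataclass
class Alert:
    host: str
    tool: str
    image: str
    reasons: list


def parse_event(line: str) -> dict:
    """Parse one 'Key=value' / 'Key="quoted value"' line into a dict (keys lowercased)."""
    fields = {}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line):
        fields[m.group(1).lower()] = m.group(2).strip('"')
    return fields


def basename(path: str) -> str:
    """Last path component, lowercased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict):
    """Return an Alert if the event is a policy-violating RMM launch, else None."""
    image = ev.get("image", "")
    tool = RMM_BINARIES.get(basename(image))
    if tool is None:
        return None  # not a remote administration tool
    reasons = []
    allowed = SANCTIONED_PATHS.get(tool)
    if allowed is None:
        reasons.append(f"{tool} is not a sanctioned remote administration tool")
    elif not allowed.match(image):
        reasons.append(f"{tool} running outside its approved install path")
    parent = basename(ev.get("parentimage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    if not reasons:
        return None  # sanctioned tool, approved path, benign parent
    return Alert(ev.get("host", "?"), tool, image, reasons)


def scan(lines):
    """Evaluate every event line and return the alerts raised."""
    return [a for a in (evaluate(parse_event(line)) for line in lines) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'Host=ws01 Image="C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe" ParentImage="C:\\Windows\\System32\\services.exe" User="NT AUTHORITY\\SYSTEM"',
    'Host=sql01 Image="C:\\Windows\\Temp\\GotoHTTP.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" User="NT Service\\MSSQLSERVER"',
    'Host=ws02 Image="C:\\Users\\jdoe\\Downloads\\rustdesk.exe" ParentImage="C:\\Windows\\explorer.exe" User="CORP\\jdoe"',
    'Host=ws03 Image="C:\\Program Files (x86)\\ScreenConnect Client (abc)\\ScreenConnect.ClientService.exe" ParentImage="C:\\Windows\\System32\\services.exe" User="NT AUTHORITY\\SYSTEM"',
    'Host=ws04 Image="C:\\Users\\Public\\AteraAgent.exe" ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" User="CORP\\jdoe"',
    'Host=ws01 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" User="CORP\\jdoe"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.tool}: {'; '.join(alert.reasons)} ({alert.image})")
```

The sanctioned Atera agent running from its install directory under services.exe raises nothing; the same binary dropped into C:\Users\Public and started by PowerShell raises two findings. Mapping the tool name rather than the raw path lets one rule cover a sanctioned product that is also being abused, which is exactly the case this report describes.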