Full Report
Cybersecurity researchers are warning of a new campaign that's targeting Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software since January 2025. "The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox," Cisco Talos
Analysis Summary
This summary focuses on the primary campaign described in the article, which abuses RMM software in Brazil, and also briefly lists the other campaigns mentioned for context.
# Tool/Technique: N-able RMM Remote Access & PDQ Connect (Abuse)
## Overview
A recent spam campaign targeting Portuguese-speaking users in Brazil since January 2025 uses fake NF-e (Brazilian electronic invoice system) lures to trick victims into installing legitimate trial versions of commercial remote monitoring and management (RMM) software, such as N-able RMM Remote Access and PDQ Connect. This grants threat actors initial access and remote control, often followed by the installation of secondary malware such as ScreenConnect. The activity is attributed to an Initial Access Broker (IAB).
## Technical Details
- Type: Tool (Abused Legitimate Software)
- Platform: Windows (Implied by RMM targets and context)
- Capabilities: File system access (read/write), remote command execution, persistence mechanisms (via legitimate software installation).
- First Seen: January 2025
## MITRE ATT&CK Mapping
*Note: Mapping reflects the abuse of RMM tools for initial access and control.*
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Via malicious links in emails)
- T1078 - Valid Accounts (Implied through exploitation of RMM free trials using legitimate keys/accounts)
- T1021 - Remote Services
- T1021.004 - Server Software (Abusing the RMM agent functionality)
## Functionality
### Core Capabilities
- Initial access provision via socially engineered emails (Brazilian NF-e lures).
- Installation of fully-featured, digitally signed remote access agents (N-able RMM, PDQ Connect).
- File system manipulation on the compromised host.
### Advanced Features
- Use of legitimate, signed RMM tools reduces immediate suspicion from security controls.
- Potential for secondary payload deployment (e.g., ScreenConnect) after initial access is established via the first RMM agent.
- Cost-effective for attackers as they leverage free trial versions.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [A binary installer for the RMM tool]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [C2 communication uses legitimate infrastructure provided by the RMM vendor]
- Behavioral Indicators: Execution of initial installation binaries obtained from Dropbox links delivered via spam email related to financial/billing issues.
## Associated Threat Actors
- Initial Access Broker (IAB) (Assessed with high confidence).
## Detection Methods
- Signature-based detection: Detection of specific RMM installer binaries or malicious Dropbox links.
- Behavioral detection: Monitoring for the initial installation and subsequent execution of non-standard RMM agents, especially when triggered by suspicious email activity (NF-e lures).
- YARA rules: [Not provided in the text]
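The behavioral detection described above, as an added example that is not from the article or from Cisco Talos: it runs over constructed process-creation events in an assumed simplified JSON schema, flags RMM installers launched from a user download (Dropbox or a browser/mail-client parent), and then flags a second RMM installer on the same host within 24 hours, the "first agent, then ScreenConnect" pattern. The RMM name fragments, parent-process list and file paths are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample events (not from the article). Key names are an assumed
# simplified schema; a real pipeline would map Sysmon Event ID 1 / EDR fields.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-02-03T14:02:11Z", "host": "WS-FIN-07",
     "image": "C:\\Users\\ana\\Downloads\\NF-e_Fatura_nable_RemoteAccess.exe",
     "parent": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "zone_url": "https://www.dropbox.com/scl/fi/EXAMPLE/NF-e.exe?dl=1"},
    {"ts": "2025-02-03T14:09:40Z", "host": "WS-FIN-07",
     "image": "C:\\Windows\\Temp\\ScreenConnect.ClientSetup.msi",
     "parent": "C:\\Windows\\System32\\msiexec.exe", "zone_url": ""},
    {"ts": "2025-02-03T15:00:00Z", "host": "WS-IT-01",   # legitimate admin push
     "image": "C:\\Temp\\PDQConnectAgent.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "zone_url": ""},
])

RMM_MARKERS = ("n-able", "nable", "pdq", "screenconnect")       # assumed
USER_FACING_PARENTS = ("firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe")
FILE_SHARE_HOSTS = ("dropbox.com",)
SECONDARY_WINDOW = timedelta(hours=24)

def is_rmm_installer(image: str) -> bool:
    name = PureWindowsPath(image).name.lower()
    return any(m in name for m in RMM_MARKERS)

def suspicious_source(ev: dict) -> bool:
    """Download came from a file-sharing host, or a browser/mail client spawned it."""
    host = urlparse(ev.get("zone_url", "")).hostname or ""
    from_share = any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS)
    parent = PureWindowsPath(ev.get("parent", "")).name.lower()
    return from_share or parent in USER_FACING_PARENTS

def detect(log_text: str) -> list:
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    initial_by_host, findings = {}, []
    for ev in events:
        if not is_rmm_installer(ev["image"]):
            continue
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if suspicious_source(ev):
            initial_by_host[ev["host"]] = t
            findings.append({**ev, "reason": "rmm_installer_from_user_download"})
        elif ev["host"] in initial_by_host and t - initial_by_host[ev["host"]] <= SECONDARY_WINDOW:
            findings.append({**ev, "reason": "secondary_rmm_after_initial_access"})
    return findings
```

The PDQ Connect agent pushed by `services.exe` on WS-IT-01 is deliberately not flagged, since the same tools are routinely deployed by administrators; the signal is the download path and the chaining, not the product name alone.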
## Mitigation Strategies
- N-able has disabled affected trial accounts.
- Enhanced scrutiny of emails containing financial/billing lures, especially those referencing NF-e systems.
- Reviewing endpoint allowances for the installation of commercial RMM trial software.
- Implementing strict application control policies to limit unauthorized software installation.
## Related Tools/Techniques
- **Associated Malware/Threats mentioned in the article context:** Grandoreiro (related to Hive0148 campaign), Formbook, Ratty RAT, AsyncRAT.
- **Associated Attack Techniques mentioned in the article context:** AitM phishing (Tycoon 2FA), use of encoded JavaScript in SVG, abuse of Cloudflare tunneling.
***
### Summary of Other Mentioned Campaigns (Contextual Information)
The article also notes an increase in sophisticated phishing campaigns utilizing various techniques:
| Threat/Malware | Associated Actor | Primary Lure/Technique | Targeted Region | Key Capability |
|---|---|---|---|---|
| **Grandoreiro** | Hive0148 | Spam/Phishing | Mexico, Costa Rica | Banking Trojan |
| **GetShared** Abuse | N/A | Legitimate file-sharing service abuse | N/A | Malware distribution |
| **Formbook** | N/A | Sales order-themed lures, MS Word (CVE-2017-11882) | Poland (Implied) | Infostealer |
| **Ratty RAT** | N/A | Invoice/PDF Lures, Geofencing | Spain, Italy, Portugal | RAT (Remote Command Execution, Keystroke Logging) |
| **Tycoon 2FA** | N/A | AitM Phishing Kit, Milanote App Abuse | N/A | Credential Harvesting (MFA bypass) |
| Various Techniques | N/A | Encoded JS in SVG, PDF attachments, OneDrive URL rendering, MHT payloads | N/A | Credential Harvesting/Phishing |
| **AsyncRAT** | N/A | Abuse of Cloudflare TryCloudflare tunneling | N/A | Malware Deployment |