Full Report
Researchers at phishing defense company Cofense say hackers are spreading a malicious remote access tool through a fake Binance page that offers access to the TRUMP coin.
Analysis Summary
# Tool/Technique: ConnectWise RAT
## Overview
ConnectWise RAT (Remote Access Tool) is being distributed via a sophisticated phishing campaign impersonating the **Binance** cryptocurrency platform. The goal of the campaign is to trick victims into downloading and installing a malicious version of this legitimate remote access software, which grants threat actors immediate remote control over the infected machine for information theft.
## Technical Details
- Type: Tool (Abused Legitimate Software/Remote Access Trojan)
- Platform: Windows (Implied by targeting standard desktop applications)
- Capabilities: Immediate remote control takeover, connection established within 2 minutes, targeted password theft from browsers.
- First Seen: General tool abuse noted recently by Cofense, with specific campaign activity highlighted.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied delivery mechanism)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- **TA0009 - Collection**
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Password Managers
## Functionality
### Core Capabilities
- Establishing immediate remote control over infected hosts (often within 2 minutes of check-in).
- Capability to impersonate legitimate software installers (e.g., Binance desktop platform).
- Easy to set up and free to use, contributing to its popularity among various threat actor skill levels.
### Advanced Features
- **Rapid Takeover:** Threat actors actively and swiftly connect to infected hosts, unlike many standard ConnectWise installations where access may be delayed.
- **Targeted Credential Harvesting:** Specifically targets saved passwords from applications like Microsoft Edge, compensating for the RAT's "relative lack of information theft capabilities."
- **Legitimacy Evasion:** Because the tool is technically legitimate, many file hashes associated with its operation cannot be easily blocked as they are shared with legitimate installations.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: Installer file distributed via the phishing link, disguised as legitimate Binance software.
- Registry Keys: [Not specified in the context]
- Network Indicators: [Not specified in the context, communication uses established, legitimate RAT protocols]
- Behavioral Indicators: Immediate remote connection establishment post-infection; attempts to locate and steal saved browser credentials (Microsoft Edge).
## Associated Threat Actors
- Threat actors of varying skill levels, from novice operators to Advanced Persistent Threat (APT) groups, are known to abuse the tool.
- The specific group behind the Binance campaign is currently unknown to researchers at Cofense.
## Detection Methods
- Signature-based detection: Difficult due to the use of legitimate binaries shared with genuine ConnectWise installations.
- Behavioral detection: Monitoring for immediate, unexpected remote control sessions initiated shortly after a new software installation, especially if paired with credential access attempts.
- YARA rules: [Not specified in the context]
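The behavioral rule above, as an added example that is not from the report or from Cofense: a Python correlation over constructed endpoint telemetry that flags a freshly run installer whose process tree opens an outbound session within the two-minute window and then reads the Edge saved-password store. The event field names, installer name, remote address and process paths are assumptions made for the example; only the Edge profile path is the standard one.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real IoCs): installer -> child process ->
# outbound session after 90 s -> read of Edge's "Login Data" credential store.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:00:00", "type": "process_start", "pid": 4100,
     "parent_pid": 900, "image": r"C:\Users\u\Downloads\Binance_Setup.exe"},
    {"ts": "2025-03-01T10:00:40", "type": "process_start", "pid": 4212,
     "parent_pid": 4100, "image": r"C:\Users\u\AppData\Local\remote_client.exe"},
    {"ts": "2025-03-01T10:01:30", "type": "network_connect", "pid": 4212,
     "dest": "198.51.100.7:443"},  # documentation-range address, constructed
    {"ts": "2025-03-01T10:03:10", "type": "file_read", "pid": 4212,
     "path": r"C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
]

# Substrings that identify a browser credential store; Edge is the one the report names.
CRED_STORE_MARKERS = ("\\Microsoft\\Edge\\User Data\\",)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rapid_takeover(events, window_seconds=120):
    """Alert when a new process tree connects out within `window_seconds` of the
    root process starting; escalate if that tree then reads a credential store."""
    events = sorted(events, key=_ts)
    starts = {e["pid"]: e for e in events if e["type"] == "process_start"}
    parents = {pid: e["parent_pid"] for pid, e in starts.items()}

    def root_of(pid):  # walk up to the topmost pid we have a start record for
        while parents.get(pid) in starts:
            pid = parents[pid]
        return pid

    alerts = []
    for root_pid, root in starts.items():
        if parents[root_pid] in starts:  # only evaluate tree roots
            continue
        tree = {p for p in starts if root_of(p) == root_pid}
        deadline = _ts(root) + timedelta(seconds=window_seconds)
        connect = next((e for e in events if e["type"] == "network_connect"
                        and e["pid"] in tree and _ts(e) <= deadline), None)
        if connect is None:
            continue  # no rapid remote session: normal install behaviour
        cred = next((e for e in events if e["type"] == "file_read" and e["pid"] in tree
                     and _ts(e) >= _ts(connect)
                     and any(m in e["path"] for m in CRED_STORE_MARKERS)), None)
        alerts.append({"installer": root["image"], "remote_session": connect["dest"],
                       "seconds_to_connect": int((_ts(connect) - _ts(root)).total_seconds()),
                       "credential_store_read": cred["path"] if cred else None,
                       "severity": "high" if cred else "medium"})
    return alerts
```

Tune `window_seconds` to the environment; a genuine support session will rarely follow an installer within two minutes, which is what makes this sequence stand out.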
## Mitigation Strategies
- Employee training focused on identifying sophisticated social engineering related to cryptocurrency platforms (Binance, TRUMP coin scams).
- Strict application control policies to limit the execution of unapproved remote access tools.
- Endpoint Detection and Response (EDR) systems configured to detect post-installation remote connection activities, particularly those targeting password stores.
- Multi-Factor Authentication (MFA) implementation across all critical user accounts to limit the usefulness of stolen credentials.
## Related Tools/Techniques
- ConnectWise ScreenConnect (The genuine, legitimate software often abused).
- Other remote access tools frequently leveraged in similar phishing campaigns (e.g., ScreenConnect, as noted in related Cofense reports).