When Tools Turn Threats: How Legitimate Remote Control Software Is Being Abused as Remote Access Trojans (RATs)
by Mike Puglia
A Remote Access Trojan (RAT) is a type of malware that allows an attacker to gain full access to a system as if they were physically present on the keyboard. As antivirus and antimalware have improved at detecting malicious applications, bad actors have increasingly turned to using legitimate remote control tools as RATs.
Legitimate remote control tools are often trusted or whitelisted by endpoint security products and firewalls, which offers attackers stealthy access to compromised systems.
Kaseya Labs Data
During recent compromise investigations, the Kaseya Labs SOC Team has found just over 10% of incidents involving the use of legitimate remote control tools as part of the attack chain. In these cases, the remote access tool was installed post-compromise to give the bad actor persistence in the environment. Once established, attackers leverage this access to conduct lateral movement, exfiltration of data and ultimately, if the other techniques were not detected, ransomware deployment.
Additionally, in environments where servers had outbound firewall rules in place, compromised workstations were essentially used as jump servers from within the network to bypass those controls.
What Can You Do About It?
RocketCyber and Datto EDR monitor for legitimate remote control tools and provide the ability to suppress alerts on the vendor you are using to detect “unapproved” tools.
Additionally, we have built a PowerShell script that you can run on Windows endpoints to detect whether popular remote control tools are already running on the machine (i.e. the machine is already compromised). The script detects popular remote control tools and saves the results to a file titled RAS_Detection_.log. It includes detection for: AnyDesk, TeamViewer, Chrome Remote Desktop, LogMeIn, RealVNC, TightVNC, UltraVNC, Remote Utilities, Splashtop, ConnectWise/ScreenConnect, GoToMyPC, Ammyy Admin, AnyViewer, Atera, pcAnywhere, Supremo, Syncro, SuperOps, Zoho, N-able Take Control, DameWare, BeyondTrust (Bomgar).
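To show the shape of such a sweep, here is an added example that is not the Kaseya Labs script: it checks running processes and installed services against a hand-assembled subset of tool name patterns (an assumption; verify them against your own software inventory), lets you mark the vendor you legitimately use as approved so it is logged rather than flagged, and appends the verdict to a per-host log.

```powershell
# Added example: a minimal sweep for known remote control tools on a Windows host.
# This is NOT the Kaseya Labs script. The process/service name patterns below are a
# hand-assembled, representative subset (assumption); validate against your inventory.
param(
    # Tools your organisation legitimately uses; matches are logged as APPROVED, not flagged.
    [string[]]$ApprovedTools = @(),
    [string]$LogPath = (Join-Path $env:ProgramData ("RAS_Detection_{0}.log" -f $env:COMPUTERNAME))
)

# Tool -> wildcard patterns compared against process names (no .exe) and service names.
$Signatures = [ordered]@{
    'AnyDesk'                   = @('AnyDesk*')
    'TeamViewer'                = @('TeamViewer*')
    'Chrome Remote Desktop'     = @('remoting_host*', 'chromoting*')
    'RealVNC'                   = @('vncserver*')
    'TightVNC'                  = @('tvnserver*')
    'UltraVNC'                  = @('winvnc*', 'uvnc_service*')
    'ConnectWise/ScreenConnect' = @('ScreenConnect*')
    'Splashtop'                 = @('SRServer*', 'SplashtopRemoteService*')
    'Atera'                     = @('AteraAgent*')
    'BeyondTrust (Bomgar)'      = @('bomgar*')
}

$processes = Get-Process | Select-Object -ExpandProperty ProcessName -Unique
$services  = Get-CimInstance -ClassName Win32_Service | Select-Object Name, DisplayName, State

# Collect one record per matching process or service, tagged APPROVED or UNAPPROVED.
$findings = foreach ($tool in $Signatures.Keys) {
    $status = if ($ApprovedTools -contains $tool) { 'APPROVED' } else { 'UNAPPROVED' }
    foreach ($pattern in $Signatures[$tool]) {
        foreach ($p in ($processes | Where-Object { $_ -like $pattern })) {
            [pscustomobject]@{ Tool = $tool; Status = $status; Type = 'Process'; Name = $p; State = 'Running' }
        }
        foreach ($s in ($services | Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern })) {
            [pscustomobject]@{ Tool = $tool; Status = $status; Type = 'Service'; Name = $s.Name; State = $s.State }
        }
    }
}

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if (-not $findings) {
    "$stamp  $env:COMPUTERNAME  no known remote control tools found" | Out-File -FilePath $LogPath -Append
} else {
    foreach ($f in $findings) {
        ("{0}  {1}  {2} {3}: {4} '{5}' [{6}]" -f $stamp, $env:COMPUTERNAME, $f.Status, $f.Tool, $f.Type, $f.Name, $f.State) |
            Out-File -FilePath $LogPath -Append
    }
}
# Echo to the console as well so an operator running it interactively sees the verdict.
$findings | Format-Table -AutoSize
```

Run it elevated so service enumeration and the ProgramData log path work; an UNAPPROVED hit on a machine where no one installed that tool is the signal the post describes and warrants an incident-response check rather than a quick uninstall.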
The script can be downloaded below: