2025-09-25 (Thursday): I received an email distributing a malicious installer for an #RMM tool.
More info at https://github.com/malware-traffic/indicators/blob/main/2025-09-25-RMM-tool-distributed-through-email.txt
MSPs don’t struggle because of lack of tools. They struggle because tools don’t talk to each other. 😰
That’s where the DeskDay + Level RMM integration changes the game. It’s not just about connecting systems; it’s about building a workflow that finally makes sense for MSPs.
Here’s how the integration helps your team move faster and smarter.
Read the full breakdown here: https://deskday.com/how-deskday-psa-level-rmm-integration-transforms-msp-operations/
#mspticketing #MSPSolutions #MSP #psaformsp #PSA #helpdeskautomation #level
#rmm #psa #psa
🦠 Malware Analysis
===================
🎯 Threat Intelligence
Executive summary: Recent investigations reveal a repeatable campaign where attackers abuse ConnectWise ScreenConnect installers hosted in open directories to distribute AsyncRAT and a custom PowerShell RAT.
The campaign combines trusted RMM footprints, ClickOnce pivots and payload containers that evade signature-based detection.
Technical details:
• Observed payloads include AsyncRAT and a bespoke PowerShell RAT delivered alongside trojanized ScreenConnect installers.
• Infrastructure enumeration identified multiple hosts (examples: 176.65.139.119, 45.74.16.71, 164.68.120.30) and repeated file names such as logs.ldk, logs.idk, logs.idr ranging from ~60 KB to 3 MB.
• Execution techniques show two distinct code paths: in-memory .NET Assembly.Load for AV‑guarded environments and native injection via libPK.dll::Execute otherwise.
• Persistence mechanisms include scheduled tasks named SystemInstallTask and 3losh with aggressive intervals (every 2–10 minutes).
• Network/C2 tradecraft spans common ports (21/80/111/443) and high ephemeral ranges (30,000–60,000), often wrapped in TLS.
🔹 Attack Chain Analysis
• Initial Access / Phishing: ClickOnce pivots (e.g., police.html → galusa.ac.mz → dual.saltuta.com) delivering a launcher from /Bin/ paths.
• Download: Trojanized ScreenConnect installer retrieved from open directory hosting.
• Execution: Dual paths — Assembly.Load into memory or libPK.dll native injection.
• Persistence: Creation of scheduled tasks with short recurrence.
• C2 / Telemetry: AsyncRAT beaconing over standard and ephemeral ports with TLS.
Impact & analysis: Abusing legitimate RMM installers introduces supply‑chain‑like risk; trusted installer footprints lower detection fidelity and enable long dwell times. Fresh or repackaged containers missing from VirusTotal indicate active re‑use and rapid churn.
Detection guidance:
• Monitor for creation of scheduled tasks named SystemInstallTask/3losh and unusual recurrence intervals.
• Alert on processes performing .NET Assembly.Load from nonstandard locations and on native DLLs named libPK.dll performing injection-like behaviors.
• Hunt for open directory listings exposing logs.ldk|logs.idk|logs.idr and ClickOnce /Bin/ URL patterns.
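The scheduled-task and URL hunts above, turned into a small rule set run over constructed event lines. This is an added example written for this page, not code from Hunt.io or from the report; the key=value event shape, the host names, the example.invalid / 203.0.113.10 URLs and the 10-minute threshold are assumptions chosen for the illustration, while the task names and file names come from the report.

```python
import re
from urllib.parse import urlparse

# Task names called out in the report, compared case-insensitively.
SUSPECT_TASK_NAMES = {"systeminstalltask", "3losh"}
# The report describes recurrence every 2-10 minutes; any task firing at or
# below this threshold is flagged as an aggressive interval (assumed cut-off).
AGGRESSIVE_INTERVAL_MINUTES = 10

# File names seen in the open directories, and the /Bin/ launcher path pattern
# from the ClickOnce pivots; both are matched against the URL path only.
SUSPECT_FILE_RE = re.compile(r"/logs\.(?:ldk|idk|idr)$", re.IGNORECASE)
CLICKONCE_BIN_RE = re.compile(r"/bin/", re.IGNORECASE)

# Constructed, simplified key=value event lines (not real telemetry), in the
# shape a SIEM might normalise task-creation and web-proxy events into.
SAMPLE_EVENTS = [
    "type=task_created name=SystemInstallTask interval_min=5 host=ws01",
    "type=task_created name=3losh interval_min=2 host=ws01",
    "type=task_created name=GoogleUpdateTaskMachine interval_min=60 host=ws02",
    "type=task_created name=BackupNightly interval_min=1440 host=ws03",
    "type=web_request url=http://203.0.113.10/files/logs.ldk host=ws01",
    "type=web_request url=https://example.invalid/Bin/launcher.exe host=ws04",
    "type=web_request url=https://example.invalid/docs/index.html host=ws04",
]


def parse_event(line):
    """Parse one key=value event line into a dict (first '=' splits the pair)."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def task_findings(name, interval_min):
    """Reasons a scheduled-task creation event should be reviewed, if any."""
    reasons = []
    if name.lower() in SUSPECT_TASK_NAMES:
        reasons.append(f"known task name: {name}")
    if interval_min is not None and interval_min <= AGGRESSIVE_INTERVAL_MINUTES:
        reasons.append(f"aggressive interval: every {interval_min} min")
    return reasons


def url_findings(url):
    """Reasons a requested URL matches the open-directory or /Bin/ hunt."""
    path = urlparse(url).path
    reasons = []
    if SUSPECT_FILE_RE.search(path):
        reasons.append(f"open-directory payload name: {path.rsplit('/', 1)[-1]}")
    if CLICKONCE_BIN_RE.search(path):
        reasons.append("ClickOnce-style /Bin/ launcher path")
    return reasons


def hunt(lines):
    """Return (line, reasons) for every event that trips at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "task_created":
            interval = ev.get("interval_min")
            reasons = task_findings(ev.get("name", ""), int(interval) if interval else None)
        elif ev.get("type") == "web_request":
            reasons = url_findings(ev.get("url", ""))
        else:
            reasons = []
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in hunt(SAMPLE_EVENTS):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

The interval check deliberately fires on its own, without a name match, because task names are trivially renamed between campaigns while a 2-10 minute recurrence for a freshly created task is unusual on most fleets; tune AGGRESSIVE_INTERVAL_MINUTES against your own baseline before alerting on it.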
Mitigations:
• Harden RMM deployment processes, restrict installer hosting and validate installer hashes.
• Block or monitor suspicious open directory access and implement strict egress controls for ephemeral port ranges.
• Enforce application allowlisting and endpoint behavioral detections for in-memory assembly loads and DLL injection.
🔹 AsyncRAT #ScreenConnect #ClickOnce #RMM #C2
🔗 Source: https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns
RMM Tools: The Good, The Bad, and the Quietly Terrifying: https://abcbyd.substack.com/p/rmm-tools-the-good-the-bad-and-the
🚨 Job Seekers, watch out! 🚨 Proofpoint researchers have observed multiple email campaigns impersonating job interview invites from real companies and recruiters.
These emails claim to offer opportunities via Zoom or Teams, but instead lead recipients to install remote management tools (RMM) like SimpleHelp, ScreenConnect, or Atera.
Here's what you need to know:
💻 What’s the threat?
While RMM tools are used legitimately by IT teams, in the hands of cybercriminals, they function like remote access trojans (RATs)—granting attackers full access to your computer, data, and finances.
📬 In one case, a hacked LinkedIn account posted a real job description but swapped in a malicious Gmail address. Proofpoint later discovered this address being used to send fake interview invites to job seekers who had applied.
🔍 How are they doing it?
Threat actors may:
• Create fake job listings to harvest emails
• Hack recruiter inboxes or LinkedIn accounts
• Use lists of stolen email addresses
🎯 This trend is part of a broader wave of cyberattacks where RMM/RAS (remote access software) is used as the initial payload—blending in with normal traffic before launching further attacks like data theft or ransomware.
⚠️ If you're job hunting, stay alert:
• Double-check email sender names and domains
• Be wary of .exe files or suspicious URLs
• If something feels off, trust your instinct
Read more from our threat research team on threats using RMM tools: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice