Executive Summary

A new social engineering campaign is abusing user trust and legitimate software to gain persistent access to victim systems. The attack uses a voicemail-themed lure to persuade targets to install a legitimate Remote Monitoring and Management (RMM) tool, Remotely RMM. Unlike attacks that exploit software vulnerabilities, this campaign's success hinges entirely on tricking the user into authorizing the installation. Once the RMM tool is installed, the attacker gains full administrative control over the compromised device, allowing for silent data exfiltration, surveillance, and deployment of additional malware. This tactic is effective because it uses signed, legitimate software that is often trusted by security products, allowing the attacker's activity to blend in with normal administrative traffic.

Threat Overview

The campaign, tracked by security firm Censys, is a classic example of abusing legitimate tools, a technique often referred to as "Living off the Land." The attack flow is simple but effective:

1. Lure: The target receives a phishing email, often appearing to be from a bank or other trusted entity, with a subject line about a new voicemail message.
2. Redirection: A link in the email directs the user to a professionally designed landing page with a button to "listen to your message."
3. Social Engineering: Clicking the button does not play a message. Instead, it initiates a download and prompts the user with a series of instructions to install the Remotely RMM client.
4. Compromise: The user, believing they are installing an audio player or plugin, approves the installation. The RMM client is installed and automatically connects back to an RMM server controlled by the threat actor.

Once the device is enrolled, the attacker has the same capabilities as a legitimate IT administrator, including file system access, remote shell, process management, and screen viewing.

Technical Analysis

The key to this attack is the abuse of Remotely RMM, an open-source RMM solution. The attackers host their own Remotely RMM server and configure the installer to automatically connect to it. Because Remotely RMM is a legitimate tool with a valid digital signature, it is less likely to be flagged as malicious by traditional antivirus software. The campaign has been observed using German-language lures, suggesting a focus on that region, but the technique can be easily adapted for any language or target.

This attack bypasses many technical defenses because it does not rely on an exploit. The user is the one who authorizes the software installation. The attacker's C2 traffic is also difficult to detect, as it is simply legitimate RMM protocol traffic going to the attacker's server.

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link: Use of a link in an email to direct the user to a malicious site.
• T1204.001 - User Execution: Malicious Link: Relies on the user clicking the link to initiate the attack.
• T1219 - Remote Access Software: The core of the attack is the installation of legitimate RMM software for malicious purposes.
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: RMM software typically configures itself to run at startup to maintain persistence.

Impact Assessment

A successful attack results in a complete and persistent compromise of the victim's workstation. The attacker can silently monitor user activity, steal sensitive files and credentials, and use the compromised machine as a beachhead to move laterally within the network. Because the C2 traffic appears as legitimate RMM activity, the compromise can go undetected for long periods. This type of access is highly valuable for both cybercriminals (for financial fraud or ransomware deployment) and espionage actors (for long-term intelligence gathering).

Cyber Observables for Detection

Detection & Response

1. Application Allowlisting: The most effective defense is to implement application allowlisting, preventing any unauthorized software, including unapproved RMM tools, from being executed. This is an application of D3-EAL: Executable Allowlisting.
2. Network Egress Filtering: Block outbound traffic on ports commonly used by RMM tools, except to known, sanctioned RMM servers used by your IT department. This aligns with D3-OTF: Outbound Traffic Filtering.
3. EDR/Asset Inventory: Use an EDR or asset inventory system to maintain a list of all installed software. Regularly scan for and alert on the presence of unauthorized RMM tools like Remotely RMM.

Mitigation

1. User Training: This attack is entirely dependent on social engineering. Train users to be highly suspicious of any request to install software, especially when it originates from an unsolicited email. Teach them to verify such requests through official channels.
2. Restrict Installation Privileges: Enforce the principle of least privilege by removing local administrator rights from standard user accounts. This prevents users from being able to install software like RMM agents.
3. Email Filtering: Enhance email security gateways to better detect and block emails with lures related to voicemails or from suspicious, newly registered domains.