SOC Prime Bias: High

15 Jun 2026 15:51 UTC

From Fiscal Lures to NinjaOne RMM Abuse

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

An active phishing campaign is targeting Brazilian organizations by mimicking common business processes such as fiscal documentation and complaint handling. Rather than deploying conventional malware, the attackers deliver a legitimate NinjaOne Remote Monitoring and Management (RMM) agent that is configured for adversary-controlled access. By relying on trusted enterprise software, the operation is able to sidestep many traditional malware-based defenses.

Investigation

Cato CTRL researchers uncovered the campaign through analysis of Portuguese-language phishing pages and a redirection chain that made use of Google-hosted infrastructure. Their investigation exposed several anti-analysis measures, including Brazil-focused geofencing, browser fingerprinting, and sandbox detection logic. A pivot based on a reused Earth-themed wallpaper image also helped link the activity to additional attacker-controlled domains.

Mitigation

Organizations should enforce strict controls around installation of unauthorized Remote Monitoring and Management tools. Security teams should improve monitoring for unexpected software deployment and carefully verify requests tied to fiscal records or other business-related documents. Blocking the known malicious domains and strengthening email security to detect phishing redirection chains can further reduce exposure.

Response

If this activity is detected, security teams should isolate affected endpoints immediately to stop further access through the RMM agent. Investigators should determine how the NinjaOne installation was initiated and review audit logs for unauthorized administrative actions. Coordination with endpoint management vendors may also be required to identify and disable compromised management profiles.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef evasion fill:#ff99cc
        classDef tool fill:#cccccc
        classDef execution fill:#ccffcc
        classDef operator fill:#ff9900

        %% Node Definitions
        %% Initial Access Phase
        action_phishing["<b>Action</b> – <b>T1566.002 Phishing: Spearphishing Link</b><br/>Attacker sends emails containing links<br/>hidden behind a bc.googleusercontent.com<br/>redirection chain."]
        class action_phishing action

        %% Evasion and Guardrail Phase
        evasion_geofencing["<b>Action</b> – <b>T1665 Hide Infrastructure</b><br/>Use of geofencing to restrict payload<br/>delivery to specific Brazilian IP ranges."]
        class evasion_geofencing evasion
        evasion_keying["<b>Action</b> – <b>T1480.001 Execution Guardrails: Environmental Keying</b><br/>The infrastructure employs environmental<br/>keying to ensure execution only occurs<br/>on target systems."]
        class evasion_keying evasion
        evasion_browser["<b>Action</b> – <b>T1217 Browser Information Discovery</b><br/>The phishing portal collects browser<br/>information to facilitate evasion."]
        class evasion_browser evasion
        evasion_sandbox["<b>Action</b> – <b>T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks</b><br/>Checks for automation frameworks like<br/>Selenium or Puppeteer and validates<br/>human presence via mouse movement."]
        class evasion_sandbox evasion
        op_check(("AND"))
        class op_check operator

        %% Execution Phase
        op_validation(("AND"))
        class op_validation operator
        action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim is socially engineered into<br/>downloading a file appearing as a<br/>business document."]
        class action_user_exec execution
        tool_rmm_installer["<b>Tool</b> – <b>Name</b>: NinjaOne RMM Installer<br/><b>Description</b>: A legitimate RMM agent installer<br/>(e.g., NinjaOne-Agent-DocumentoFiscal) used<br/>to mask malicious intent."]
        class tool_rmm_installer tool

        %% Persistence and Control Phase
        action_software_ext["<b>Action</b> – <b>T1176 Software Extensions</b><br/>Installation of the RMM agent to<br/>extend system capabilities."]
        class action_software_ext execution
        tool_remote_access["<b>Tool</b> – <b>T1219 Remote Access Tools</b><br/>Use of the installed RMM agent for<br/>persistent command and control,<br/>reconnaissance, and command execution."]
        class tool_remote_access tool

        %% Connections
        %% Initial flow
        action_phishing -->|leads_to| evasion_geofencing
        evasion_geofencing -->|leads_to| evasion_keying
        evasion_keying -->|leads_to| op_check
        %% Evasion logic branch
        op_check -->|checks| evasion_browser
        op_check -->|checks| evasion_sandbox
        evasion_browser -->|leads_to| op_validation
        evasion_sandbox -->|leads_to| op_validation
        %% Execution flow
        op_validation -->|if_legitimate| action_user_exec
        action_user_exec -->|downloads| tool_rmm_installer
        tool_rmm_installer -->|facilitates| action_software_ext
        action_software_ext -->|enables| tool_remote_access

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: An adversary is conducting a targeted spearphishing campaign against Brazilian users. The attacker sends an email with the subject “Documento Fiscal” containing a link to a malicious site hosted on sefaz.services. The link redirects through a googleusercontent.com URL to ultimately deliver a NinjaOne RMM agent payload. This simulation will inject a synthetic log entry into the proxy stream that mimics this specific sequence to validate the Sigma rule.

  • Regression Test Script:

    # Python script to simulate the injection of a malicious proxy log entry
    import datetime

    def generate_malicious_log():
        # Timezone-aware UTC timestamp (datetime.utcnow() is deprecated in Python 3.12+)
        timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        # Field values mirror the 'selection_domains' and 'selection_url' logic of the Sigma rule;
        # the IP addresses are synthetic test values, not observed indicators
        log_entry = {
            "timestamp": timestamp,
            "src_ip": "192.168.1.50",
            "dest_ip": "104.21.45.12",
            "url": "https://storage.googleapis.com/googleusercontent.com/payloads/malware.exe",
            "domain": "sefaz.services",
            "subject": "Documento Fiscal - Urgente",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
        }

        print(f"INJECTING SYNTHETIC PROXY LOG: {log_entry}")
        # In a real scenario, this would be sent to a syslog endpoint or ingested via API
        return log_entry

    if __name__ == "__main__":
        generate_malicious_log()

  • Cleanup Commands:

    # No persistent changes are made to the system; 
    # If logs were sent to a live SIEM, delete the specific test entry via SIEM API.
    echo "Simulation complete. No host cleanup required."
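The simulation above only injects the synthetic record; the matching side is what decides whether the regression test passes. The following is an added example, not SOC Prime's detection content and not the Sigma rule the page refers to: a minimal Sigma-style evaluator that runs the two selections named in the script (`selection_domains` on the `domain` field, `selection_url` on the `url` field, joined by AND) over constructed proxy records, plus a second rule over process-creation records keyed on the renamed installer name the attack flow mentions (NinjaOne-Agent-DocumentoFiscal), which covers the "unexpected software deployment" monitoring the Mitigation section calls for. The rule shapes, the `source`/`image` field names, the second rule and all sample records are assumptions; only the indicator strings come from the page.

```python
"""Sigma-style evaluation of the page's indicators over constructed log records.

Added example: not SOC Prime's rule or code. Rule shapes, field names and all
sample records are assumptions; indicator strings are the ones on the page.
"""
import fnmatch
from typing import Dict, Iterable, List, Tuple

# Rules modelled as dicts in the shape a Sigma YAML body would load into (assumed shape).
RULES = [
    {
        "title": "Fiscal-lure redirect chain via googleusercontent.com (example rule)",
        "logsource": "proxy",
        "detection": {
            "selection_domains": {"domain": ["sefaz.services"]},
            "selection_url": {"url|contains": ["googleusercontent.com"]},
            "condition": "selection_domains and selection_url",
        },
    },
    {
        "title": "NinjaOne agent installer renamed as a fiscal document (example rule)",
        "logsource": "process_creation",
        "detection": {
            "selection_image": {"image|contains": ["NinjaOne-Agent-DocumentoFiscal"]},
            "condition": "selection_image",
        },
    },
]


def field_matches(value, spec_key: str, patterns: List[str]) -> bool:
    """Apply the Sigma modifier carried in spec_key ('field|contains', 'field|endswith',
    'field|startswith', or a plain field name meaning case-insensitive wildcard match)."""
    if value is None:
        return False
    value = str(value).lower()
    modifier = spec_key.split("|", 1)[1] if "|" in spec_key else ""
    for pat in patterns:
        pat = pat.lower()
        if modifier == "contains" and pat in value:
            return True
        if modifier == "endswith" and value.endswith(pat):
            return True
        if modifier == "startswith" and value.startswith(pat):
            return True
        if modifier == "" and fnmatch.fnmatchcase(value, pat):
            return True
    return False


def selection_matches(record: Dict, selection: Dict) -> bool:
    """Every field spec inside one selection must match (Sigma map semantics are AND)."""
    for spec_key, patterns in selection.items():
        field = spec_key.split("|", 1)[0]
        if not field_matches(record.get(field), spec_key, patterns):
            return False
    return True


def evaluate(record: Dict, rule: Dict) -> bool:
    """Evaluate a rule's condition; only 'a and b' style conditions are supported here (assumption)."""
    det = rule["detection"]
    names = [n.strip() for n in det["condition"].split(" and ")]
    return all(selection_matches(record, det[n]) for n in names)


def triage(records: Iterable[Dict], rules: List[Dict] = RULES) -> List[Tuple[str, Dict]]:
    """Return (rule title, record) for every record that fires a rule of its log source."""
    hits = []
    for rec in records:
        for rule in rules:
            if rec.get("source") == rule["logsource"] and evaluate(rec, rule):
                hits.append((rule["title"], rec))
    return hits


# Constructed sample records; IPs, hosts and paths are placeholders, not observed IoCs.
SAMPLE_LOGS = [
    {"source": "proxy", "src_ip": "192.168.1.50", "domain": "sefaz.services",
     "url": "https://storage.googleapis.com/googleusercontent.com/payloads/malware.exe"},
    # Benign: a Google-hosted image fetched from an intranet page, only one indicator present.
    {"source": "proxy", "src_ip": "192.168.1.51", "domain": "intranet.example.local",
     "url": "https://lh3.googleusercontent.com/a/photo.jpg"},
    # Lure domain without the redirect chain: the AND condition must not fire.
    {"source": "proxy", "src_ip": "192.168.1.52", "domain": "sefaz.services",
     "url": "https://sefaz.services/login"},
    {"source": "process_creation", "host": "WS-0042",
     "image": "C:\\Users\\ana\\Downloads\\NinjaOne-Agent-DocumentoFiscal.exe"},
    {"source": "process_creation", "host": "WS-0043",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for title, rec in triage(SAMPLE_LOGS):
        print("ALERT:", title, "|", rec)
```

Running the module prints two alerts: the proxy record carrying both the lure domain and the googleusercontent.com redirect, and the process-creation record for the renamed installer. The two single-indicator proxy records stay silent, which is the point of the AND condition: a googleusercontent.com fetch on its own is common in normal traffic, and the lure domain alone is the kind of record a user's stray click would produce.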