Malware Disguised as Video Files Using RMM Tools (Syncro, SuperOps, NinjaOne, etc)
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are using malicious PDF lures to funnel users to counterfeit Google Drive pages that advertise “video” downloads. Instead of media files, the sites deliver signed RMM installers—including tools such as Syncro, ScreenConnect, NinjaOne, and SuperOps—that provide attackers with reliable remote access and persistence on compromised endpoints.
Investigation
AhnLab observed PDF-based phishing activity leveraging filenames such as Invoice_Details.PDF and redirecting victims to domains like adobe-download-pdf.com or a lookalike drivegoogle.com portal. The delivered RMM installers were signed with a reused certificate and included installation parameters (for example, a key and customer ID) consistent with staged or automated deployments. The installers were produced using common packaging frameworks such as Advanced Installer or NSIS and, in some cases, acted as a bootstrapper to retrieve additional payloads after execution.
Mitigation
Limit or block execution of unauthorized RMM tooling, including binaries that are unsigned or unexpectedly signed, and enforce stronger controls for installing remote access software. Apply strict email attachment inspection to detect PDF lures and suspicious redirect behavior, and block known malicious domains at the gateway and proxy layers. Verify code-signing certificates and publisher details before permitting installation, keep approved RMM products patched, and restrict their use to explicitly authorized administrators.
Response
Alert when RMM installers execute from untrusted sources and when endpoints access the identified filenames, URLs, or redirect patterns. Isolate impacted hosts, collect installer artifacts and execution telemetry, and perform forensic triage to identify any secondary payloads downloaded post-install. Remove the rogue RMM agent, reset potentially exposed credentials, and expand hunting for related RMM deployment attempts across the environment.
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef file fill:#ffdd99
  classDef tool fill:#ffcc99
  classDef malware fill:#ff9999
  classDef process fill:#dddddd
  %% Node definitions
  attack_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Victim receives email with malicious PDF attachment"]
  class attack_phishing action
  file_pdf["<b>File</b> – <b>T1204.002 User Execution</b><br/>Malicious PDF opened by victim"]
  class file_pdf file
  page_masquerade["<b>Action</b> – <b>T1036.008 Masquerading</b><br/>PDF redirects to counterfeit Google Drive page"]
  class page_masquerade action
  installer_signed["<b>File</b> – <b>T1553.002 Subvert Trust Controls</b><br/>Installer signed with legitimate-looking certificate"]
  class installer_signed file
  exe_masquerade["<b>File</b> – <b>T1036.001 Masquerading</b><br/>Installer masquerades as a valid executable"]
  class exe_masquerade file
  nsis_payload["<b>Malware</b> – <b>T1027.009 Embedded Payloads</b><br/>NSIS package embeds additional malicious components"]
  class nsis_payload malware
  rmm_tool["<b>Tool</b> – <b>T1219 Remote Access Software</b><br/>Syncro / NinjaOne / SuperOps / ScreenConnect installed"]
  class rmm_tool tool
  remote_desktop["<b>Process</b> – <b>T1219.002 Remote Desktop</b><br/>Provides remote desktop capabilities to attacker"]
  class remote_desktop process
  %% Connections showing attack flow
  attack_phishing -->|delivers| file_pdf
  file_pdf -->|opens_and_triggers| page_masquerade
  page_masquerade -->|offers_download_of| installer_signed
  installer_signed -->|masquerades_as| exe_masquerade
  exe_masquerade -->|contains| nsis_payload
  nsis_payload -->|installs| rmm_tool
  rmm_tool -->|enables| remote_desktop
Detections
Possible RMM Software Installation Attempt Using MsiInstaller (via application logs)
Alternative Remote Access / Management Software (via system)
Alternative Remote Access / Management Software (via audit)
Alternative Remote Access / Management Software (via process_creation)
Possible Command and Control Activity by Remote Access Software Domain Communication Attempt (via dns)
IOCs (HashMd5) to detect: Malware Disguised as Video Files Using RMM Tools (Syncro, SuperOps, NinjaOne, etc)
Malicious Use of RMM Tools via PDF Phishing [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands:
  - Phishing Delivery: The adversary sends a spear‑phishing email with a malicious PDF titled “Invoice #12345.pdf”. The PDF contains a malicious JavaScript payload that, when opened, drops Syncro.exe into %TEMP%.
  - Execution: The payload runs a PowerShell command to bypass execution policy and launch the binary:
    powershell -NoP -W Hidden -Exec Bypass -Command "Start-Process -FilePath \"$env:TEMP\Syncro.exe\" -ArgumentList '/silent'"
  - Resulting Telemetry: Windows records an Event ID 4688 with Image = C:\Users\<user>\AppData\Local\Temp\Syncro.exe, matching the Sigma rule’s Image|endswith: 'Syncro.exe'. The alert is generated with High severity.
- Regression Test Script: The following script reproduces the exact behavior in a controlled lab environment. It copies a known RMM binary (for test purposes) to the temp directory and executes it with a benign flag, ensuring the same process‑creation event is emitted.
# -------------------------------------------------
# Simulation Script – Trigger RMM‑Tool Process Rule
# -------------------------------------------------
# Prerequisites:
#   - A copy of Syncro.exe placed in C:\Tools (legitimate binary for testing)
#   - Administrative rights to write to %TEMP%
# -------------------------------------------------
$src  = "C:\Tools\Syncro.exe"
$dest = "$env:TEMP\Syncro.exe"
Write-Host "[*] Copying RMM binary to temporary location..."
Copy-Item -Path $src -Destination $dest -Force
Write-Host "[*] Executing the binary to generate process-creation telemetry..."
Start-Process -FilePath $dest -ArgumentList '/silent' -WindowStyle Hidden
Write-Host "[+] Execution complete. Verify detection in SIEM."
# -------------------------------------------------
- Cleanup Commands: Remove the test binary and terminate any lingering processes.
# Terminate any stray Syncro processes
Get-Process -Name "Syncro" -ErrorAction SilentlyContinue | Stop-Process -Force
# Delete the temporary copy
Remove-Item -Path "$env:TEMP\Syncro.exe" -Force -ErrorAction SilentlyContinue
Write-Host "[*] Cleanup completed."