- Proofpoint uncovered fake RMM tool “TrustConnect” built as cover for RAT malware
- Criminals created site, paid for certificate, tricked companies into $300/month subscriptions
- The tool gave the attackers full remote control; linked to Redline infostealer customer
A group of cybercriminals went to great lengths to infect companies with a remote access trojan (RAT): they set up an entire company, vibe-coded a website, and paid thousands for a legitimate certificate.
In its report, Proofpoint said it was quite common for cybercriminals to use legitimate remote monitoring and management (RMM) tools in their technology stack. They would trick their victims into installing their favorite tool and sharing login information, which would enable them to deploy all sorts of stage-two malware, including infostealers, remote access trojans, or ransomware.
What researchers haven’t seen before, however, are criminals building a brand new product, website and all, that looks legitimate on the surface but is actually completely malicious. Yet that is exactly what TrustConnect is.
Subscribe to a RAT
“At first, TrustConnect appeared to be another legitimate RMM tool that was being misused,” Proofpoint explained.
“Given the large number of existing remote management tools that threat actors can choose from and their prevalence in the threat landscape, it might have made sense.”
The fraudsters built a .com website and applied for a certificate, paying “thousands of dollars” and going through “additional levels of validation on behalf of the domain owner”. The certificate was revoked on February 6, but all files signed before that date remain valid, Proofpoint said.
Businesses that don’t catch the trick will actually end up paying $300 a month for what they believe is an RMM tool. What they get instead is a RAT backdoor that gives the attacker full control of the mouse and keyboard, as well as the ability to record and stream what’s on the victim’s screen. Furthermore, the tool provides all the usual RMM functions such as file transfer, command execution or user account control bypass.
While it’s impossible to know for sure, Proofpoint said it was “moderately confident” that TrustConnect was developed by a VIP customer of Redline, a popular infostealer.



