- Huntress uncovered a phishing campaign that abuses legitimate RMM tools (Tiflux, UltraVNC, Splashtop, ScreenConnect) to gain persistence and exfiltrate business data
- Attackers lure victims with fake “Network Solutions” service agreement emails, then drop a vulnerable driver (HwRwDrv.x64) that could be exploited for privilege escalation
- Evidence points to Brazilian infrastructure and targets; defenses rest on rigorous RMM auditing, asset inventories and log reviews, cross-referenced against databases such as LOLRMM
Cybercriminals are abusing a whole range of legitimate programs, including Tiflux, UltraVNC, Splashtop, and ScreenConnect, to take control of corporate computers, establish persistence, and continuously exfiltrate sensitive data. This is according to security researchers at Huntress, who detailed the new campaign in an in-depth research paper.
The attack starts with a carefully crafted phishing email, usually with the subject line “updated service agreement from Network Solutions”. The email claims that Network Solutions has changed its pricing and services and instructs the target to visit a page where they can review and accept the new terms.
Victims who click on the provided link are first asked to complete a CAPTCHA, likely to filter out bots and automated analysis. They are then prompted to download a “secured document” which is simply an installer for TIFlux, a legitimate commercial (albeit fringe) remote monitoring and management (RMM) tool.
Attacks since the end of February
Along with Tiflux, the download also delivers other tools, including 7zip, an outdated version of the UltraVNC remote access tool, and a vulnerable driver called HwRwDrv.x64. The driver seems to be the key here, as it could be exploited for privilege escalation.
The attackers then use Tiflux to install either Splashtop or ScreenConnect (or, in some cases, both) before proceeding with the main objective – sending live screenshots, running system tools, establishing persistence and exfiltrating data.
Huntress saw the attacks in the wild at the end of February this year. The report does not name any specific threat actor or group, but it does note that TIFlux is a Brazilian tool and that the threat actor’s infrastructure uses a server domain ending in the Brazilian country-code top-level domain.
In other words, everything points to a Brazilian threat actor going after Brazilian targets.
Organizations can defend against RMM abuse by establishing a comprehensive asset inventory of all installed applications, implementing strict application controls, regularly auditing authorized RMMs and cross-referencing them against databases such as LOLRMM to find tools commonly abused by threat actors, and reviewing logs of RMM activity.
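As an added example, not part of Huntress's report or this article, the following PowerShell script performs that audit on a single Windows host: it inventories installed applications, services, processes and kernel drivers, checks the System log for service installations, and flags every match that is not on an approved list. The watchlist is constructed from the tool and driver names in the article and stands in for LOLRMM's full dataset; the empty approved list, the 30-day window and the name-based matching are assumptions.

```powershell
# Added example, not code from Huntress or the article: audit one Windows host
# for the RMM tools and the driver the campaign abuses, and flag anything that
# is not on the organisation's approved list.
# $Watchlist is constructed from the names in the article; in practice populate
# it from LOLRMM's published data (lolrmm.io) and set $Approved to the RMM you
# actually sanction. Run elevated so HKLM and process paths are readable.

$Watchlist = @('Tiflux', 'UltraVNC', 'Splashtop', 'ScreenConnect', 'HwRwDrv')
$Approved  = @()            # e.g. @('ScreenConnect') if that is your sanctioned RMM
$Findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Match, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Match = $Match; Detail = $Detail })
}

# Return the watchlist names that appear (case-insensitively) in any of the strings
function Find-Watched([string[]]$Strings) {
    $Watchlist | Where-Object {
        $n = $_
        @($Strings | Where-Object { $_ -like "*$n*" }).Count -gt 0
    }
}

# 1. Installed applications: 64-bit, 32-bit and per-user uninstall entries
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($app in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue) {
    foreach ($m in Find-Watched @($app.DisplayName, $app.Publisher, $app.InstallLocation)) {
        Add-Finding 'InstalledApp' $m "$($app.DisplayName) $($app.DisplayVersion)"
    }
}

# 2. Services and processes: catches portable copies (such as an UltraVNC binary
#    unpacked with 7zip) that never registered an uninstall entry
foreach ($svc in Get-CimInstance Win32_Service) {
    foreach ($m in Find-Watched @($svc.Name, $svc.DisplayName, $svc.PathName)) {
        Add-Finding 'Service' $m "$($svc.Name) [$($svc.State)] $($svc.PathName)"
    }
}
foreach ($proc in Get-Process) {
    foreach ($m in Find-Watched @($proc.ProcessName, $proc.Path)) {
        Add-Finding 'Process' $m "PID $($proc.Id) $($proc.Path)"
    }
}

# 3. Kernel drivers: a dropped vulnerable driver only matters once it is
#    registered or loaded, so check the driver service table, not just the disk
foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    foreach ($m in Find-Watched @($drv.Name, $drv.DisplayName, $drv.PathName)) {
        Add-Finding 'Driver' $m "$($drv.Name) [$($drv.State)] $($drv.PathName)"
    }
}

# 4. Log review: service installations (System log, event ID 7045) over the last
#    30 days show when an RMM or driver service first appeared, even if it has
#    since been removed
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
             StartTime = (Get-Date).AddDays(-30) }
foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $firstLine = ($evt.Message -split "`n")[0]
    foreach ($m in Find-Watched @($evt.Message)) {
        Add-Finding 'ServiceInstallEvent' $m "$($evt.TimeCreated) $firstLine"
    }
}

# 5. Report: a match that is not approved is something to investigate; approved
#    RMMs are still listed so the audit shows what is expected on the host
$Findings |
    Select-Object Source, Match, @{ n = 'Approved'; e = { $Approved -contains $_.Match } }, Detail |
    Sort-Object Approved, Source, Match |
    Format-Table -AutoSize
```

Name matching is deliberately crude: a renamed binary or a driver registered under a different service name will slip past it, so on a suspect host pair this with file hashes and Authenticode publisher checks, and run the same audit across the fleet rather than on one machine.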
