As cybersecurity threats continue to evolve, we’re joined by Dominic Jainy, an IT professional with deep expertise in artificial intelligence, machine learning, and blockchain. Dominic has a keen interest in how emerging technologies intersect with cybersecurity challenges, making him the perfect person to shed light on a troubling trend: hackers exploiting remote monitoring and management (RMM) tools like LogMeIn and PDQ Connect to deploy malware. In this interview, we dive into the mechanics of these attacks, the deceptive tactics used by cybercriminals, the nature of the malware being spread, and the broader implications for users and organizations. Let’s explore how trusted tools are being weaponized and what can be done to stay safe.
Can you explain what remote monitoring and management tools are and how they’re typically used in legitimate scenarios?
Absolutely. Remote monitoring and management tools, or RMMs, are software solutions designed to help IT professionals manage and troubleshoot systems from a distance. Tools like LogMeIn and PDQ Connect allow admins to access devices, deploy updates, monitor performance, and fix issues without being physically present. They’re widely used by businesses for managing employee workstations, servers, or even customer systems. Essentially, they’re a lifeline for IT support, saving time and resources by enabling remote control and automation.
Why do you think cybercriminals find RMM tools so appealing for spreading malware?
RMM tools are a goldmine for hackers because they’re inherently trusted by users and security systems. These programs often have deep access to a system—think full control over files, processes, and network activity—which is exactly what attackers want. Plus, since RMM tools are legitimate software, they’re less likely to trigger alarms in antivirus programs or firewalls. Hackers can hide their malicious intent behind the guise of a trusted application, making it easier to slip past defenses and gain a foothold on a victim’s device.
How are attackers tricking users into downloading malware through these tools?
The attackers are incredibly crafty with their approach. They set up fake websites that mimic official download pages for popular software like Notepad++, 7-Zip, or even ChatGPT. Unsuspecting users think they’re getting the real deal, but instead, they download a modified version of an RMM tool like LogMeIn Resolve or PDQ Connect. Once installed, it connects directly to the attacker’s command server, giving them full access to the system. It’s a classic bait-and-switch tactic that preys on trust and familiarity.
What makes these fake download websites look so convincing to the average person?
These fake sites are designed to be nearly indistinguishable from the real ones. They often use similar branding, logos, and layouts to mimic official pages. The URLs might be slightly off, but most users don’t scrutinize web addresses closely. They also host downloads with familiar names like notepad++.exe or winrar.exe, which lowers suspicion. To the average person just looking to install a utility, everything appears legitimate until it’s too late.
Can you walk us through what happens once a user installs one of these malicious versions of RMM software?
Sure. Once the modified RMM software is installed, it establishes a direct connection to the attacker’s command-and-control server. From there, hackers can remotely execute commands, often using tools like PowerShell to download additional malware. In this specific campaign, they deploy a backdoor called PatoRAT, which allows them to spy on the system, steal data, and even install more malicious tools. The victim’s computer essentially becomes an open door for the attacker to do whatever they want.
What can you tell us about the deceptive file names used in these attacks?
The attackers use file names that sound incredibly legitimate to trick users into opening them. We’re talking names like Microsoft.exe, OpenAI.exe, or even windows12_installer.exe. These names are chosen deliberately to evoke trust or curiosity. Most people see “Microsoft” and assume it’s a safe system file, or they might think “OpenAI” relates to something trendy like AI tools. It’s a psychological trick to bypass the user’s natural caution and get them to click without a second thought.
According to research, who might be behind these attacks, and what does that tell us about their organization?
Security researchers have identified at least three distinct threat actors involved in this campaign. Each group uses unique company identification numbers embedded in the LogMeIn configuration files to control infected systems. The presence of these specific IDs suggests a level of coordination and customization in their approach. It’s not just a lone hacker throwing out random attacks; these are likely organized groups with defined roles, tools, and infrastructure, which makes them harder to track and stop.
Let’s talk about PatoRAT, the malware being deployed. What kind of damage can it do once it’s on a system?
PatoRAT is a nasty piece of work. It’s a backdoor written in Delphi that collects a wide range of data from the infected system—things like the computer name, username, OS details, memory usage, screen resolution, and even a list of active windows. Beyond spying, it can perform harmful actions like keylogging to capture everything typed, stealing browser passwords, taking screenshots, controlling the mouse, and even setting up port-forwarding tools to open more attack vectors. It’s a comprehensive toolkit for attackers to exploit a victim fully.
How does PatoRAT hide the data it steals to avoid detection?
PatoRAT uses a relatively simple but effective method to conceal the data it collects. It encrypts the information with a basic XOR cipher using the key 0xAA and then stores it in the resource section of the malware under a label like “APPCONFIG.” This encryption isn’t sophisticated, but it’s enough to obscure the data from casual inspection and make it harder for security tools to immediately flag what’s happening. It’s a low-effort way to add a layer of stealth to their operation.
There are some hints about where PatoRAT’s developers might be from. Can you elaborate on that?
Interestingly, researchers found Portuguese-language strings embedded in PatoRAT’s code. While this isn’t definitive proof, it suggests that the developers might come from a Portuguese-speaking region. Code often reflects the native language or cultural context of its creators, so these strings could be a clue about their background. Of course, it’s also possible they’re using this as a red herring to throw off investigators, but it’s a notable detail nonetheless.
What is your forecast for the future of attacks involving trusted tools like RMM software?
I think we’re going to see more of these attacks as cybercriminals continue to exploit trust in legitimate software. RMM tools, productivity apps, and even cloud services are prime targets because they’re so widely used and often have privileged access to systems. As security tools get better at detecting traditional malware, attackers will lean harder on these “living off the land” tactics—using trusted programs to do their dirty work. My forecast is that we’ll see increased sophistication in how these tools are weaponized, alongside a growing need for user education and stricter verification processes to prevent falling for fake downloads. It’s a cat-and-mouse game, and unfortunately, the mice are getting smarter.