Full Report
Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. "Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust," KnowBe4 Threat
Analysis Summary
# Tool/Technique: LogMeIn Remote Monitoring and Management (RMM) Weaponization
## Overview
This technique involves a dual-vector campaign where initial credential theft (targeting Microsoft Outlook, Yahoo!, AOL.com via a Greenvelope phishing lure) is leveraged to install and configure legitimate Remote Monitoring and Management (RMM) software, specifically **LogMeIn Resolve (formerly GoTo Resolve)**, to establish persistent, trusted remote access to victim systems.
## Technical Details
- Type: Tool (Weaponization of Legitimate Software)
- Platform: Windows (inferred from the use of Windows services and scheduled tasks)
- Capabilities: Establishes persistent remote access, runs services with unrestricted access, evades termination via scheduled tasks.
- First Seen: Not stated precisely; the article context indicates this multi-stage campaign was disclosed recently (January 2026).
## MITRE ATT&CK Mapping
The core activity is post-compromise use of trusted administrative tools for malicious access, so the mapping is:
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Windows Service
- T1053.005 - Scheduled Task/Job
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (Implied C2 communication via RMM tunnel)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Web Browsers (Phishing leads to credential harvesting)
- **TA0005 - Defense Evasion**
- T1218 - Signed Binary Proxy Execution (The dropper binary "GreenVelopeCard.exe" is signed)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Initial phase uses phishing emails disguised as Greenvelope invitations to steal external email credentials (Outlook, Yahoo!, AOL).
- **RMM Deployment:** Uses stolen email credentials to register for LogMeIn access tokens, followed by execution of a signed dropper (`GreenVelopeCard.exe`) containing a JSON configuration to silently install LogMeIn Resolve.
- **Persistent Access:** Modifies the RMM service settings to run with unrestricted access on Windows and establishes hidden scheduled tasks to relaunch the RMM program if manually stopped.
### Advanced Features
- **Use of Signed Binary:** The initial deployment executable (`GreenVelopeCard.exe`) is signed with a valid certificate, aiding in defense evasion and potentially fostering initial user trust.
- **Legitimate Tool Abuse (Living off the Land):** Bypasses security perimeters by leveraging trusted, whitelisted administrative software (LogMeIn RMM) as a backdoor, making detection difficult.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: `GreenVelopeCard.exe` (Dropper/Loader)
- Registry Keys: Not explicitly mentioned, but modification of service settings is implied.
- Network Indicators: The dropper connects to an attacker-controlled URL used for LogMeIn C2; the URL is not given in the text (placeholder: `attacker-controlled-url`).
- Behavioral Indicators:
- Unauthorized installation of LogMeIn Resolve/GoTo Resolve.
- Creation of hidden scheduled tasks to maintain RMM startup.
- Service configuration adjustments for unrestricted RMM execution.
## Associated Threat Actors
The research was conducted by KnowBe4 Threat Labs. The threat actor using this methodology is not named in the provided text; only their observed TTPs are described.
## Detection Methods
- **Signature-based detection:** Monitor for the specific dropper file name (`GreenVelopeCard.exe`).
- **Behavioral detection** (the crucial focus area): monitor for:
1. Unauthorized registration/use of legitimate RMM platforms (LogMeIn/GoTo Resolve) from unusual contexts.
2. Modifications to RMM service configurations for persistence.
3. Creation of hidden scheduled tasks linked to remote access tools.
- **YARA rules:** Not provided in the text.
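As an added example (not code from KnowBe4 or the article), the behavioral and signature checks above expressed as a small triage over constructed Windows event records: 4698 (scheduled task created, with the task XML's `<Hidden>` setting), 7045 (new service installed) and 4688 (process creation) for the dropper name. The event dict shape and the install paths are assumptions.

```python
import re

# Name strings taken from the analysis above; matching is case-insensitive.
RMM_TERMS = ("logmein", "goto resolve", "gotoresolve")
DROPPER_NAME = "greenvelopecard.exe"

# Constructed sample events (assumed dict shape; paths are invented placeholders,
# not the real LogMeIn Resolve install location).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Users\alice\Downloads\GreenVelopeCard.exe"},
    {"EventID": 7045, "ServiceName": "LogMeIn Resolve Agent",
     "ImagePath": r"C:\Program Files\LogMeIn Resolve\agent.exe", "StartType": "auto start"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Task><Settings><Hidden>true</Hidden></Settings>"
                    r"<Actions><Exec><Command>C:\Program Files\LogMeIn Resolve\agent.exe"
                    "</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": r"\Backup",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions></Task>"},
]

HIDDEN_RE = re.compile(r"<Hidden>\s*true\s*</Hidden>", re.I)


def triage_event(evt):
    """Return a list of finding labels for one event record (empty if nothing matched)."""
    findings = []
    blob = " ".join(str(v) for v in evt.values()).lower()  # search every field
    mentions_rmm = any(t in blob for t in RMM_TERMS)
    if DROPPER_NAME in blob:
        findings.append("dropper-filename")           # signature-based check
    eid = evt.get("EventID")
    if eid == 4698 and mentions_rmm:                  # scheduled task created
        hidden = HIDDEN_RE.search(evt.get("TaskContent", "")) is not None
        findings.append("hidden-rmm-task" if hidden else "rmm-task")
    elif eid == 7045 and mentions_rmm:                # new service installed
        findings.append("rmm-service-install")
    return findings


def triage(events):
    """Return (EventID, findings) for every event that raised at least one finding."""
    hits = []
    for evt in events:
        found = triage_event(evt)
        if found:
            hits.append((evt["EventID"], found))
    return hits


if __name__ == "__main__":
    for eid, found in triage(SAMPLE_EVENTS):
        print(eid, found)
```

On the constructed sample the dropper, the service install and the hidden task each raise one finding, while the unrelated backup task raises none.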
## Mitigation Strategies
- **Prevention measures:** Enforce strict Multi-Factor Authentication (MFA) on email services (Outlook, Yahoo, AOL) to neutralize credential theft via phishing.
- **Hardening recommendations:**
1. Monitor and restrict the installation and configuration changes of authorized RMM tools.
2. Implement application allow-lists where possible, or flag RMM installations originating outside IT-sanctioned channels.
3. Audit Windows Service configurations and scheduled tasks regularly for unexpected entries related to third-party remote access software.
## Related Tools/Techniques
- Other legitimate RMM tools frequently abused by threat actors (e.g., TeamViewer, AnyDesk, Splashtop).
- General use of Signed Binary Proxy Execution (T1218).
- Credential harvesting via highly targeted spearphishing (Greenvelope lure).