Full Report
A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents.
Analysis Summary
# Tool/Technique: N-able RMM Remote Access
## Overview
N-able RMM is a commercially available Remote Monitoring and Management (RMM) tool that threat actors, specifically Initial Access Brokers (IABs), are abusing to maintain persistent control over compromised systems after a spam-based initial compromise of Brazilian users.
## Technical Details
- Type: Tool (Legitimate RMM solution being abused)
- Platform: Windows (Implied by RMM execution context and standard operating environment for such tools)
- Capabilities: Full remote access capabilities, including remote desktop, remote command execution, screen streaming, keystroke capture, and remote shell access, available even on trial versions.
- First Seen: At least January 2025 (for this specific campaign context).
## MITRE ATT&CK Mapping
This analysis focuses primarily on the objectives associated with the *use* and *persistence* enabled by the abused tool, which are characteristic of Initial Access Brokers (IABs).
- **TA0001 - Initial Access**
  - **T1566 - Phishing**
    - T1566.001 - Spearphishing Attachment (via attachment in spam)
- **TA0003 - Persistence**
  - **T1543.003 - Windows Service** (RMM tools often install services for persistence)
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol** (Likely uses standard web/HTTPS traffic inherent to RMM functionality)
- **TA0010 - Exfiltration** (Implied goal for IABs selling access)
## Functionality
### Core Capabilities
The tool, under normal operation and trial status, provides the threat actor with comprehensive system access:
- Remote desktop connectivity.
- Remote command execution.
- Screen streaming.
- Keystroke capture.
### Advanced Features
- The trial version provides a "full set of features" only constrained by a 15-day operational limit.
- The RMM agent is digitally signed, potentially aiding in bypassing lower-level security checks.
- Installation often occurs after an initial compromise where a user is tricked into running a specific malicious installer downloaded from Dropbox.
## Indicators of Compromise
*Note: Indicators listed below are specifically related to files dropped during the initial spam campaign or C2 infrastructure observed by Talos.*
- File Hashes:
  - **SHA256:**
    - `03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e`
    - `0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10`
    - `080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39`
    - `0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412`
    - `1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23`
    - `14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878`
    - `2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77`
    - `4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b`
    - `51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd`
    - `527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff`
    - `57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683`
    - `63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea`
    - `79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63`
    - `a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a`
    - `b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589`
    - `c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef`
    - `ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5`
    - `d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c`
    - `e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c`
    - `e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd`
    - `ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f`
    - `f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf`
    - `f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c`
    - `f68ae2c1d42d1b95e3829f08a516fb1695f75679fcfe0046e3e14890460191cf`
    - `a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065`
- File Names:
  - `AGENT_NFe_.exe`
  - `Boleto_NFe_.exe`
  - `Eletronica_NFe_.exe`
  - `Nf-e.exe`
  - `NFE_.exe`
  - `NOTA_FISCAL_NFe_.exe`
- Registry Keys: Not specified in the context.
- Network Indicators:
  - `hxxps://upload1[.]am[.]remote[.]management/`
  - `hxxps://upload2[.]am[.]remote[.]management/`
  - `hxxps://upload3[.]am[.]remote[.]management/`
  - `hxxps://upload4[.]am[.]remote[.]management/`
  - `198[.]45[.]54[.]34[.]bc[.]googleusercontent[.]com`
  - (Note: These URLs point to the RMM provider's infrastructure, not actor-controlled C2, but may indicate traffic related to deployment.)
- Behavioral Indicators:
  - Successful installation/activation of N-able or PDQ Connect trial accounts used for remote access.
  - Subsequent installation of additional RMM tools and removal of security software after initial compromise by IABs.
## Associated Threat Actors
- Initial Access Brokers (IABs) abusing free trial periods of RMM software.
- Actors targeting Portuguese-speaking users in Brazil, often sending spam disguised as NF-e (electronic invoice) notifications or financial/carrier overdue bills.
## Detection Methods
- Signature-based detection: Use provided file hashes for known RMM installers deployed illicitly.
- Behavioral detection: Monitor for the execution of RMM installers derived from suspicious sources (like Dropbox links in spam). Look for post-compromise activity involving the removal of security tools or the installation of secondary RMM agents.
- YARA rules: Not explicitly provided in the text.
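As an added example (not part of the Talos report or the analysis above), the following Python script applies the signature-based and behavioral detection methods listed here to constructed sample log lines. The SHA256 values, lure file names and the `.am.remote.management` upload domain are taken from the indicators section; the JSON log format, the NF-e filename heuristic, the "Dropbox referrer" field and the keyword lists for second-RMM installs and security-tool removal are assumptions made for this example. The behavioral rules only fire on a host that has already produced an indicator hit, so a ScreenConnect install on an otherwise clean host is deliberately not flagged by this logic.

```python
"""Apply the report's RMM-abuse detections to constructed JSON-lines events."""
import json
import re
from collections import defaultdict

# Subset of the report's SHA256 indicators (hex is case-insensitive, so normalise).
IOC_HASHES = {h.lower() for h in (
    "03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e",
    "0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10",
    "f68ae2c1d42d1b95e3829f08a516fb1695f75679fcfe0046e3e14890460191cf",
    "a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065",
)}
# Lure executable names from the report.
IOC_FILENAMES = {n.lower() for n in (
    "AGENT_NFe_.exe", "Boleto_NFe_.exe", "Eletronica_NFe_.exe",
    "Nf-e.exe", "NFE_.exe", "NOTA_FISCAL_NFe_.exe",
)}
# Heuristic (assumption): any executable whose name mentions NF-e / NFe.
NFE_LURE_RE = re.compile(r"nf[-_]?e", re.IGNORECASE)
# Upload hosts observed by Talos; provider infrastructure, so a weak signal on its own.
RMM_UPLOAD_SUFFIX = ".am.remote.management"
# Assumed keywords for post-compromise behaviour: a second RMM agent or AV removal.
SECOND_RMM_RE = re.compile(r"screenconnect|pdq-?connect", re.IGNORECASE)
AV_REMOVAL_RE = re.compile(r"uninstall.*(defender|antivirus|endpoint)", re.IGNORECASE)


def classify(event, host_state):
    """Return detection names for one event. host_state carries per-host
    context so the behavioural rules can chain on an earlier indicator hit."""
    hits = []
    if event.get("type") == "process":
        name = event.get("image", "").rsplit("\\", 1)[-1].lower()
        sha = event.get("sha256", "").lower()
        referrer = event.get("referrer", "").lower()
        cmdline = event.get("cmdline", "")
        if sha in IOC_HASHES:
            hits.append("ioc_hash_match")
        if name in IOC_FILENAMES:
            hits.append("ioc_filename_match")
        elif name.endswith(".exe") and NFE_LURE_RE.search(name):
            hits.append("nfe_lure_heuristic")
        if "dropbox.com" in referrer and hits:
            hits.append("lure_downloaded_from_dropbox")
        # Behavioural chaining: only meaningful after an initial indicator hit.
        if host_state["compromised"]:
            if SECOND_RMM_RE.search(name) or SECOND_RMM_RE.search(cmdline):
                hits.append("second_rmm_after_compromise")
            if AV_REMOVAL_RE.search(cmdline):
                hits.append("security_tool_removal")
        if any(h.startswith(("ioc_", "nfe_")) for h in hits):
            host_state["compromised"] = True
    elif event.get("type") == "dns":
        if event.get("query", "").lower().endswith(RMM_UPLOAD_SUFFIX):
            hits.append("rmm_upload_domain")
    return hits


def scan(lines):
    """Run every rule over JSON-lines events in timestamp order, per host."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    state = defaultdict(lambda: {"compromised": False})
    findings = []
    for ev in events:
        hits = classify(ev, state[ev["host"]])
        if hits:
            findings.append((ev["ts"], ev["host"], hits))
    return findings


# Constructed sample telemetry (not real logs). The all-zero hash is a placeholder.
SAMPLE_LOG = r"""
{"ts":"2025-01-14T09:01:00Z","host":"WS01","type":"process","image":"C:\\Users\\ana\\Downloads\\NOTA_FISCAL_NFe_.exe","sha256":"F68AE2C1D42D1B95E3829F08A516FB1695F75679FCFE0046E3E14890460191CF","referrer":"https://www.dropbox.com/s/example/NOTA_FISCAL_NFe_.exe?dl=1"}
{"ts":"2025-01-14T09:01:30Z","host":"WS01","type":"dns","query":"upload2.am.remote.management"}
{"ts":"2025-01-14T09:05:00Z","host":"WS02","type":"process","image":"C:\\Users\\joao\\Downloads\\Relatorio_NFE_2025.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000","referrer":""}
{"ts":"2025-01-14T09:30:00Z","host":"WS03","type":"process","image":"C:\\Windows\\System32\\notepad.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"ts":"2025-01-14T09:31:00Z","host":"WS03","type":"process","image":"C:\\Temp\\ScreenConnect.ClientSetup.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"ts":"2025-01-14T10:10:00Z","host":"WS01","type":"process","image":"C:\\Windows\\Temp\\ScreenConnect.ClientSetup.exe","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"ts":"2025-01-14T10:12:00Z","host":"WS01","type":"process","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"uninstaller.exe /quiet /product antivirus"}
"""

if __name__ == "__main__":
    for ts, host, hits in scan(SAMPLE_LOG.splitlines()):
        print(ts, host, ", ".join(hits))
```

The IoC hash list here is a subset; in practice the full SHA256 list from the indicators section would be loaded from a file. The chaining rule is intentionally conservative: a second RMM installer or a security-tool uninstall is reported only on a host that already produced a hash, filename or NF-e heuristic hit, which keeps legitimate IT deployments of ScreenConnect or PDQ Connect out of the alert stream.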
## Mitigation Strategies
- Security training focused on identifying sophisticated phishing lures using local financial/governmental document themes (NF-e).
- Strict network controls on accessing cloud storage links (e.g., Dropbox) delivered via unsolicited email.
- Implement strict application whitelisting or controls to prevent the execution of unapproved RMM/remote access tools, even when they carry valid digital signatures from well-known vendors (the accounts behind them may be abused trial accounts).
- For organizations using N-able or PDQ Connect: Monitor for rapid creation or decommissioning of trial accounts utilizing free email providers (Gmail, ProtonMail).
## Related Tools/Techniques
- **PDQ Connect:** Another RMM tool observed being abused in the same campaign.
- **Screen Connect:** An additional RMM tool installed post-compromise in some observed cases.
- **Legitimate RMM Tools:** General category of tools often hijacked by threat actors for C2 and persistence.