Threat actors increasingly abuse legitimate Remote Access Tools (RATs) to evade detection and deliver payloads. NetSupport Manager, ConnectWise ScreenConnect, FleetDeck, and Atera dominate, comprising 87% of observed abuse.

In brief - Legitimate RATs like NetSupport (40%) and ConnectWise (34%) are exploited for persistence, lateral movement, and data exfiltration. Microsoft’s 2022 macro restrictions reduced Office-based attacks, shifting focus to RATs. Organizations must monitor trusted software and patch critical CVEs.

Technically - Exploited CVEs include CVE-2017-11882 (Equation Editor RCE), CVE-2017-0199 (Windows API RCE), CVE-2018-0798, and CVE-2018-0806. RATs enable keylogging, screen capture, and secondary malware deployment. ConnectWise (formerly Parcel RAT) surged post-March 2024, while Atera’s cross-platform support complicates EDR detection. Macro-based delivery declined post-June 2022, but RAT abuse persists as a primary intrusion vector.

Source: https://cofense.com/blog/weaponizing-apathy-how-threat-actors-exploit-vulnerabilities-and-legitimate-software

#Cybersecurity #ThreatIntel