(cofense.com) Legitimate Tools as Weapons: How Threat Actors Abuse RATs and CVEs to Evade Detection
-
Threat actors increasingly abuse legitimate remote access tools (RATs) to evade detection and deliver payloads. NetSupport Manager, ConnectWise ScreenConnect, FleetDeck, and Atera dominate, together accounting for 87% of observed abuse.
In brief - Legitimate RATs such as NetSupport Manager (40%) and ConnectWise ScreenConnect (34%) are abused for persistence, lateral movement, and data exfiltration. Because the binaries are signed, commercially supported products, their presence alone rarely trips endpoint controls. Microsoft's 2022 change to block macros by default in Office documents downloaded from the internet reduced Office-based attacks and shifted attacker focus to RATs. Organizations must monitor trusted remote-access software and patch critical CVEs.
Technically - Exploited CVEs include CVE-2017-11882 (Equation Editor memory-corruption RCE), CVE-2017-0199 (Office/WordPad RCE via the OLE2Link/HTA handler), and CVE-2018-0798 and CVE-2018-0806 (further Equation Editor memory-corruption flaws). RATs enable keylogging, screen capture, and deployment of secondary malware. ConnectWise ScreenConnect (formerly ConnectWise Control) abuse surged after March 2024, while Atera's cross-platform support complicates EDR detection. Macro-based delivery declined after June 2022, but RAT abuse persists as a primary intrusion vector.
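The monitoring the summary calls for is easier to act on with a concrete rule. The following is an added example, not code from the Cofense article: it scans process-creation records for the client executables of the four named tools and flags launches that look like abuse (a binary running from a user-writable path, or spawned by an Office application, the Equation Editor process behind CVE-2017-11882, or a script host) rather than a sanctioned deployment. The NetSupport, ScreenConnect and Atera executable names are the products' real client binaries; the FleetDeck name, the approved install prefixes, the pipe-delimited log format and the log lines themselves are constructed for this example.

```python
"""Flag launches of legitimate RMM/RAT clients that look like abuse.

Added example (not from the original article). Log format and sample
lines are constructed; tune APPROVED_PATH_PREFIXES to your own estate.
"""
import re
from dataclasses import dataclass, field

# Client executables of the four tools named in the article.
# client32.exe, ScreenConnect.* and AteraAgent.exe are real binary names;
# fleetdeck_agent.exe is an assumed name for this example.
RMM_BINARIES = {
    "client32.exe": "NetSupport Manager",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "ateraagent.exe": "Atera",
    "fleetdeck_agent.exe": "FleetDeck",  # assumed
}

# Where a sanctioned install is expected to live (assumption for the example).
APPROVED_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Parents that should never spawn an RMM client on a managed host: Office
# applications (macro/CVE delivery), the Equation Editor process abused by
# CVE-2017-11882, and the script hosts typical of a phishing chain.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "eqnedt32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
}

# Constructed pipe-delimited record: Image=...|ParentImage=...|User=...
LINE_RE = re.compile(
    r"Image=(?P<image>[^|]+)\|ParentImage=(?P<parent>[^|]+)\|User=(?P<user>[^|]+)"
)


@dataclass
class Finding:
    tool: str
    image: str
    parent: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(line: str):
    """Return a Finding for an RMM client launch (reasons empty if it looks
    sanctioned), or None when the line is unparsable or not an RMM binary."""
    m = LINE_RE.search(line)
    if not m:
        return None
    image, parent = m["image"].strip(), m["parent"].strip()
    tool = RMM_BINARIES.get(basename(image))
    if tool is None:
        return None
    finding = Finding(tool, image, parent)
    if not image.lower().startswith(APPROVED_PATH_PREFIXES):
        finding.reasons.append("unapproved install path")
    if basename(parent) in SUSPICIOUS_PARENTS:
        finding.reasons.append(f"spawned by {basename(parent)}")
    return finding


def scan(lines):
    """Findings with at least one abuse indicator, in log order."""
    return [f for f in (evaluate(ln) for ln in lines) if f and f.reasons]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Sanctioned: vendor path, started by the service control manager.
    "Image=C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe"
    "|ParentImage=C:\\Windows\\System32\\services.exe|User=NT AUTHORITY\\SYSTEM",
    # Phishing chain: client dropped into AppData and launched by a script host.
    "Image=C:\\Users\\jdoe\\AppData\\Roaming\\Updates\\client32.exe"
    "|ParentImage=C:\\Windows\\System32\\wscript.exe|User=CORP\\jdoe",
    # Office document spawning a ScreenConnect client from a public folder.
    "Image=C:\\Users\\Public\\ScreenConnect.ClientService.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|User=CORP\\asmith",
    # Not an RMM binary at all.
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\jdoe",
    # Vendor path but an interactive shell as parent: worth a look.
    "Image=C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\jdoe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.tool}: {f.image} <- {f.parent}: {', '.join(f.reasons)}")
```

Path and parent checks are deliberately separate so that a sanctioned tool started from the wrong place and a correctly installed tool started by the wrong process each produce a distinct reason; in production the same rule is usually expressed as a SIEM query over Sysmon event ID 1 or the equivalent EDR process-start telemetry, with the allow-list of install paths maintained alongside the RMM inventory.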