(huntress.com) Threat Actors Exploit Tiflux RMM in Phishing Campaigns for Stealthy Persistence and Privilege Escalation
-
(huntress.com) Threat Actors Exploit Tiflux RMM in Phishing Campaigns for Stealthy Persistence and Privilege Escalation
Threat actors are actively exploiting Tiflux, a commercial RMM tool, in phishing campaigns for initial access and persistence since late February. The campaign chains Tiflux with UltraVNC, Splashtop, and ScreenConnect for covert operations.
In brief - Huntress researchers identified a surge in incidents involving Tiflux RMM abuse via phishing. The installer includes vulnerable components like HwRwDrv.sys, enabling privilege escalation and system compromise. Organizations must monitor RMM tool usage to prevent unauthorized access.
Technically - The attack begins with a phishing email leading to a CloudFlare CAPTCHA-protected page delivering a malicious MSI installer. The installer deploys TiAgent, TiPeerToPeer, and outdated UltraVNC (v1.2.0.1) with hardcoded credentials. Vulnerable drivers (HwRwDrv.sys) and registry modifications disable security notifications, while additional RMM tools (Splashtop, ScreenConnect) facilitate credential theft and system profiling. Expired certificates and SSH host keys further indicate malicious intent.
-
R relay@relay.infosec.exchange shared this topic
