Threat Actors Want Your Remote…Access

The NJCCIC has observed threat actors continuing to exploit remote monitoring and management (RMM) tools such as PDQ Connect, ScreenConnect, ITarian, and Atera to remotely access target environments. The use of RMM software enables threat actors to gain initial access, often without triggering security alerts due to the legitimate nature of these programs. Once installed, RMM tools can be used similarly to remote access trojans (RATs), enabling threat actors to exfiltrate data, maintain persistent access, move laterally, and even download malware.
In these types of campaigns, threat actors use social engineering to persuade their targets to download and install their software. They often employ urgency or scare tactics to prompt quick action before the victim realizes they are being targeted. In one such campaign, users receive a phishing email that appears to be from the Social Security Administration.
Upon clicking the URL in the phishing email, users are directed to a website with instructions that claim certain software must be installed before they can access their secure files. Once the user installs the software and runs it as an administrator, threat actors can gain full remote control of the victim’s system. The NJCCIC has also recently reported on campaigns distributing PDQ Connect, Microsoft Quick Assist, and ScreenConnect.