In early 2025, cybersecurity researchers at Cisco Talos uncovered a sophisticated spam campaign targeting Portuguese-speaking users in Brazil. This campaign exploited legitimate Remote Monitoring and Management (RMM) tools, such as N-able and PDQ Connect, to gain unauthorized access to victims’ systems. By masquerading as official communications from financial institutions and telecom providers, the attackers aimed to deceive users into installing these tools, granting them full control over the compromised machines. This article delves into the intricacies of the campaign, the tactics employed by the threat actors, and provides actionable advice to mitigate such threats.
The campaign began with phishing emails crafted to appear as legitimate communications from Brazilian financial institutions or telecom providers. These emails claimed to contain overdue bills or electronic receipts, known as Nota Fiscal Eletrônica (NF-e), a common electronic invoicing system in Brazil. The messages included links to Dropbox-hosted files, enticing recipients to download what they believed were invoices.
Malicious Payload: RMM Tools
Upon clicking the links, users downloaded executable files with names like “AGENT_NFe_.exe” or “Boleto_NFe_.exe.” These executables installed legitimate RMM tools—primarily N-able Remote Access and, in some cases, PDQ Connect. These tools, designed for IT administrators to manage systems remotely, were repurposed by the attackers to establish persistent access to victims’ machines.
Exploitation of Trial Versions
The threat actors exploited the free trial periods offered by these RMM tools. By creating accounts using free email services like Gmail or Proton Mail, they avoided the need for stolen credentials. Cisco Talos observed that accounts older than 15 days were disabled, indicating the use of trial versions rather than compromised accounts.
Post-Compromise Activities
After establishing access, the attackers often installed additional RMM tools and removed security software from the compromised systems. This behavior aligns with tactics employed by Initial Access Brokers (IABs), who infiltrate systems and sell access to other cybercriminals, including ransomware operators and state-sponsored actors.
Technical Insights
Capabilities of Abused RMM Tools
The RMM tools provided the attackers with extensive capabilities, including:
- Remote desktop access
- Command execution
- Screen streaming
- Keystroke logging
- File management
These functionalities allowed the attackers to monitor and control infected systems comprehensively.
Stealth and Evasion
The network traffic generated by these RMM tools resembled legitimate HTTPS traffic, making it difficult to detect. For instance, N-able Remote Access communicated with domains like “upload1.am.remote.management,” hosted on Amazon Web Services (AWS). Since these domains are used by legitimate customers, distinguishing malicious activity required careful analysis.
Impact and Attribution
Targeted Victims
The campaign primarily targeted C-level executives and personnel in finance and human resources across various sectors, including education and government. By focusing on individuals with access to sensitive information, the attackers maximized the potential value of the compromised systems.
Attribution to IABs
Cisco Talos assessed with high confidence that the threat actors functioned as Initial Access Brokers. Their objective was to establish a network of compromised machines and sell access to other cybercriminals. This model has become increasingly prevalent, as it allows for specialization and efficiency in the cybercrime ecosystem.
Preventive Measures: 10 Actionable Tips
- Employee Education: Conduct regular training sessions to help employees recognize phishing emails and understand the risks associated with unsolicited attachments or links.
- Email Filtering: Implement advanced email filtering solutions to detect and block phishing attempts before they reach end-users.
- Application Whitelisting: Restrict the installation of software to approved applications, preventing unauthorized RMM tools from being installed.
- Multi-Factor Authentication (MFA): Enforce MFA across all systems to add an extra layer of security, making unauthorized access more difficult.
- Regular Software Updates: Ensure all systems and applications are up-to-date with the latest security patches to mitigate known vulnerabilities.
- Network Monitoring: Continuously monitor network traffic for unusual patterns that may indicate malicious activity, such as unexpected remote connections.
- Endpoint Protection: Deploy robust endpoint security solutions capable of detecting and responding to threats in real-time.
- Access Controls: Implement strict access controls, granting users the minimum necessary permissions to perform their duties.
- Incident Response Plan: Develop and regularly update an incident response plan to ensure swift action in the event of a security breach.
- Vendor Management: Regularly review and manage third-party vendors’ access to your systems, ensuring they adhere to your security policies.
Conclusion
The abuse of legitimate RMM tools in this Brazilian spam campaign underscores the evolving tactics of cybercriminals. By leveraging tools designed for IT administration, attackers can bypass traditional security measures and maintain persistent access to compromised systems. Organizations must adopt a proactive and layered security approach, combining employee education, robust technical controls, and vigilant monitoring to defend against such sophisticated threats.
