Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a sophisticated attack campaign leveraging legitimate Remote Monitoring and Management (RMM) tools to deploy backdoor malware on unsuspecting users’ systems.
The attacks abuse LogMeIn Resolve (GoTo Resolve) and PDQ Connect, transforming trusted administrative tools into weapons for data theft and remote system compromise.
Although the initial infection vector has not been confirmed, ASEC found that the attackers lure victims with convincing fake websites posing as download portals for popular legitimate software.
These deceptive sites imitate official download pages for widely-used utilities, including Notepad++, 7-Zip, WinRAR, VLC Media Player, and even ChatGPT, but actually deliver the threat actor’s modified version of LogMeIn Resolve.

The malicious installers have been distributed under numerous disguised filenames designed to appear legitimate, including “notepad++.exe,” “7-zip.exe,” “winrar.exe,” “chatgpt.exe,” “OpenAI.exe,” and even “windows12_installer.exe.”
When users download and execute these files, they unknowingly install both the RMM tool and additional malware capable of stealing sensitive information.
LogMeIn Resolve is a legitimate RMM solution designed for IT professionals to provide remote support, patch management, and system monitoring.

However, those same capabilities make it an attractive tool for cybercriminals seeking to bypass traditional security defenses.
Unlike conventional malware, an RMM agent is legitimate, vendor-signed software whose remote command execution and file transfer look like ordinary administration, so antivirus products and firewalls rarely flag it and its traffic to the vendor's cloud blends in with sanctioned use.
The key to attributing an installer to a particular threat actor is LogMeIn Resolve's configuration file, specifically the "CompanyId" field, which holds the unique identifier of the administrator account that generated the installation package.
ASEC identified three distinct CompanyId values used in the Korean attack campaigns: 8347338797131280000, 1995653637248070000, and 4586548334491120000.
Once the agent is installed, the attackers control the host through LogMeIn's own infrastructure, which lets them execute PowerShell commands remotely and push additional malware payloads.
In addition to LogMeIn Resolve, threat actors have also weaponized PDQ Connect, another legitimate RMM tool offering software distribution, patch management, and remote control capabilities.
Similar to the LogMeIn attacks, PDQ Connect was abused to execute PowerShell commands that ultimately installed PatoRAT, a sophisticated backdoor malware.

The ultimate objective of these attacks is installing PatoRAT, a Delphi-developed backdoor with extensive data exfiltration and remote control capabilities.
Researchers identified Portuguese-language strings in the malware's code, suggesting a possible Brazilian origin. PatoRAT's configuration data is protected with single-byte XOR using the key 0xAA and is stored in the executable's resource section.
Upon execution, PatoRAT collects comprehensive system information including CPU details, computer name, operating system version, memory usage, active windows, screen resolutions, and user privileges before transmitting this data to command-and-control servers.
The malware supports a wide range of malicious functions including mouse control, keylogging, screen capturing, browser credential theft, remote desktop access through HVNC technology, PowerShell command execution, and clipboard manipulation.
It can also install the localtonet tunnelling client, presumably for port forwarding, and supports a plugin architecture for extended functionality.
Users should only download software from official vendor websites and verify digital signatures and version information before installation, checking in particular that the signer matches the software they meant to download: a file named "notepad++.exe" that is signed by an RMM vendor and installs a remote-support agent is the tell.
Organizations should maintain updated operating systems and security solutions, monitor for unauthorized RMM tool installations, and implement network-level controls to detect suspicious remote access activities.
Security teams should specifically watch for the identified CompanyId values and PatoRAT indicators of compromise within their environments to detect potential infections early.
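As an added example, not part of ASEC's report, the script below implements the two hunts the recommendations above call for: matching the published CompanyId values against LogMeIn Resolve configuration text, and flagging PowerShell or cmd.exe launched as a child of an RMM agent in process-creation telemetry (Sysmon Event ID 1 style fields). The configuration line format searched (a "CompanyId" token followed by a numeric value) is an assumption to be adapted to the real file, the RMM executable names are placeholders to be replaced with the names from the vendor documentation or your software inventory, and all sample events and configuration text are constructed.

```python
"""Added example: two hunts for the RMM-abuse activity described above.

Assumptions (not from the report): the CompanyId regex format, and the
RMM agent executable names, which are placeholders. Sample data is constructed.
"""
import ntpath
import re

# The three CompanyId values ASEC published for the Korean campaign.
CAMPAIGN_COMPANY_IDS = {
    "8347338797131280000",
    "1995653637248070000",
    "4586548334491120000",
}

# Assumed format: "CompanyId", up to a few separator chars, then the number.
COMPANY_ID_RE = re.compile(r"CompanyId\W{0,5}(\d{10,25})")

# Placeholder agent names; substitute the real image names from your inventory.
RMM_AGENT_IMAGES = {"resolve-agent.exe", "pdq-connect-agent.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# -e / -ec / -enc / -EncodedCommand, and -w hidden / -WindowStyle hidden.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\b")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")


def match_company_ids(config_text: str) -> list[str]:
    """Return every CompanyId found in config_text that is a campaign IoC."""
    return [cid for cid in COMPANY_ID_RE.findall(config_text)
            if cid in CAMPAIGN_COMPANY_IDS]


def find_rmm_shells(events: list[dict], rmm_images: set[str] = RMM_AGENT_IMAGES) -> list[dict]:
    """Flag shells spawned by an RMM agent; escalate encoded/hidden launches."""
    findings = []
    for ev in events:
        child = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if child not in SHELLS or parent not in rmm_images:
            continue
        cmd = ev.get("CommandLine", "")
        suspicious = bool(ENCODED_RE.search(cmd) or HIDDEN_RE.search(cmd))
        findings.append({
            "parent": parent,
            "child": child,
            "severity": "high" if suspicious else "medium",
            "command": cmd,
        })
    return findings


# Constructed process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\RMM\resolve-agent.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIABkAGUAbQBvAA=="},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\RMM\pdq-connect-agent.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\RMM\resolve-agent.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\update.ps1"},
]

# Constructed configuration text containing one campaign CompanyId.
SAMPLE_CONFIG = 'ServerUrl="https://example.invalid"\nCompanyId="8347338797131280000"\n'

if __name__ == "__main__":
    print("CompanyId hits:", match_company_ids(SAMPLE_CONFIG))
    for f in find_rmm_shells(SAMPLE_EVENTS):
        print(f["severity"], f["parent"], "->", f["child"], f["command"])
```

Even the "medium" findings deserve triage: an RMM agent that is not in the organisation's approved software list has no business spawning any shell, so in practice the parent-image allowlist, not the command-line heuristics, is what separates sanctioned administration from this campaign.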
