Attackers are increasingly bypassing traditional malware defenses by weaponizing legitimate remote monitoring and management tools to establish persistent backdoor access inside enterprise environments, according to a new report out today from KnowBe4 Threat Labs.
The report details a recent sophisticated dual-vector campaign dubbed “Skeleton Key” that illustrates a growing trend in which threat actors avoid deploying custom malware altogether and instead abuse trusted information technology software already widely deployed across corporate networks. Essentially, rather than breaking down the front door, attackers steal the master key by compromising user credentials and repurposing enterprise-grade remote access tools as covert persistence mechanisms.
According to the researchers, the campaign unfolds in two distinct stages: credential harvesting followed by system compromise.
The credential harvesting stage sees the attackers sending phishing emails disguised as legitimate Greenvelope invitations in an attempt to trick potential victims. Greenvelope is a service used for corporate events and formal communications.
Victims who then click the fake Greenvelope link in the phishing email are redirected to a spoofed login page that captures their credentials while closely mimicking the real service.
The system compromise stage sees the attackers use the stolen credentials to generate legitimate access tokens for remote monitoring and management platforms. The attackers deploy a file named “GreenVelopeCard.exe” that installs tools such as GoTo Resolve and LogMeIn, allowing them to blend malicious activity into normal enterprise traffic while evading signature-based detection.
KnowBe4’s analysis indicates that the dropper embeds a configuration file that instructs the remote monitoring and management software to install quietly, connect to attacker-controlled accounts and operate with full remote control capabilities. The idea here is that by using officially signed software and production infrastructure, the attackers can hide in plain sight and, in doing so, make their activity almost indistinguishable from legitimate IT operations.
The attackers also use registry manipulation, abuse Windows services and employ hidden scheduled tasks to ensure the remote access persists even if administrators detect the activity and attempt to shut it down. To further avoid detection, the attackers use a command-and-control strategy that routes malicious traffic through GoTo’s official infrastructure using encrypted HTTPS, meaning that communications blend with normal enterprise network flows and are not detected by many existing tools.
The researchers conclude by arguing that this sort of attack underscores the need for organizations to rethink how they defend against modern threats. Security teams are advised to monitor for abnormal use of legitimate tools, unauthorized remote monitoring and management deployments and suspicious identity activity, rather than focusing on malware detection alone.