Article Details

Scrape Timestamp (UTC): 2026-01-23 11:23:18.955

Source: https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html

Original Article Text


Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access

Cybersecurity researchers have disclosed details of a new dual-vector campaign that uses stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts.

"Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust," KnowBe4 Threat Labs researchers Jeewan Singh Jalal, Prabhakaran Ravichandhiran, and Anand Bodke said. "By stealing a 'skeleton key' to the system, they turn legitimate Remote Monitoring and Management (RMM) software into a persistent backdoor."

The attack unfolds in two distinct waves: the threat actors first use fake invitation notifications to steal victim credentials, then use those credentials to deploy RMM tools and establish persistent access.

The bogus emails are disguised as an invitation from Greenvelope, a legitimate platform, and aim to trick recipients into clicking a phishing URL that harvests their Microsoft Outlook, Yahoo! and AOL.com login information. Once this information is obtained, the attack moves to the next phase.

Specifically, the threat actor registers with LogMeIn using the compromised email to generate RMM access tokens. These tokens are then deployed in a follow-on attack through an executable named "GreenVelopeCard.exe" to establish persistent remote access to victim systems. The binary, signed with a valid certificate, contains a JSON configuration that silently installs LogMeIn Resolve (formerly GoTo Resolve) and connects it to an attacker-controlled URL without the victim's knowledge.

With the RMM tool deployed, the threat actors use the remote access to alter its service settings so that it runs with unrestricted access on Windows. The attack also establishes hidden scheduled tasks that automatically relaunch the RMM program even if the user manually terminates it.

To counter the threat, organizations are advised to monitor for unauthorized RMM installations and unusual usage patterns.
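The monitoring advice above is easier to act on with concrete telemetry. As an added example that is not from the article or from KnowBe4, the Python below hunts constructed Windows event records (System event 7045, new service installed, and Security event 4698, scheduled task created) for RMM agents outside an allowlist, and escalates when a service install and a scheduled task for the same product land on one host within a window, or when the task XML is marked hidden. The indicator strings, binary paths, service and task names, and the empty allowlist are all assumptions for illustration, not artifacts published for this campaign.

```python
"""Hunt Windows event logs for unauthorized RMM installs and persistence.

Added example: the events below are constructed for illustration, shaped
like System event 7045 (new service installed) and Security event 4698
(scheduled task created). Indicator patterns, paths and the allowlist
are assumptions, not artifacts published for the campaign.
"""
import re
from datetime import datetime, timedelta

# Assumed indicator patterns for RMM agents (substrings seen in binary
# paths, service names and task commands). Extend per environment.
RMM_PATTERNS = {
    "LogMeIn Resolve": re.compile(r"logmein|goto\s*resolve", re.I),
}

# Assumed allowlist: RMM products IT actually operates. Empty here, so
# every RMM sighting is a finding; a real deployment lists its own tool.
SANCTIONED_RMM = set()

HIDDEN_TASK = re.compile(r"<Hidden>\s*true\s*</Hidden>", re.I)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)


def classify_rmm(text):
    """Return the RMM product name matched in text, or None."""
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(text):
            return product
    return None


def inspect_event(event):
    """Turn one event into a finding dict, or None if it is not RMM-related."""
    base = {"host": event["Computer"],
            "time": datetime.fromisoformat(event["TimeCreated"])}
    if event["EventID"] == 7045:
        product = classify_rmm(event["ImagePath"]) or classify_rmm(event["ServiceName"])
        if product and product not in SANCTIONED_RMM:
            return {**base, "type": "rmm_service_install", "product": product,
                    "hidden": False, "detail": event["ImagePath"]}
    elif event["EventID"] == 4698:
        xml = event["TaskContent"]
        for command in TASK_COMMAND.findall(xml):
            product = classify_rmm(command)
            if product and product not in SANCTIONED_RMM:
                return {**base, "type": "rmm_scheduled_task", "product": product,
                        "hidden": bool(HIDDEN_TASK.search(xml)),
                        "detail": event["TaskName"]}
    return None


def hunt(events, window=timedelta(hours=24)):
    """Group findings per host and product. Severity is high when a service
    install and a scheduled task for the same product land on one host
    within the window (the chain described in the article), or when the
    task is hidden; a lone sighting is medium."""
    grouped = {}
    for finding in filter(None, map(inspect_event, events)):
        grouped.setdefault((finding["host"], finding["product"]), []).append(finding)
    alerts = []
    for (host, product), findings in grouped.items():
        types = {f["type"] for f in findings}
        times = sorted(f["time"] for f in findings)
        chained = ({"rmm_service_install", "rmm_scheduled_task"} <= types
                   and times[-1] - times[0] <= window)
        hidden = any(f["hidden"] for f in findings)
        alerts.append({"host": host, "product": product,
                       "severity": "high" if chained or hidden else "medium",
                       "findings": sorted(findings, key=lambda f: f["time"])})
    return alerts


# Constructed sample telemetry (not real logs). Paths and names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "TimeCreated": "2026-01-20T09:12:03",
     "ServiceName": "ResolveAgent",
     "ImagePath": r"C:\Program Files\LogMeIn Resolve\agent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 4698, "Computer": "WS01", "TimeCreated": "2026-01-20T09:12:41",
     "TaskName": r"\Maintenance\Updater",
     "TaskContent": ("<Task><Settings><Hidden>true</Hidden></Settings>"
                     "<Actions><Exec><Command>"
                     r"C:\Program Files\LogMeIn Resolve\agent.exe"
                     "</Command></Exec></Actions></Task>")},
    {"EventID": 7045, "Computer": "WS02", "TimeCreated": "2026-01-20T10:00:00",
     "ServiceName": "PrintWorkflowUserSvc",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k PrintWorkflow",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 4698, "Computer": "WS03", "TimeCreated": "2026-01-20T11:30:00",
     "TaskName": r"\Backup\Nightly",
     "TaskContent": ("<Task><Settings><Hidden>false</Hidden></Settings>"
                     r"<Actions><Exec><Command>C:\Tools\backup.exe</Command>"
                     "</Exec></Actions></Task>")},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["product"],
              [f["type"] for f in alert["findings"]])
```

In practice the records would come from a SIEM export or Get-WinEvent rather than an inline list. Two caveats: event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that before relying on it; and because the RMM binary is legitimately signed, the allowlist carries the whole decision, so it must name exactly the tool IT sanctions and nothing broader.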

Daily Brief Summary

CYBERCRIME // Phishing Campaign Exploits RMM Software for Persistent System Access

Cybersecurity researchers exposed a dual-vector phishing campaign leveraging stolen credentials to deploy Remote Monitoring and Management (RMM) software for persistent remote access to compromised systems.

Attackers bypass traditional security measures by using legitimate IT tools, turning them into backdoors, rather than deploying custom malware.

The attack begins with fake emails disguised as invitations from Greenvelope, tricking users into providing credentials for platforms like Microsoft Outlook and Yahoo!.

Stolen credentials are used to register with LogMeIn, generating RMM access tokens, which are deployed via an executable to establish remote access.

The RMM tool, once installed, is manipulated to run with unrestricted access, and hidden scheduled tasks ensure its persistence even after manual termination attempts.

Organizations are advised to monitor for unauthorized RMM installations and unusual usage patterns to detect and mitigate such threats effectively.

This incident underlines the importance of vigilance against phishing tactics and the need for robust monitoring of IT tools within corporate environments.