Phishing Campaign Weaponizes Legitimate LogMeIn RMM for System Persistence

The Rise of "Tool-Based" Backdoors

Researchers have uncovered a "Dual-Vector" campaign that uses stolen credentials to deploy LogMeIn (GoTo Resolve)—a legitimate IT management tool—for malicious remote access. Kian Technologies highlights that these attacks are harder to detect because they use "Trusted" software.

The Attack Workflow

• Phase 1: Credential Theft: Phishing emails disguised as "Greenvelope" invitations trick users into logging into fake Outlook or Yahoo pages.
• Phase 2: RMM Deployment: Using stolen credentials, attackers register with LogMeIn and deploy a signed binary, GreenVelopeCard.exe.
• Phase 3: Persistence: The tool is configured to run as a system service with hidden scheduled tasks, ensuring it restarts even if the user terminates it.

Defense Strategies

To counter these "Skeleton Key" attacks, organizations must move beyond simple antivirus. Kian Technologies recommends:

• MFA Implementation: Multi-factor authentication is the only way to stop stolen credentials from being used.
• RMM Monitoring: Use EDR tools to flag any unauthorized installations of LogMeIn, AnyDesk, or ScreenConnect.
• Binary Whitelisting: Restrict the execution of new binaries unless they are pre-approved by the IT department.

Become a Malware Analysis Expert As hackers switch to modern languages like Golang to build evasive tools, the industry needs experts who can deconstruct and stop these threats. Join the Best Ethical Hacking Institute in Bhilai & Raipur: Learn Malware Analysis, Reverse Engineering, and Advanced Threat Hunting. Enroll now to start your journey in Cybersecurity!