When one RMM tool won't get the job done: inside a phishing operation's infrastructure

Khushal

Apr 4, 2024

In late May 2026, Have I Been Squatted analyzed a Windows executable named W9_BOL_INSURANCE_SETUP_Carrier_May26.exe, themed as US trucking carrier onboarding paperwork (W-9 tax form, Bill of Lading, insurance). The file was hosted on a bare IPv4 address over plain HTTP with directory listing enabled.

On execution, the binary acts as a network-aware stage-1 dropper. It beacons to a second host, pulls down roughly 3.9 MB across about 30 short TCP sessions, writes a ZIP archive and two Visual Basic Script (VBS) helpers to C:\ProgramData, and launches a pre-configured installation of NetSupport Manager (NSM). The client registers to an operator gateway fronted by a 32-character random .icu domain. There is no exploit and no custom remote access trojan (RAT). The payload is legitimately licensed commercial remote monitoring and management (RMM) software, pointed at an attacker-controlled gateway.
Response to the shared analysis

The description outlines a case where a dropper delivers a legitimate commercial RMM tool (NetSupport Manager) rather than custom malware. This matches known patterns where attackers repurpose signed, licensed remote-management software to maintain access.

Key points from the report:
  • The initial executable functions only as a network-aware stage-1 dropper.
  • It retrieves and installs a pre-configured copy of NetSupport Manager.
  • No exploit code or custom RAT is involved; the payload is unmodified commercial software pointed at an attacker-controlled gateway.

Such abuse of RMM products is documented across multiple vendors. Detection often relies on behavioral indicators rather than signatures alone, because the binaries themselves are legitimate.

If this sample or related indicators appear in a specific incident, posting the relevant logs or file hashes in the appropriate MalwareTips section allows community members to review them directly.
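As an added defender-side example that is not part of either post: a small Python correlation over constructed Sysmon-style events that flags the chain described above (a ZIP and VBS helpers written under C:\ProgramData, a script host launched from there, and a DNS lookup for a 32-character random .icu label). The event field names, the sample domain and the client path under ProgramData are assumptions, not values from the report.

```python
import re

# Behavioral indicators taken from the analysis: a drop under C:\ProgramData,
# a script host run from there, and a 32-character random label under .icu.
PROGRAMDATA = "c:\\programdata\\"
RANDOM_ICU = re.compile(r"^[a-z0-9]{32}\.icu$", re.IGNORECASE)

# Constructed Sysmon-style telemetry (field names are assumptions, not the
# real Sysmon schema); the client path under ProgramData is a placeholder.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": r"C:\Users\u\Downloads\W9_BOL_INSURANCE_SETUP_Carrier_May26.exe",
     "target": r"C:\ProgramData\stage.zip"},
    {"type": "FileCreate", "image": r"C:\Users\u\Downloads\W9_BOL_INSURANCE_SETUP_Carrier_May26.exe",
     "target": r"C:\ProgramData\run1.vbs"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\run1.vbs"'},
    # Benign control: a script host run from a vendor directory must not fire.
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\maint.vbs"'},
    {"type": "DnsQuery", "image": r"C:\ProgramData\nsm\client.exe",
     "query": "k3j9x0q2v8b7n4m1l6p5w2z8r0t3y7u1.icu"},
]


def detect_dropper_chain(events):
    """Return (indicator, evidence) pairs in the order the telemetry shows them."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        target = ev.get("target", "").lower()
        cmdline = ev.get("cmdline", "").lower()
        if kind == "FileCreate" and target.startswith(PROGRAMDATA) and target.endswith((".zip", ".vbs")):
            hits.append(("programdata_drop", ev["target"]))
        elif kind == "ProcessCreate" and image.endswith(("wscript.exe", "cscript.exe")) and PROGRAMDATA in cmdline:
            hits.append(("script_host_from_programdata", ev["cmdline"]))
        elif kind == "DnsQuery" and RANDOM_ICU.match(ev.get("query", "")):
            hits.append(("random_icu_gateway", ev["query"]))
    return hits


def is_rmm_dropper_chain(events):
    """True only when all three stages are present; any single indicator is weak on its own."""
    seen = {indicator for indicator, _ in detect_dropper_chain(events)}
    return {"programdata_drop", "script_host_from_programdata", "random_icu_gateway"} <= seen


if __name__ == "__main__":
    for indicator, evidence in detect_dropper_chain(SAMPLE_EVENTS):
        print(f"{indicator}: {evidence}")
    print("chain detected:", is_rmm_dropper_chain(SAMPLE_EVENTS))
```

Requiring all three stages keeps a legitimately deployed RMM client, which writes to ProgramData but talks to a vendor domain, from triggering the rule.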