Malware-as-a-Service Operators Pose as Legitimate RMM Providers to Evade Detection
TrustConnect: A Malware-as-a-Service Platform
A newly discovered malware-as-a-service (MaaS) platform, dubbed TrustConnect, has been posing as a legitimate remote monitoring and management (RMM) tool. Despite its innocuous appearance, TrustConnect allows customers to launch malicious campaigns with ease. The platform was taken down earlier this month, only to resurface under a different brand.
Features and Functionality
TrustConnect’s website, which appears to have been created with the aid of artificial intelligence, offers a user-friendly interface for customers to manage infected devices. For a monthly fee of $300, paid in cryptocurrency, users can access a command-and-control (C2) dashboard to view and manage compromised devices, execute commands, transfer files, and even assume complete control of a victim’s machine.
The platform also provides options for generating installers that masquerade as popular software applications, such as Zoom, Microsoft Teams, Adobe Reader, or Google Meet. These installers come complete with authentic brand icons and metadata, making them nearly indistinguishable from legitimate software. Additionally, TrustConnect offers installers that imitate documents related to business proposals or government entities, such as the Social Security Administration.
Research and Discovery
Researchers at Proofpoint discovered that TrustConnect’s techniques and delivery methods overlap with those commonly used in RMM campaigns by multiple threat actors. The platform also offers “Quick Deploy Commands,” which are PowerShell scripts that can be used to install the malware, likely intended for use in social engineering schemes. Furthermore, users can integrate TrustConnect with Telegram bots to receive notifications when devices connect or disconnect.
The TrustConnect campaign began on January 27, when a legitimate extended validation (EV) certificate was purchased under the name TrustConnect Software PTY LTD. The certificate was used to sign the malware, which was then distributed via email. Lure themes included invitations to bid on business proposals and fake software updates.
Disruption and Reemergence
On February 6, TrustConnect’s EV certificate was revoked due to efforts by Proofpoint and researchers at The Cert Graveyard. Although the website stopped accepting new subscriptions, existing customers could continue using the MaaS, as previously signed malware files remained valid. By February 17, Proofpoint had worked with industry partners to take down the TrustConnect website, disrupting the service’s infrastructure and operations.
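The two details above that matter most to defenders are the installers that carry a real brand’s icons and version metadata (Zoom, Microsoft Teams, Adobe Reader, Google Meet) and the genuine EV certificate, issued to “TrustConnect Software PTY LTD,” that made those installers pass signature checks even after revocation. As an added illustration, not code from Proofpoint or from the original article, the Python below shows the check an endpoint or mail-gateway pipeline can apply: compare the publisher that signed a file against the publisher that the file’s own metadata claims, and surface files whose signing certificate has since been revoked even when a timestamp countersignature keeps the signature validating. The EXPECTED_PUBLISHERS table, the SignedInstaller record layout and the three sample records are constructed assumptions; a real deployment would populate the record from a PE parser and a signature verifier and maintain the table from its own software inventory.

```python
"""Flag installers whose Authenticode signer does not match the product their
version metadata claims, and surface revoked signing certificates.

Added example for this article; the record layout, publisher table and sample
records are constructed assumptions, not data from Proofpoint's research."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASSUMPTION: illustrative table of products named in the article and the
# publisher names that legitimately sign them (lower-cased, whitespace-normalised).
EXPECTED_PUBLISHERS: Dict[str, Set[str]] = {
    "zoom": {"zoom video communications, inc."},
    "microsoft teams": {"microsoft corporation"},
    "adobe reader": {"adobe inc.", "adobe systems incorporated"},
    "google meet": {"google llc"},
}


@dataclass
class SignedInstaller:
    """Fields a scanner would fill from the PE VERSIONINFO resource and from
    Authenticode verification; constructed layout, not a real library's."""
    filename: str
    product_name: str          # VERSIONINFO ProductName
    company_name: str          # VERSIONINFO CompanyName
    signer_cn: Optional[str]   # subject CN of the leaf signing cert; None if unsigned
    signature_valid: bool      # hash and chain verified at scan time
    cert_revoked: bool         # revocation status looked up at scan time
    timestamped: bool          # countersignature present, so revocation alone may not fail verification


def normalize(name: str) -> str:
    return " ".join(name.lower().split())


def claimed_product(product_name: str) -> Optional[str]:
    """Return the well-known product the metadata claims to be, if any."""
    text = normalize(product_name)
    for key in EXPECTED_PUBLISHERS:
        if key in text:
            return key
    return None


def assess(inst: SignedInstaller) -> Tuple[str, List[str]]:
    """Return ('allow' | 'block', findings) for one installer record."""
    findings: List[str] = []
    product = claimed_product(inst.product_name)
    expected = EXPECTED_PUBLISHERS.get(product, set()) if product else set()

    if inst.signer_cn is None:
        findings.append("unsigned binary")
    else:
        if not inst.signature_valid:
            findings.append("signature does not verify")
        # The core check: a genuine certificate issued to the wrong company.
        if product and normalize(inst.signer_cn) not in expected:
            findings.append(
                f"publisher mismatch: '{inst.product_name}' metadata but signed by '{inst.signer_cn}'"
            )
        if inst.cert_revoked:
            msg = "signing certificate revoked"
            if inst.timestamped and inst.signature_valid:
                msg += " (timestamped, so the signature still validates; treat as untrusted regardless)"
            findings.append(msg)

    # Copied brand metadata usually matches; flag it when it does not.
    if product and normalize(inst.company_name) not in expected:
        findings.append(f"CompanyName '{inst.company_name}' is not a known publisher of '{product}'")

    return ("block" if findings else "allow"), findings


# Constructed sample records: a genuine Zoom installer, a lookalike signed with
# the revoked TrustConnect certificate, and an unsigned "business proposal" lure.
SAMPLE_INSTALLERS = [
    SignedInstaller("ZoomInstaller.exe", "Zoom", "Zoom Video Communications, Inc.",
                    "Zoom Video Communications, Inc.", True, False, True),
    SignedInstaller("Zoom_Update.exe", "Zoom", "Zoom Video Communications, Inc.",
                    "TrustConnect Software PTY LTD", True, True, True),
    SignedInstaller("Business_Proposal.exe", "Business Proposal Viewer", "Unknown Vendor",
                    None, False, False, False),
]


def scan(installers: List[SignedInstaller]) -> Dict[str, Tuple[str, List[str]]]:
    return {inst.filename: assess(inst) for inst in installers}


if __name__ == "__main__":
    for name, (verdict, findings) in scan(SAMPLE_INSTALLERS).items():
        print(f"{name}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

The publisher comparison is what catches the case the article describes: the signature on the lookalike is cryptographically sound and was issued by a real CA, so a check that stops at “signed and chains to a trusted root” passes it. Treating a revoked certificate as disqualifying even when a timestamp keeps the signature verifying is what removes the window the article notes between February 6 and February 17, during which previously signed files remained usable.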
However, the service soon reemerged with a new payload called “DocConnect” or “SHIELD OS v1.0,” and a new C2 panel built as a React Single Page Application (SPA) with a Supabase backend. Researchers also noted that the Telegram handle “zacchyy09,” which prospective customers were instructed to contact, had been listed by the Dutch National Police and other law enforcement partners as a VIP customer of the Redline infostealer.
Conclusion
The disruption of MaaS operations like Redline, Lumma Stealer, and Rhadamanthys has created opportunities for malware creators to fill gaps in the cybercrime market. While these disruptions impose costs on adversaries, emerging malware demonstrates that threat actors will continue to seek new ways to compromise victims.
