
New malware-as-a-service fronts as legit RMM provider

A new malware-as-a-service (MaaS) remote access trojan (RAT) called TrustConnect — which was taken down earlier this month but later reemerged under a different brand — presents itself as a legitimate remote monitoring and management (RMM) tool, but lets customers easily launch malicious campaigns, Proofpoint revealed Thursday.

Proofpoint found that the TrustConnect website, which appears to have been created with the assistance of AI, offers a front end where customers sign up, pay and then log in to a command-and-control (C2) panel for the MaaS.

Customers pay $300 a month in cryptocurrency for the service and can use the C2 dashboard to view and manage infected devices, run commands, transfer files, or take complete keyboard-and-mouse control of a victim’s machine.

Customers can also use the panel to generate installers designed to impersonate specific brands such as Zoom, Microsoft Teams, Adobe Reader, or Google Meet, complete with brand icons and metadata.

There are also options for installers that imitate documents such as business proposals or correspondence from government entities like the Social Security Administration, as well as TrustConnect-branded installers that present the download as a legitimate RMM.

"Although TrustConnect only masqueraded as a legitimate RMM [in this case], the lures, attack chains, and follow-on payloads show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors," wrote the Proofpoint researchers.

TrustConnect also offers “Quick Deploy Commands,” PowerShell scripts that install the malware and are likely meant for use in ClickFix social engineering schemes. Customers can integrate TrustConnect with Telegram bots to receive Telegram notifications when devices connect or disconnect.

A quick look at the TrustConnect takedown

Attackers began sending emails to distribute the RAT around Jan. 27 of this year, when a legitimate extended validation (EV) certificate was purchased under the name TrustConnect Software PTY LTD and used to sign the malware.

Proofpoint observed email lure themes including invitations to bid, event invitations and fake DocuSign documents. The researchers found that in some cases, TrustConnect was distributed alongside legitimate RMMs such as ScreenConnect and LogMeIn Resolve.

On Feb. 6, TrustConnect’s EV certificate was revoked because of efforts by Proofpoint and researchers at The Cert Graveyard. Around the same time, TrustConnect stopped accepting new subscriptions through its website, but existing customers could continue using the MaaS, as previously signed malware files remained valid.
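As an added defender-side example (not code from Proofpoint or the article), the PowerShell script below hunts a set of directories for installers signed under the certificate name reported above, or whose version metadata claims one of the impersonated brands while the signer does not match. The scanned paths and the expected-signer mapping are assumptions to adjust locally.

```powershell
# Added example, not code from Proofpoint or the article. Assumes Windows PowerShell 5.1+
# and read access to the scanned paths; the expected-signer mapping is an assumption.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    # Signer organisation names to treat as malicious; the first is the name the article reports.
    [string[]]$BadSigners = @("TrustConnect Software PTY LTD")
)

# Brands the installers imitate, mapped to the organisation expected in a genuine signer
# subject (assumed values; verify against known-good installers in your environment).
$ExpectedSigner = @{
    "Zoom"      = "Zoom Video Communications"
    "Microsoft" = "Microsoft Corporation"
    "Adobe"     = "Adobe Inc."
    "Google"    = "Google LLC"
}

function Test-SuspiciousInstaller {
    param([System.IO.FileInfo]$File)
    $sig     = Get-AuthenticodeSignature -FilePath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
    $reasons = @()

    # A Valid status must not clear a blocklisted signer: files signed before the
    # certificate was revoked kept validating, so match on the signer name directly.
    foreach ($bad in $BadSigners) {
        if ($subject -like "*$bad*") { $reasons += "signer on blocklist: $bad" }
    }
    if ($sig.SignerCertificate -and $sig.Status -ne 'Valid') {
        $reasons += "signed but status $($sig.Status): $($sig.StatusMessage)"
    }

    # Brand impersonation: version metadata names a vendor the signer does not match.
    $info    = $File.VersionInfo
    $claimed = "$($info.CompanyName) $($info.ProductName) $($info.FileDescription)"
    foreach ($brand in $ExpectedSigner.Keys) {
        if ($claimed -match $brand -and $subject -notlike "*$($ExpectedSigner[$brand])*") {
            $reasons += "metadata claims $brand but signer is '$subject'"
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Path = $File.FullName; Signer = $subject; Reasons = ($reasons -join '; ') }
    }
}

Get-ChildItem -Path $Paths -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousInstaller -File $_ } |
    Format-Table -AutoSize -Wrap
```

Each flagged file lists every reason it tripped, so a TrustConnect-signed installer carrying Zoom metadata is reported for both the blocklisted signer and the brand mismatch.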

By Feb. 17, Proofpoint had worked with industry partners, who chose to stay anonymous, to take down the TrustConnect website, further disrupting the service’s infrastructure and operations. However, shortly afterward, the service reemerged testing a new payload called “DocConnect” or “SHIELD OS v1.0,” and using a React Single Page Application (SPA) with a Supabase backend for its new C2 panel.

Proofpoint noted that the Telegram handle “zacchyy09,” which prospective customers were instructed to contact after open sign-ups were closed, was listed as a VIP Redline infostealer customer by Dutch National Police and other law enforcement partners as part of the October 2024 Operation Magnus disruption effort.

"Disruptions to MaaS operations like Redline, Lumma Stealer, and Rhadamanthys, have created new opportunities for malware creators to fill gaps in the cybercrime market," wrote the researchers. "While these disruptions are effective and impose cost on adversaries, emerging malware shows threat actors will always be looking for new ways to compromise victims."  
