Understanding and threat hunting for RMM software misuse | Intel 471

Understanding and threat hunting for RMM software misuse

Apr 15, 2025

Threat actors often use remote monitoring and management (RMM) software to install malware, disable security controls, escalate privileges and preserve continuing access to compromised networks. Although cybercriminals have leveraged RMM tools for years, they persisted in doing so well into 2024 — underscoring the growing threat posed by these tactics. These powerful tools are often already deeply integrated into organizations’ information technology (IT) workflows, making this software a prime candidate for attackers to subvert. Attackers can use RMM software to map a network and identify valuable assets. This enables their movement through networks, typically with credentials harvested from compromised systems, and eventually allows them to exfiltrate sensitive data and deploy ransomware. To ensure long-term access or facilitate additional malicious activities, threat actors often install secondary remote access or RMM tools post compromise. These tools are used to establish reverse connections to adversary-controlled servers and can serve as backups for remote desktop sessions. This can lead to widespread operational disruptions, significant financial losses and potential supply chain vulnerabilities.

RMM software is particularly attractive to threat actors due to the comprehensive remote administration capabilities and the perceived veneer of legitimacy. Even if an organization does not use a particular brand of RMM software, it may slip past security software if installed. This negates the need for threat actors to install their own custom tooling, which may be easier to detect.

This report analyzes and provides detection artifacts and threat hunting queries for three types of commonly abused RMM tools — AnyDesk, Atera Agent and MeshAgent. The threat hunt queries, which are at the end of this post, are free upon registration for the Community Portal of HUNTER, Intel 471’s threat hunting platform. Also at the end of this post are more threat hunt queries available to HUNTER subscribers for other RMM platforms. The full report and hunt queries, which are available to Intel 471 clients, cover NetSupport Manager, QuickAssist, ScreenConnect, Splashtop and TeamViewer. For the report, please contact Intel 471.

AnyDesk

AnyDesk is a remote desktop application that enables quick, secure connections across a range of devices. The software is widely used by businesses for legitimate purposes such as support, file transfer and real-time collaboration. However, threat actors frequently exploit it to gain unauthorized access to personal or financial data by tricking victims into installing the software. 

In December 2024, two separate campaigns documented by security vendors illustrated how threat actors continue to leverage AnyDesk for illicit activities. In the first campaign, an attacker posed as a known client during a Microsoft Teams call, convincing the victim to install AnyDesk, which facilitated the deployment of DarkGate malware. In the second campaign, threat actors capitalized on the previously patched CVE-2023-48788 vulnerability in a FortiClient endpoint management system (EMS) for initial access. After using a ScreenConnect executable file to gain remote access, they installed AnyDesk as a means of securing persistence on the compromised system. Furthermore, the Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert Jan. 17, 2025, about ongoing fraudulent attempts by unidentified threat actors to impersonate the agency through AnyDesk connection requests.

The image depicts a screenshot published Jan. 17, 2025, by the CERT-UA of fraudulent AnyDesk connection requests impersonating the organization.

The underground market is rife with offers from initial access brokers (IABs) of unauthorized network access via AnyDesk and other RMM tools. For instance, in December 2024, an actor known as Pirat-Networks offered AnyDesk account credentials with local domain administrator privileges to a U.S. vehicle tire vendor. Additionally, AnyDesk featured in ransomware activity by the Mad Liberator, Medusa, Rhysida and Cactus ransomware gangs.

Artifacts observed 

Running the installer creates several configuration files in the “%AppData%” directory and a dynamic-link library (DLL) file in the “%temp%” folder. 

C:\Users\%userprofile%\AppData\Roaming\AnyDesk\user.conf

C:\Users\%userprofile%\AppData\Roaming\AnyDesk\system.conf

C:\Users\%userprofile%\AppData\Roaming\AnyDesk\service.conf

C:\Users\%userprofile%\AppData\Local\Temp\gcapi.dll

Installing AnyDesk also results in the creation of a folder in the “%ProgramData%” directory to host the configuration files initially in the “%AppData%” directory. This folder is:

C:\ProgramData\AnyDesk\

DNS requests

One of the best opportunities for detection is monitoring domain name system (DNS) requests for the anydesk.com domain. In our tests, DNS resolutions to the following domains were observed: 

boot.net.anydesk.com

relay-8bd65c3e.net.anydesk.com

To increase the opportunities for early detection, we recommend monitoring or, where possible, blocking DNS requests that attempt to resolve names under the *.anydesk.com domain.

Atera Agent

Atera Agent is RMM software that equips IT teams with capabilities for remote access, patch management and system performance monitoring. While not as widely known as AnyDesk, Atera Agent also has been exploited by cybercriminals. In March 2024, the Iranian nation-state cyber espionage group MuddyWater aka TA450, Mango Sandstorm used Atera Agent in its operations. The campaign started with phishing emails with portable document format (PDF) attachments that contained malicious links. Clicking on these links triggered the download of a compressed ZIP archive, which included a compressed Microsoft software installer (MSI) file that installed Atera Agent upon execution. Similar exploitation of this RMM tool has been observed in multiple campaigns throughout 2024, with the majority reported by researchers via the X aka Twitter platform.

The image depicts a screenshot of a post by @1ZRR4H on X aka Twitter detailing a campaign that utilized Atera Agent on Nov. 8, 2024.

Another instance of Atera Agent being exploited by cybercriminals involves the ta55 persona. On June 12, 2024, ta55 offered to sell unauthorized access to an undisclosed hospital in Brazil that reportedly has an annual revenue of US $55 million and utilizes Microsoft Defender antivirus software. The access allegedly was gained via Atera Agent RMM software and included local administrator privileges.

Detection

Atera Agent 1.8.7.2 was the most popular version at the time of this report. Threat actors frequently package the Atera Agent installer within MSI files that decompress and execute the necessary components to deploy RMM software.

Artifacts observed during the run

The primary executable file is named “AteraAgent.exe” and its default installation directory is “%ProgramFiles%/ATERA Networks.” Note that depending on the system architecture, this installation directory may either be in the “C:\Program Files (x86)\” or “C:\Program Files\” folders. Alongside the main agent, several libraries and configuration files also are extracted to the installation folder, including:

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

Command-line arguments observed during the run

Atera Agent instances utilize a distinctive command line that offers key identifiers for detecting the use of this RMM. This command line includes the following parameters:

/i /IntegratorLogin="<email>" /CompanyId="<digit>" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="<alphanumeric string>" /AgentId="<uuid>"
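The following is an added example, not code from the report or from Atera, that turns the command-line pattern above into a hunt: it parses the `/Key="value"` parameters from process-creation command lines, requires the tenant-identifying trio (IntegratorLogin, CompanyId, AgentId) before calling an event an Atera install, and checks that the values have the shapes described above. Host names, the e-mail address and the identifiers in the sample events are constructed placeholders.

```python
import re
from typing import Optional

# Parameters carried by the Atera Agent installer command line shown above; the first
# three identify the Atera tenant the agent will enrol into, which is what a hunt pivots on.
ATERA_KEYS = ("IntegratorLogin", "CompanyId", "AgentId", "AccountId",
              "IntegratorLoginUI", "CompanyIdUI", "FolderId")

# /Key="value" or /Key=value pairs as they appear on the msiexec command line
_PARAM_RE = re.compile(r'/(?P<key>[A-Za-z]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_atera_cmdline(cmdline: str) -> Optional[dict]:
    """Return the Atera installer parameters found in a process command line,
    or None when the line does not carry the tenant-identifying parameters."""
    params = {}
    for m in _PARAM_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        params[m.group("key")] = value
    if not {"IntegratorLogin", "CompanyId", "AgentId"}.issubset(params):
        return None
    result = {k: params.get(k, "") for k in ATERA_KEYS}
    # Sanity checks on the shapes the report describes: <digit> and <uuid>
    result["company_id_is_numeric"] = result["CompanyId"].isdigit()
    result["agent_id_is_uuid"] = bool(_UUID_RE.match(result["AgentId"]))
    return result


def hunt_atera_installs(events):
    """events: iterable of dicts with 'host' and 'cmdline' keys, as extracted from
    process-creation telemetry (Sysmon event 1 or Windows 4688). One finding per install."""
    findings = []
    for ev in events:
        parsed = parse_atera_cmdline(ev["cmdline"])
        if parsed:
            findings.append({"host": ev["host"], **parsed})
    return findings


# Constructed sample events (not real telemetry); hosts, e-mail and IDs are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS01",
     "cmdline": 'msiexec.exe /i setup.msi /IntegratorLogin="ops@example.test" /CompanyId="1234" '
                '/IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="abc123DEF" '
                '/AgentId="0f8fad5b-d9cb-469f-a165-70867728950e" /qn'},
    {"host": "WS02", "cmdline": "msiexec.exe /i vendor_update.msi /qn"},
]

if __name__ == "__main__":
    for finding in hunt_atera_installs(SAMPLE_EVENTS):
        print(finding)
```

The extracted IntegratorLogin and CompanyId are worth pivoting on across the fleet: an Atera tenant that is not the organization's own is the finding, not the presence of msiexec.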

DNS requests

During Atera Agent runs, we observed connections to specific servers within the Atera infrastructure. The DNS requests made before these connections can serve as another detection opportunity for Atera Agent activity. Here are some examples of DNS resolution attempts we observed:

agent-api.atera.com

ps.atera.com

To increase the opportunities for early detection, we recommend monitoring or, where possible, blocking DNS requests that attempt to resolve names under the *.atera.com domain.
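As an added example covering both the AnyDesk and the Atera Agent DNS sections (this is not code from the report), the function below runs a strict suffix match over DNS query logs: the apex and any subdomain of anydesk.com or atera.com match, while a lookalike such as notanydesk.com, a trailing dot or mixed case do not cause misses or false hits. The log format and client addresses are constructed for the example.

```python
from collections import defaultdict
from typing import Optional, Tuple

# Domain suffixes for the RMM platforms covered in this report; extend with the
# suffixes of whatever RMM products the organization does not sanction.
RMM_DOMAIN_SUFFIXES = {
    "anydesk.com": "AnyDesk",
    "atera.com": "Atera Agent",
}

def rmm_for_hostname(qname: str) -> Optional[str]:
    """Map a queried name to an RMM product by strict suffix match, so that
    'boot.net.anydesk.com' and the apex 'anydesk.com' match but a lookalike
    such as 'notanydesk.com' does not. Trailing dot and case are normalised."""
    host = qname.rstrip(".").lower()
    for suffix, product in RMM_DOMAIN_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return product
    return None

def parse_dns_line(line: str) -> Tuple[str, str, str]:
    """Constructed log format for this example: '<timestamp> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return ts, client, qname

def hunt_rmm_dns(lines):
    """Return, per (client, product), when that client first resolved an RMM domain
    and the distinct names it asked for; first-seen is what an analyst triages."""
    first_seen = {}
    qnames = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname = parse_dns_line(line)
        product = rmm_for_hostname(qname)
        if product is None:
            continue
        key = (client, product)
        first_seen.setdefault(key, ts)
        qnames[key].add(qname.rstrip(".").lower())
    return {k: {"first_seen": first_seen[k], "qnames": sorted(qnames[k])} for k in first_seen}

# Constructed sample DNS query log (not real telemetry); client addresses are placeholders.
SAMPLE_DNS_LOG = """\
2025-03-01T09:00:01Z 10.1.2.3 boot.net.anydesk.com
2025-03-01T09:00:02Z 10.1.2.3 relay-8bd65c3e.net.anydesk.com
2025-03-01T09:05:00Z 10.1.2.9 agent-api.atera.com
2025-03-01T09:05:03Z 10.1.2.9 ps.atera.com
2025-03-01T09:06:00Z 10.1.2.4 notanydesk.com
2025-03-01T09:07:00Z 10.1.2.4 www.example.test
""".splitlines()
```

Calling hunt_rmm_dns(SAMPLE_DNS_LOG) yields one entry for the AnyDesk client and one for the Atera client; the host that queried notanydesk.com is not reported.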

MeshAgent 

MeshAgent is the client component of MeshCentral, an open source remote device management platform. It relies on a “mesh” (MSH) configuration file containing essential parameters — MeshName, MeshID, ServerID and the command-and-control (C2) address — to connect to the MeshCentral server via the WebSocket protocol.

The image depicts a screenshot of the contents of a MeshAgent configuration file Oct. 7, 2024.

When the C2 address is accessed using hypertext transfer protocol secure (HTTPS), users encounter the MeshCentral login page.

As a powerful RMM tool, MeshAgent allows operators to control nearly every aspect of a device through the MeshCentral server. This includes viewing all devices within the mesh network, remotely managing desktops, transferring files and gathering detailed software and hardware information.

In May 2024, Cisco Talos researchers reported a campaign that had been active since at least 2021 allegedly orchestrated by the LilacSquid aka UAT-4820 group. The group leverages MeshAgent for maintaining post-compromise persistence following successful exploitation. Upon execution, MeshAgent connects to its C2 server, conducts initial reconnaissance and downloads or activates additional implants. Attackers obtained MeshAgent using the “bitsadmin” utility and then launched it to establish contact with the C2. In October 2024, another MeshAgent-based campaign was documented — this time attributed to Awaken Likho aka Core Werewolf, a group primarily targeting Russian government entities and enterprises. The campaign is believed to have started in June 2024 and continued through August 2024. While the attackers previously relied on the open source virtual network computing (VNC) utility UltraVNC for remote access, MeshAgent replaced UltraVNC in this latest operation. 

Separately, in April 2024, we released a report detailing the activities of the actor Tur0k aka AdmiralMoks, BabooLock, who offered MeshCentral-based remote access trojan (RAT) malware with information stealing, loader and persistence capabilities via a malware-as-a-service (MaaS) business model.

Detection

Although MeshAgent installers can be obtained from the official website at the provided link below, the URL rarely is observed in the wild. The availability of source code and official releases in the MeshAgent GitHub software development platform repository allows actors to make subtle modifications and customizations that thwart detection and threat hunting efforts. The current version of the project was 1.1.43 at the time of this report. Despite the higher degree of possible customization compared to other RMM software discussed in this report, there are still opportunities for detection.

Command-line arguments observed during the run

There are two command-line arguments that repeatedly appeared in our observations, although not always simultaneously. The “meshServiceName” argument allows users to choose a custom service name, which threat actors often use to disguise the agent as a benign application. The “installedByUser” argument displays the security identifier of the user who installed the tool.

--meshServiceName="<service name>"

--installedByUser="<security identifier>"

The following examples illustrate uses of the above command-line arguments, as observed in real-world scenarios used by threat actors:

--meshServiceName="PDFViewer"

--installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

Artifacts observed during the run

The default installation folder “Mesh Agent” usually is in the “C:\Program Files (x86)\” or “C:\Program Files\” folders. However, it is important to note that in practice, this location rarely is used as provided. Threat actors frequently rename binary code and folders to obscure their presence and hinder detection efforts.

C:\Program Files\Mesh Agent\MeshAgent.exe
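An added example (not code from the report or from the MeshCentral project) that covers both the command-line arguments and the install-folder artifact above: it pulls --meshServiceName and --installedByUser out of a process-creation event, flags a service name other than the default "Mesh Agent", flags a binary running outside the default folders, and parses the installing account's RID from the SID. The image paths, the renamed binary and the SID in the sample events are constructed placeholders.

```python
import re
from typing import Optional

DEFAULT_SERVICE_NAME = "Mesh Agent"
# Default install folders named in this report (compared case-insensitively)
DEFAULT_INSTALL_DIRS = (r"c:\program files\mesh agent", r"c:\program files (x86)\mesh agent")

_SERVICE_RE = re.compile(r'--meshServiceName=(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)
_USER_RE = re.compile(r'--installedByUser=(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)
# SID of a local or domain account: S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)$")

def _arg(regex, cmdline):
    m = regex.search(cmdline)
    if not m:
        return None
    return m.group("q") if m.group("q") is not None else m.group("b")

def analyze_meshagent(image_path: str, cmdline: str) -> Optional[dict]:
    """Inspect one process-creation event for the MeshAgent install arguments.
    Returns None when neither argument is present; otherwise the extracted values
    plus the reasons (possibly none) the event deserves a look."""
    service_name = _arg(_SERVICE_RE, cmdline)
    installed_by = _arg(_USER_RE, cmdline)
    if service_name is None and installed_by is None:
        return None
    reasons = []
    if service_name is not None and service_name != DEFAULT_SERVICE_NAME:
        reasons.append(f"custom service name {service_name!r} instead of {DEFAULT_SERVICE_NAME!r}")
    path = image_path.lower()
    if not any(path.startswith(d + "\\") for d in DEFAULT_INSTALL_DIRS):
        reasons.append(f"binary outside the default install folder: {image_path}")
    rid = None
    if installed_by is not None:
        m = _SID_RE.match(installed_by)
        if m:
            rid = int(m.group("rid"))  # the RID identifies the installing account
        else:
            reasons.append(f"installedByUser is not an account SID: {installed_by!r}")
    return {"service_name": service_name, "installed_by": installed_by,
            "installer_rid": rid, "reasons": reasons}

# Constructed sample events (not real telemetry); the SID and paths are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\pdfviewer.exe",
     "cmdline": r'"C:\Users\Public\pdfviewer.exe" --meshServiceName="PDFViewer" '
                r'--installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"'},
    {"image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "cmdline": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" --meshServiceName="Mesh Agent"'},
]
```

Run analyze_meshagent over each event's image and cmdline: the renamed agent in the first event produces two reasons, while the default install in the second produces none.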

There are other artifacts actors often forget when customizing, which can indicate a MeshAgent infection. These include the values of registry keys, as shown in the following list: 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent

HKEY_LOCAL_MACHINE\SOFTWARE\Open Source\Mesh Agent

Conclusion

As organizations increasingly rely on RMM tools for efficient oversight of their IT environments, threat actors are capitalizing on the significant opportunities these platforms provide for unauthorized access. RMM software is not only trusted but also deeply integrated into network operations, so malicious activity that uses these tools often blends in with legitimate network traffic, complicating detection efforts. With threat actors continually evolving their tactics, illicit RMM usage is likely to hold steady or increase.

To mitigate the escalating risks associated with RMM tools, a comprehensive defense strategy is critical. Detection efforts should include deploying endpoint detection and response (EDR) platforms, conducting network traffic analysis and utilizing behavior-based intrusion detection systems (IDSs) that are tuned specifically to recognize RMM-related activities. It also is vital to enforce stringent application allow listing and implement tight access controls that permit only vetted, preapproved RMM software across the organization, thereby minimizing the attack surface.

Additionally, security teams are advised to undertake threat hunting exercises routinely to detect early signs of misuse, such as anomalous network connections or other suspicious activities that may suggest unauthorized access. Below are several free threat hunt packages for the RMM software described in this blog post. This content is available in the Community Portal of the HUNTER threat hunting platform. Following the free content are more hunts available to HUNTER subscribers.

The Community Portal provides access to dozens of advanced behavioral threat hunting packages compatible with the most popular security information and event management (SIEM), EDR and logging software. Hunt packages are developed based on adversary tactics, techniques and procedures (TTPs) in the MITRE ATT&CK catalog as opposed to indicators of compromise (IoCs), which are short lived. This type of behavioral threat hunting is much more effective, as changing TTPs is more difficult for adversaries. Registration for the Community Portal is free.

Hunt package: HUNTER Community Portal link

MeshAgent Suspicious Child Process - Potential Malicious RMM Tool Usage: https://hunter.cyborgsecurity.io/research/hunt-package/749F7E2C-5EEB-407D-A5EF-CFCECBE5D810

AnyDesk Service Installation - Potentially Malicious RMM Tool Installation: https://hunter.cyborgsecurity.io/research/hunt-package/4103B086-F093-4084-9125-15B9A6C872B8

AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool: https://hunter.cyborgsecurity.io/research/hunt-package/93F71607-F35D-4AA6-AEC9-C2F8A62CBD8A

Remote Atera Agent Download - Command Line: https://hunter.cyborgsecurity.io/research/hunt-package/bb771c73-e7ab-4705-92a2-ce322b33621d

Hunt package: HUNTER platform link (subscriber only)

NetSupport Manager Execution from Abnormal Folder - Potential Malicious Use of RMM Tool: https://hunter.cyborgsecurity.io/research/hunt-package/3F329A8C-0102-4A61-8CF3-63948AAB5EF4

NetSupport Manager Service Install - Potentially Malicious RMM Tool Installation: https://hunter.cyborgsecurity.io/research/hunt-package/2C51DE08-F4B6-4952-B42B-3C27628ECC99

MeshAgent Service Installation: https://hunter.cyborgsecurity.io/research/hunt-package/30BD6983-BAC4-4645-AB55-68E52F11B5F5

AnyDesk Silent Installation - Potential Malicious RMM Tool Installation: https://hunter.cyborgsecurity.io/research/hunt-package/11353A3B-797D-45BC-BA32-3D10F14EDC82

AnyDesk Password Set Via CLI - Potential Malicious RMM Tool Installation: https://hunter.cyborgsecurity.io/research/hunt-package/8E0CF375-A8D7-46BD-B9B9-C7181B194706

SplashTop RMM Command Line Install: https://hunter.cyborgsecurity.io/research/hunt-package/d6ea6636-943e-4232-afb7-c67c5ec1c999

Remote Atera Agent Download - Web: https://hunter.cyborgsecurity.io/research/hunt-package/7ccc1404-1499-45ba-9c7d-59f42ba321e3

Atera Agent utilized for Unauthorized Remote Access: https://hunter.cyborgsecurity.io/research/hunt-package/b479f6b2-b14c-4667-be40-6ec310dbd934