Distribution of Malware Abusing LogMeIn and PDQ Connect
AhnLab SEcurity intelligence Center (ASEC) recently identified cases of attacks abusing the RMM (Remote Monitoring and Management) tools LogMeIn Resolve (GoTo Resolve) and PDQ Connect. While the initial distribution method is unknown, the attacks involve a legitimate-looking website that disguises the malware as a normal program. When a user downloads and installs the program, an additional malware strain with data exfiltration capabilities is also installed.
1. Distribution Method
The initial distribution method of LogMeIn is unknown, but it is presumed to have been distributed disguised as a legitimate program. The LogMeIn installer used in the attack was found installed under the following file names:
- Telegram.exe
- Microsoft.exe
- chatgpt.exe
- OpenAI.exe
- notepad++.exe
- 7-zip.exe
- winrar.exe
- Videolan.exe
- divine.exe
- module_required.exe
- windows12_installer.exe
The user appears to have reached the website through an unknown path and installed LogMeIn Resolve from the following download page. These websites disguise themselves as download pages for free utilities such as Notepad++ and 7-Zip, but actually deliver the threat actor’s LogMeIn Resolve installer.

Figure 1. Download page disguised as a utility site
2. LogMeIn
LogMeIn is an RMM tool that supports remote support, patch management, and monitoring. Because it is a legitimately installed remote-control tool rather than malware such as a backdoor or RAT, various threat actors abuse it, deliberately relying on it to bypass detection by security products. Unlike typical malware, such tools are difficult for firewalls and antivirus software to simply detect and block.
In LogMeIn Resolve, the internal configuration file contains information about the administrator who built the installer, which in this case is the threat actor. In particular, the “CompanyId” field holds the ID of the administrator or threat actor who created the LogMeIn Resolve installation file, so it can be used to identify the threat actor. [1]

Figure 2. Configuration data of LogMeIn Resolve
In the attack campaigns exploiting LogMeIn Resolve identified in Korea, three different “CompanyId” values were used.
- Threat Actor’s CompanyId – 1: 8347338797131285527
- Threat Actor’s CompanyId – 2: 1995653637248077072
- Threat Actor’s CompanyId – 3: 4586548334491124754
If a user installs LogMeIn disguised as a legitimate utility, the system is registered with LogMeIn’s infrastructure under the threat actor’s account and can then be controlled by the threat actor. The threat actor used LogMeIn to execute PowerShell commands and install the PatoRAT backdoor.

Figure 3. Malware installation log using LogMeIn Resolve
3. PDQ Connect
PatoRAT has also been installed through PDQ Connect, not only through LogMeIn Resolve. PDQ Connect is an RMM tool that, like LogMeIn Resolve, provides features such as software package distribution, patch management, inventory, and remote control. The threat actors abused PDQ Connect in the same way as LogMeIn Resolve, executing PowerShell commands to install PatoRAT.

Figure 4. Malware installation log using PDQ Connect
4. PatoRAT
The final payload installed by the threat actor through LogMeIn Resolve and PDQ Connect is PatoRAT. Developed in Delphi, PatoRAT is a backdoor that supports remote control and information theft. Internal strings such as debug logs are written in Portuguese. The malware is classified as PatoRAT based on its ClientID.

Figure 5. Portuguese included in the binary
The configuration data is encrypted with a 1-byte XOR using the key 0xAA and stored as an RCDATA resource under the name “APPCONFIG”. Once decrypted, it contains the clientTag, the mutex name, the C&C server address list, and a flag value.

Figure 6. Configuration data stored in the resource section
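The following script is an added example for analysts, not code from the original post: it pulls the RCDATA resource named APPCONFIG out of a PE file (using the third-party pefile package, an assumption), undoes the 1-byte XOR with 0xAA described above, and lists the printable strings so the clientTag, mutex name and C&C addresses can be read. The layout of the decrypted data is not described on the page, so no field parsing is attempted; the embedded sample blob is constructed for offline testing and is not a real PatoRAT configuration.

```python
import re
import sys

XOR_KEY = 0xAA             # single-byte key reported for PatoRAT's APPCONFIG resource
RESOURCE_NAME = "APPCONFIG"

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the 1-byte XOR. XOR is its own inverse, so this also re-encodes."""
    return bytes(b ^ key for b in data)

def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII so the decoded config can be read by eye."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def extract_appconfig(pe_path: str) -> bytes:
    """Locate the RCDATA resource named APPCONFIG in a PE file (requires pefile)."""
    import pefile  # third-party; imported here so the rest of the script runs without it
    pe = pefile.PE(pe_path)
    rcdata_id = pefile.RESOURCE_TYPE["RT_RCDATA"]
    for res_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if res_type.id != rcdata_id:
            continue
        for entry in res_type.directory.entries:
            name = str(entry.name) if entry.name is not None else str(entry.id)
            if name.upper() != RESOURCE_NAME:
                continue
            leaf = entry.directory.entries[0].data.struct   # first language entry
            return pe.get_data(leaf.OffsetToData, leaf.Size)
    raise ValueError(f"no RCDATA resource named {RESOURCE_NAME} in {pe_path}")

# Constructed sample (NOT a real PatoRAT config): a made-up plaintext encoded with 0xAA
# exactly as the real resource is, so the decoder can be exercised without a sample file.
SAMPLE_PLAIN = b"clientTag=patolino|mutex=EXAMPLE_MUTEX|c2=203.0.113.10:4444|flag=1"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)

def decode_sample() -> list:
    """Decode the constructed sample and return its printable strings."""
    return printable_strings(xor_decode(SAMPLE_ENCODED))

if __name__ == "__main__":
    # Usage: python patorat_config.py <sample.exe>; without an argument the constructed blob is used.
    blob = extract_appconfig(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENCODED
    for s in printable_strings(xor_decode(blob)):
        print(s)
```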
When PatoRAT is executed, it sends the following basic information about the infected system to the C&C server.
| Item | Information |
|---|---|
| Packet identify id | Infected System ID (combination of information such as CPU, environment variables, computer name, and volume serial number) |
| country | Locale information |
| ComputerName | Computer name |
| user | User name |
| os | Operating system information |
| version | 1.6.1 |
| performance Memoria | Memory usage |
| activeWindow | Active window |
| Screens MonitorsResolutions | Resolution |
| privileges | Permission to execute malware |
| clientTag | “patolino” or “secondfloor” |
| SDK | SDK installation status |
Table 1. Information sent by PatoRAT
Afterward, it supports the following commands received from the C&C server.
| Category | Command |
|---|---|
| Remote Control | Mouse control, download and execute, execute PowerShell commands, manipulate clipboard, update, shutdown, restart |
| Screen Control | HVNC, remote desktop |
| Information Gathering | Keylogging, screen capturing, steal web browser credentials |
| Others | Install localtonet (port forwarding is suspected), scan QR code, plugin support |
Table 2. Supported commands
5. Conclusion
Recently, there have been attacks that install backdoor malware using LogMeIn Resolve and PDQ Connect. LogMeIn Resolve is installed through a page disguised as a legitimate utility download site, and the threat actors then use the RMM tool to install the PatoRAT backdoor. Users should download utilities only from the official website and verify the version information and digital certificate of the downloaded file to make sure they are installing the intended program. They should also keep their operating systems and security products up to date to protect themselves from known threats.