CyberSecurity SEE

Cyber Attackers Leveraging Legitimate Software for Covert Attacks


A recent report by ReliaQuest documents the growing use of legitimate IT tools for malicious purposes, a pattern the report labels Commercial Applications, Malicious Operations (CAMO). Attackers take software built for IT management and software deployment and use it for ransomware distribution, network scanning, lateral movement, data exfiltration and command and control (C2).

The report stresses that CAMO is a significant risk because the tools involved are ones many organizations already run and already trust: their activity slips past security controls and can mislead analysts during an investigation, which lets the intrusion succeed. ReliaQuest recommends its GreyMatter Hunt packages to build a baseline of the IT tools actually in use, detect tool usage that falls outside that baseline, and apply mitigations before an attacker can exploit the gap.

CAMO overlaps with Living Off the Land Binaries and Scripts (LOLBAS) in that both abuse a program's intended functionality rather than exploiting a vulnerability. The difference is where the program comes from: LOLBAS relies on utilities already shipped with the operating system, whereas CAMO brings in third-party software, whether open-source, freely available or cracked commercial tools. Because much of that software carries a valid code-signing certificate, it passes signature-based policies and reputation checks that would block an unsigned payload.

Cybercriminals frequently discuss the use of legitimate tools on underground forums, and the tools that come up most often include PDQ Deploy, Rclone, SoftPerfect and AnyDesk. These tools give attackers two advantages: their activity is hard to distinguish from routine administration, and they lower the barrier to entry for less skilled threat actors, who no longer need custom tooling for deployment, transfer or remote access.

The report further finds that threat actors are increasingly choosing CAMO techniques specifically to avoid detection and to hinder investigation. By using deployment products such as PDQ Deploy and Total Software Deployment, they fold malicious actions into what looks like routine software rollout, which traditional defensive measures are not tuned to flag.

In some of the analyzed cases, threat actors used PDQ Deploy to push ransomware across the estate and Total Software Deployment to install ScreenConnect on additional hosts for lateral movement. The report's recommended mitigations are network segmentation and application whitelisting; since these tools are validly signed, an allow list has to be scoped by host role and approved publisher rather than relying on signature validity alone.

Ransomware groups including "Inc Ransom" and "Black Basta" have used the same kind of tooling, namely SoftPerfect and AnyDesk, to compromise systems and exfiltrate data. SoftPerfect served for network scanning and target identification, while AnyDesk provided the remote access used for hands-on activity, both of which blend into legitimate operations and so help the actors evade detection.

To address these threats, the report advises organizations to block unauthorized cloud services (the destination of choice for Rclone-based exfiltration), restrict Remote Monitoring and Management (RMM) tools to the hosts and accounts that legitimately need them, and closely monitor for suspicious activity from tools that are otherwise expected on the network. Understanding these techniques and addressing them proactively lets organizations protect their assets and reduce the likelihood of a successful attack.
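As an added example (not code from the ReliaQuest report or from the GreyMatter Hunt packages it recommends), the following Python script shows the baseline-then-hunt approach described above applied to process-creation telemetry. It keys on the binary's original file name rather than its name on disk so a renamed AnyDesk still matches, never treats a valid signature as a reason to suppress an alert, and separately flags Rclone runs whose destination is a cloud remote. The field names, the original-file-name values in the tool catalogue, the baseline and every event are constructed for illustration and are not real logs.

```python
"""
Baseline-then-hunt for CAMO tooling over process-creation telemetry.
Added example, not code from the ReliaQuest report. The catalogue entries,
field names, baseline and events below are constructed for illustration.
"""
import ntpath
import re
from typing import Optional

# Tools the report names as abused, keyed by the binary's original file name
# (Sysmon OriginalFileName / PE VersionInfo), which survives an attacker
# renaming the file on disk. The exact names are assumptions.
CAMO_TOOLS = {
    "pdqdeployconsole.exe": ("PDQ Deploy", "deployment"),
    "anydesk.exe": ("AnyDesk", "rmm"),
    "screenconnect.clientservice.exe": ("ScreenConnect", "rmm"),
    "rclone.exe": ("Rclone", "transfer"),
    "netscan.exe": ("SoftPerfect Network Scanner", "scanner"),
}

# Baseline: hosts on which each tool is sanctioned (in practice taken from an
# asset inventory). An empty set means the tool is not approved anywhere.
BASELINE = {
    "PDQ Deploy": {"it-admin-01"},
    "SoftPerfect Network Scanner": {"it-admin-01"},
    "Rclone": {"backup-srv-01"},
    "AnyDesk": set(),
    "ScreenConnect": set(),
}

# An rclone remote looks like "mega:backup" or "s3:bucket/path"; a Windows
# drive letter such as "D:\Finance" must not match.
REMOTE_RE = re.compile(r"^(?![A-Za-z]:\\)[A-Za-z0-9_-]+:")


def rclone_cloud_destination(cmdline: str) -> Optional[str]:
    """Return the destination of an rclone copy/sync/move when it is a remote.
    Assumes 'rclone <verb> <src> <dst> [flags]'; flags placed before the
    positional arguments are not handled."""
    args = cmdline.split()
    if len(args) < 4 or args[1].lower() not in {"copy", "sync", "move"}:
        return None
    dest = args[3]
    return dest if REMOTE_RE.match(dest) else None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for a CAMO tool running outside its baseline, else None.
    A valid signature is never a reason to stay quiet: these tools are signed."""
    orig = event.get("orig_name", "").lower()
    if orig not in CAMO_TOOLS:
        return None
    tool, category = CAMO_TOOLS[orig]
    reasons = []
    if event["host"] not in BASELINE.get(tool, set()):
        reasons.append(f"{tool} ({category}) not baselined on {event['host']}")
    on_disk = ntpath.basename(event["image"]).lower()
    if on_disk != orig:
        reasons.append(f"binary renamed on disk: {on_disk} -> {orig}")
    if not event.get("signed", False):
        reasons.append("signature missing or invalid")
    if tool == "Rclone":
        remote = rclone_cloud_destination(event["cmdline"])
        if remote:
            reasons.append(f"rclone writing to cloud remote {remote}")
    if not reasons:
        return None
    severity = "critical" if any(
        "cloud remote" in r or "renamed" in r for r in reasons) else "high"
    return {"host": event["host"], "user": event["user"], "tool": tool,
            "severity": severity, "reasons": reasons}


def hunt(events: list) -> list:
    """Run every event through evaluate() and keep the alerts, in order."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed events in a Sysmon-like shape; hostnames, users and paths are fictional.
EVENTS = [
    {"host": "it-admin-01", "user": r"CORP\jsmith", "signed": True, "orig_name": "PDQDeployConsole.exe",
     "image": r"C:\Program Files\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe", "cmdline": "PDQDeployConsole.exe"},
    {"host": "fin-ws-17", "user": r"CORP\svc-print", "signed": True, "orig_name": "PDQDeployConsole.exe",
     "image": r"C:\Users\svc-print\Downloads\PDQDeployConsole.exe", "cmdline": "PDQDeployConsole.exe"},
    {"host": "hr-ws-05", "user": r"CORP\mlee", "signed": True, "orig_name": "AnyDesk.exe",
     "image": r"C:\Users\Public\Music\svchost_update.exe", "cmdline": "svchost_update.exe --silent"},
    {"host": "fileserver-02", "user": r"CORP\svc-backup", "signed": True, "orig_name": "rclone.exe",
     "image": r"C:\PerfLogs\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance mega:backup --transfers 8"},
    {"host": "backup-srv-01", "user": r"CORP\svc-backup", "signed": True, "orig_name": "rclone.exe",
     "image": r"C:\Tools\rclone\rclone.exe", "cmdline": r"rclone.exe sync E:\Backups \\nas01\backups"},
    {"host": "it-admin-01", "user": r"CORP\jsmith", "signed": True, "orig_name": "netscan.exe",
     "image": r"C:\Tools\netscan\netscan.exe", "cmdline": "netscan.exe"},
    {"host": "dc-01", "user": "NT AUTHORITY\\SYSTEM", "signed": False, "orig_name": "ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\Temp\ScreenConnect.ClientService.exe", "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "hr-ws-05", "user": r"CORP\mlee", "signed": True, "orig_name": "notepad.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["tool"], "; ".join(alert["reasons"]))
```

Run against the constructed events, the script stays silent on the sanctioned PDQ Deploy, SoftPerfect and local Rclone activity and raises four alerts: PDQ Deploy on a finance workstation, a renamed AnyDesk binary, Rclone copying a finance share to a cloud remote, and an unsigned ScreenConnect client on a domain controller. The baseline is what makes this work; without an inventory of where each tool legitimately runs, every sighting looks the same.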
