CyberSecurity SEE

Hackers Exploit NinjaOne RMM Agent for Remote Access to Brazilian Organizations

An active phishing campaign has emerged in Brazil, targeting organizations by exploiting a legitimate Remote Monitoring and Management (RMM) tool called NinjaOne. This malicious operation is particularly alarming as it provides adversaries with persistent remote access to their victims’ systems, leveraging an established software commonly used in business IT environments.

Unlike traditional phishing schemes that rely on bespoke malware, the attackers in this case have adopted a more sophisticated tactic. They manipulate familiar business processes and employ Portuguese-language social engineering to deceive employees in finance, procurement, accounting, and administrative roles. The deception encourages these staff members to install a digitally signed NinjaOne agent that, instead of reporting to a legitimate management tenant, connects to infrastructure controlled by the attackers.

The seriousness of this campaign is underscored by its ability to seamlessly blend into legitimate business workflows, making detection considerably more challenging for organizations. This abuse of a well-known RMM tool reflects a broader and concerning trend where adversaries increasingly exploit trusted enterprise applications to evade detection while gaining operational freedom.

The campaign typically starts with carefully designed phishing emails that direct potential victims through Googleusercontent redirection chains. These emails lead to Portuguese-language landing pages, which mimic official Brazilian processes related to SEFAZ fiscal documents and complaint-management sites that resemble services like Reclame Aqui. The attackers use localized terminology, such as “Documento Fiscal,” “Download Seguro,” and “Verificação de Segurança,” to bolster the credibility of their portals, instilling confidence in unwitting users.

Researchers from Cato CTRL have identified this previously undocumented phishing campaign aimed specifically at Brazilian organizations, which uses fake business documents as lures. Victims are walked through a mock verification flow and then prompted to click a download button. Instead of receiving a document, they download a genuine NinjaOne installer configured to enroll with management endpoints controlled by the attackers.

To further strengthen the deception, the filenames of the downloaded installers often embed fiscal document identifiers and contextual site references, which makes them appear legitimate. For instance, a filename might look like: “NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64.” Such tactics help attackers maintain the ruse.

Technical elements within the phishing infrastructure indicate a high level of operational maturity among the attackers. They implement geofencing measures that restrict payload deliveries to specific Brazilian IP ranges, and they utilize techniques like browser fingerprinting to identify automation frameworks or virtual environments (e.g., Selenium, Puppeteer). Furthermore, they employ behavioral checks that analyze mouse movements, scrolling, and touch events to ensure that an actual human is present during the interaction.

Honeypot fields and comments embedded in the JavaScript suggest a deliberate intent to obstruct analysis; for example, one comment in Portuguese translates to “The bot filled the honeypot.” This level of sophistication points to significant experience and planning on the part of the attackers.

Additionally, employing Cloudflare as a fronting service enhances the obscurity of their back-end operations while simplifying the download mechanism, further indicating that they prioritize social engineering techniques over complicated payload delivery strategies. These various protective measures are aimed at reducing the risk of exposure to cybersecurity researchers, thus allowing the infrastructure to remain operational for longer periods.

The implications of misusing NinjaOne are severe. As an enterprise-grade RMM solution, NinjaOne is designed to facilitate endpoint monitoring, remote shell access, file transfers, software deployment, patching, and automation. All of these features, when controlled by an attacker, can serve as tools for reconnaissance, persistent remote access, and lateral movement within victim networks, potentially leading to widespread data breaches.

In alignment with recent advisories from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the ongoing misuse of RMM tools for malicious activities is a pressing concern for organizations worldwide.

While Cato CTRL’s analysis primarily focused on a victim in the chemicals and advanced materials sector, the lure template identified is broadly applicable to various sectors that handle fiscal documents and transactional communications. Investigators have also uncovered potential overlaps with previous infrastructure linked to the Venon RAT activity in Brazil. However, any attribution remains tentative, necessitating further evidence.

As of early June 2023, various elements of the phishing infrastructure remain accessible despite responsible disclosures. Organizations are advised to approach unexpected document-download prompts with suspicion, verify distribution channels directly, and implement robust endpoint controls, including allowlisting for RMM installations. Furthermore, consulting vendor guidelines and joint advisories from CISA, NSA, and MS-ISAC can provide valuable defensive insights against such malicious uses of RMM platforms.
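The two defensive handles this article gives are the lure naming convention (a NinjaOne agent installer whose filename embeds a fiscal document identifier) and allowlisting of RMM installations. The following Python script, added here as an illustration and not taken from Cato CTRL or NinjaOne, applies both checks to a few constructed endpoint telemetry lines: it flags any NinjaOne agent installer whose name carries a "DocumentoFiscal" identifier, and any agent installer that was not fetched from the organization's own distribution host. The telemetry format, the `.msi` extension, the allowlisted hostname and all hostnames and usernames are assumptions made up for the example.

```python
import re
from urllib.parse import urlparse

# Hostnames the organization itself uses to distribute RMM agents.
# Hypothetical value for this example; each organization fills in its own.
ALLOWED_RMM_SOURCES = {"rmm.example-corp.internal"}

# Any installer whose name identifies it as the NinjaOne agent.
NINJAONE_INSTALLER_RE = re.compile(r"^NinjaOne-Agent-", re.IGNORECASE)

# The lure convention described in the article: "DocumentoFiscal" followed by
# a long digit run embedded in the installer name. A legitimately distributed
# agent installer has no reason to carry a fiscal document identifier.
LURE_TOKEN_RE = re.compile(r"DocumentoFiscal\d{8,}", re.IGNORECASE)

# Constructed sample telemetry, one installer execution per line:
#   <timestamp> host=<name> user=<name> file=<filename> src=<download URL or "-">
# The third line follows the lure naming pattern quoted in the article; the
# ".msi" extension and every host, user and URL are made up for this example.
SAMPLE_TELEMETRY = [
    "2023-06-01T09:12:03Z host=WS-FIN-07 user=ana.souza "
    "file=NinjaOne-Agent-Sede-Auto-x86-64.msi "
    "src=https://rmm.example-corp.internal/agents/NinjaOne-Agent-Sede-Auto-x86-64.msi",
    "2023-06-01T09:40:11Z host=WS-ACC-03 user=carlos.lima "
    "file=relatorio_junho.pdf "
    "src=https://intranet.example-corp.internal/docs/relatorio_junho.pdf",
    "2023-06-01T10:05:27Z host=WS-FIN-02 user=joao.melo "
    "file=NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64.msi "
    "src=https://download-seguro.example.invalid/verificacao/"
    "NinjaOne-Agent-DocumentoFiscal21782856920262001238-Sede-Auto-x86-64.msi",
    "2023-06-01T11:30:44Z host=WS-PRC-09 user=maria.dias "
    "file=NinjaOne-Agent-Sede-Auto-x86-64.msi src=-",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one telemetry line into its timestamp and key=value fields."""
    timestamp, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["timestamp"] = timestamp
    return event


def source_host(src):
    """Hostname the installer was downloaded from, or None when unknown ("-")."""
    if src == "-":
        return None
    return urlparse(src).hostname


def assess(event):
    """Return the reasons an RMM installer execution is suspicious (empty if none)."""
    filename = event.get("file", "")
    if not NINJAONE_INSTALLER_RE.match(filename):
        return []  # not an RMM agent installer; out of scope for this check
    reasons = []
    if LURE_TOKEN_RE.search(filename):
        reasons.append("lure-style filename: fiscal document identifier "
                       "embedded in agent installer name")
    host = source_host(event.get("src", "-"))
    if host is None:
        reasons.append("installer source unknown: not fetched from an "
                       "allowlisted distribution host")
    elif host not in ALLOWED_RMM_SOURCES:
        reasons.append(f"installer fetched from non-allowlisted host {host}")
    return reasons


def scan(lines):
    """Run assess() over telemetry lines and collect the events that need review."""
    findings = []
    for line in lines:
        event = parse_line(line)
        reasons = assess(event)
        if reasons:
            findings.append({
                "timestamp": event["timestamp"],
                "host": event.get("host"),
                "user": event.get("user"),
                "file": event.get("file"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_TELEMETRY):
        print(f"{finding['timestamp']} {finding['host']} {finding['user']} "
              f"{finding['file']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the sample data the first line (approved installer from the allowlisted host) and the second line (an ordinary PDF) produce nothing, while the lure-named installer from an outside host and the installer with no recorded download source are both reported. The source check is the one that generalizes: a renamed installer that drops the fiscal-document token still fails it unless it came from the organization's own channel.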

In sum, this disturbing phishing campaign exemplifies an ongoing trend where legitimate tools are manipulated for illegal purposes, endangering the cybersecurity landscape for businesses, particularly in Brazil. As organizations become increasingly aware of these threats, vigilance and proactive measures remain crucial to mitigate the risks of facing similar attacks in the future.
