
Incident responders, s'il vous plait: Invites lead to odd malware events

A phishing campaign tracked as STAC6405 uses event invitation lures to trick users into installing pre-configured legitimate RMM tools like LogMeIn Resolve and ScreenConnect. Once initial access is established, attackers deploy secondary payloads including HeartCrypt-packed infostealers and additional remote access tools, and use utilities to hide their activity from the user.

Sensitivity: 24h | Confidence: high | Analyzed: 2026-03-30 | Category: reports

Authors: Vidura Ehalapitiya

Actors: STAC6405, ValleyRAT, HeartCrypt

Source: Sophos

IOCs · 6

Key Takeaways

  • Threat actors are using phishing emails disguised as event invitations to trick users into installing pre-configured legitimate RMM tools like LogMeIn Resolve and ScreenConnect.
  • The campaign, tracked as STAC6405, leverages compromised third-party email accounts to send lures and bypass trust mechanisms.
  • Post-compromise activity includes deploying HeartCrypt-packed infostealers (similar to ValleyRAT) and additional RMM tools like SimpleHelp.
  • Attackers use utilities like HideMouse.exe to conceal malicious remote activity from the victim by making the cursor invisible.

Affected Systems

  • Windows

Attack Chain

The attack begins with phishing emails disguised as event invitations containing links to attacker-controlled distribution sites. Victims download and execute a pre-configured legitimate RMM installer (LogMeIn Resolve or ScreenConnect), granting the attacker unattended remote access. In subsequent stages, the attacker uses the RMM to drop secondary payloads, such as a HeartCrypt-packed infostealer injected into csc.exe, or additional Java-based RATs and RMM tools like SimpleHelp. Utilities like HideMouse.exe are used to conceal the malicious remote activity from the victim.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Sophos XDR

The article provides SQL-based queries for Sophos XDR to identify process activity spawning from malicious binaries, recent RMM installations, and active connections via LogMeIn or ScreenConnect.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can easily detect the installation of RMM tools, process injection into csc.exe, and WMI queries targeting AV products.
  • Network Visibility: Medium — Network traffic is likely encrypted (TripleDES, HTTPS), but connections to known malicious IPs or unexpected RMM relay domains can be detected.
  • Detection Difficulty: Moderate — The use of legitimate RMM tools (LogMeIn, ScreenConnect) blends in with normal administrative activity, making initial access hard to distinguish from benign behavior without strict application control.

Required Log Sources

  • Process Creation (Event ID 4688)
  • Network Connections
  • Service Creation (Event ID 7045)
  • WMI Activity

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Attackers are using legitimate RMM tools to establish persistence and C2. | Process execution and network connections. | Command and Control | High
Malware is injecting into the legitimate csc.exe process to evade detection. | Process creation and API monitoring (process injection). | Defense Evasion | Low
Attackers are enumerating installed AV products using WMI queries. | WMI activity logs. | Discovery | Medium

Control Gaps

  • Lack of Application Control for RMM tools
  • Permissive outbound network filtering

Key Behavioral Indicators

  • Unexpected installation of LogMeIn Resolve or ScreenConnect
  • csc.exe making external network connections
  • Execution of HideMouse.exe or similar cursor-hiding utilities
  • WMI queries targeting AntiVirusProduct
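The hunting hypotheses and behavioral indicators above expressed as rules run over a small set of constructed telemetry events. This is an added illustration, not the Sophos XDR queries the report provides; the event field names, the approved-RMM-host set and the sample hosts, paths and addresses are assumptions.

```python
import ipaddress

# RFC 1918 and loopback ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Product strings for the RMM tools named in the report. The approved-host set is an
# assumption standing in for the organisation's real RMM allowlist.
RMM_MARKERS = ("screenconnect", "logmein", "simplehelp", "simplegateway")
APPROVED_RMM_HOSTS = {"it-admin-01"}

# Constructed telemetry (not from the report): simplified stand-ins for
# service-creation (7045), process-creation (4688), WMI and network-connection logs.
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
SC_SVC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
EVENTS = [
    {"type": "service", "host": "WS-042", "name": "ScreenConnect Client (constructed)", "image": SC_SVC},
    {"type": "service", "host": "IT-ADMIN-01", "name": "ScreenConnect Client (constructed)", "image": SC_SVC},
    {"type": "process", "host": "WS-042", "image": r"C:\Users\u\AppData\Local\Temp\HideMouse.exe"},
    {"type": "wmi", "host": "WS-042", "query": "SELECT * FROM AntiVirusProduct"},
    {"type": "network", "host": "WS-042", "image": CSC, "remote_ip": "203.0.113.10"},
    {"type": "network", "host": "BUILD-01", "image": CSC, "remote_ip": "10.0.0.5"},
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Map one event to (indicator, FP risk from the hunting table) or None."""
    t = event["type"]
    if t == "service" and any(m in (event["name"] + event["image"]).lower() for m in RMM_MARKERS):
        if event["host"].lower() not in APPROVED_RMM_HOSTS:
            return ("unexpected_rmm_install", "High")     # legitimate-tool abuse: noisy
    if t == "network" and basename(event["image"]) == "csc.exe" and is_external(event["remote_ip"]):
        return ("csc_external_connection", "Low")        # the compiler has no reason to reach out
    if t == "process" and basename(event["image"]) == "hidemouse.exe":
        return ("cursor_hiding_utility", "Low")          # not rated in the report; Low assumed
    if t == "wmi" and "antivirusproduct" in event["query"].lower():
        return ("av_enumeration_wmi", "Medium")          # SELECT * FROM AntiVirusProduct
    return None

def hunt(events):
    """Return (host, indicator, fp_risk) for every event that matches a rule."""
    return [(e["host"], *hit) for e in events if (hit := evaluate(e))]
```

The approved-host check is what keeps the RMM rule usable: without an allowlist it fires on every sanctioned ScreenConnect or LogMeIn install, which is the High FP risk the hunting table records.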

False Positive Assessment

  • Medium (Legitimate use of LogMeIn Resolve, ScreenConnect, and SimpleHelp in enterprise environments may trigger false positives if alerting is solely based on their presence).

Recommendations

Immediate Mitigation

  • Block the provided IOCs (IPs, domains, URLs) at the firewall and web proxy.
  • Isolate any endpoints showing unexpected LogMeIn Resolve or ScreenConnect installations.

Infrastructure Hardening

  • Implement an Application Control policy to block unauthorized RMM tools.
  • Uninstall LogMeIn and other RMM tools if not required for business purposes.

User Protection

  • Enforce the use of secure password managers or migrate to passkeys to harden credential management.

Security Awareness

  • Train users to identify phishing emails, especially those disguised as event invitations or tender bids.
  • Educate employees on the risks of downloading software from unverified links.

MITRE ATT&CK Mapping

  • T1566.002 - Spearphishing Link
  • T1204.002 - Malicious File
  • T1678 - Delay Execution
  • T1555.003 - Credentials from Web Browsers
  • T1518.001 - Security Software Discovery
  • T1082 - System Information Discovery
  • T1119 - Automated Collection
  • T1219 - Remote Access Software
  • T1573 - Encrypted Channel

Additional IOCs

  • Domains:
    • [.]ru[.]com - Base domain used for separate distribution subdomains.
  • Command Lines:
    • SELECT * FROM AntiVirusProduct | Purpose: Enumerate installed antivirus products on the compromised host. | Tools: WMI | Stage: Discovery
  • Other:
    • Invitation.exe - Malicious RMM installer filename.
    • ContractAgreementToSign.exe - Malicious RMM installer filename.
    • Diverse-Build-Solution.exe - Malicious RMM installer filename.
    • invt-list2025.exe - Malicious RMM installer filename.
    • SPCL_INVITE_RSVP_2025.exe - Malicious RMM installer filename.
    • statmts_PDF-10.25.exe - Malicious RMM installer filename.
    • 8776_6713_exe.zip - ZIP file downloaded via ScreenConnect containing secondary payloads.
    • HideMouse.exe - Utility used to create a transparent cursor and hide malicious RMM activity.
    • 8776_6713.exe - HeartCrypt-packed infostealer payload.
    • invite.exe - Downloaded binary that launches ScreenConnect and a Java-based RAT.
    • RemoteAccess.jar - Java-based remote access payload.
    • jwrapper_utils.jar - Java-based remote access payload component.
    • simplegateway.service - Malicious service registered by SimpleService.exe.
    • Remote Access.exe - Binary related to the SimpleHelp RMM tool.
    • EXLP2025 - Access code required to download the RSVP file from the Norton-themed lure (extracted from image).