
Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities and Legitimate Software

Threat actors are increasingly weaponizing legitimate software and known vulnerabilities to bypass endpoint detection and response (EDR) systems. Between December 2021 and December 2024, the abuse of legitimate Remote Access Tools (RATs) like NetSupport Manager and ConnectWise has surged, often delivered via phishing emails exploiting older Microsoft Office vulnerabilities to establish persistent, stealthy access.

Confidence: high | Analyzed: 2026-04-22 | Category: reports

Authors: Madalynn Carr

Actors: Loki Bot

Source: Cofense

Key Takeaways

  • Threat actors are increasingly leveraging legitimate software, particularly Remote Access Tools (RATs), to bypass EDR detection.
  • NetSupport Manager and ConnectWise are the most popular legitimate RATs abused, accounting for over 74% of observed instances.
  • Microsoft Office products are frequently targeted via older CVEs (e.g., CVE-2017-11882) to deliver these payloads.
  • Office macros have declined as a delivery mechanism since Microsoft began blocking VBA macros in files downloaded from the internet (Mark of the Web) by default in 2022.
  • The low cost and availability of free trials for legitimate RATs make them highly accessible and attractive to threat actors.

Affected Systems

  • Microsoft Office
  • Windows
  • macOS
  • Linux

Vulnerabilities (CVEs)

  • CVE-2017-0144 (Windows SMBv1, EternalBlue; not an Office delivery vector)
  • CVE-2021-44228 (Apache Log4j, Log4Shell; not an Office delivery vector)
  • CVE-2017-11882 (Microsoft Office Equation Editor memory corruption)
  • CVE-2017-0199 (Microsoft Office/WordPad OLE2Link remote code execution)
  • CVE-2018-0798 (Microsoft Office Equation Editor memory corruption)
  • CVE-2018-0806 (Microsoft Office Equation Editor memory corruption)

Attack Chain

Threat actors open with phishing emails carrying malicious attachments, typically Microsoft Office documents. The documents either exploit known vulnerabilities (e.g., CVE-2017-11882 in the Office Equation Editor, CVE-2017-0199 in the OLE2Link/HTA handler) or rely on macros to reach code execution. The payload is then a legitimate Remote Access Tool (NetSupport Manager, ConnectWise, FleetDeck, or Atera) rather than custom malware: it is signed, commercially distributed software, so it installs as a persistence mechanism that EDR tends to treat as ordinary administrative tooling, and it gives the operator an interactive foothold for lateral movement or data theft.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, queries, or signatures.

Detection Engineering Assessment

EDR Visibility: Medium. EDR sees the process execution, but the RAT binaries (NetSupport, ConnectWise, Atera) are signed, commercially distributed software that blends in with normal administrative activity, so standard behavioral alerts often do not fire.

Network Visibility: Medium. Traffic from these tools is TLS to either the vendor's cloud relays or, for NetSupport and self-hosted ConnectWise, a gateway the operator controls; without destination and host baselining it is hard to tell from legitimate administrative sessions, and deep packet inspection alone will not separate the two.

Detection Difficulty: Hard. Separating sanctioned use of ConnectWise or NetSupport from abuse requires behavioral baselining (which hosts run the tool, from which path, under which parent process), application control, and context from the email gateway.

Required Log Sources

  • Windows Security Event ID 4688 (Process Creation), with "Include command line in process creation events" enabled so the launched RAT's path and arguments are recorded
  • Sysmon Event ID 1 (Process Creation), which adds ParentImage and file hashes needed to tie the RAT back to the Office or Equation Editor parent
  • Sysmon Event ID 3 (Network Connection)
  • Email Gateway Logs, to trace the delivering message and attachment

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
--- | --- | --- | ---
Unexpected installations or executions of known RATs (NetSupport, ConnectWise, FleetDeck, Atera) whose parent is an Office application (Word, Excel) or a descendant of one. | Process Creation (Event ID 4688, Sysmon EID 1) | Execution | Low
Network connections to RAT infrastructure from endpoints that do not normally require remote administration. | Network Connections (Sysmon EID 3, Firewall Logs) | Command and Control | Medium
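Both hypotheses, together with the behavioral indicators listed further down (Office parent, user-writable path, RAT on a non-IT host), can be run as one pass over process and network telemetry. The script below is an added example written for this page, not code from the Cofense report or from this site. It walks constructed Sysmon-style EID 1 and EID 3 records; the RAT client file names, the authorized-host baseline and the sample events are assumptions and should be replaced with what your estate actually deploys. One caveat it encodes that a naive "Word spawned something" rule misses: the Equation Editor CVEs (CVE-2017-11882, CVE-2018-0798, CVE-2018-0806) execute inside EQNEDT32.EXE, which Office launches via DCOM, so the dropped child's parent is eqnedt32.exe rather than winword.exe.

```python
"""Hunt legitimate-RAT abuse in Sysmon-style process and network events.

Added example for this page (not the Cofense report's own code). Records are
constructed inline as flat dicts; a real pipeline would feed parsed Sysmon
EID 1 / EID 3 (or Security 4688) events in the same shape.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Client binaries of the legitimate RATs the report names. File names are
# assumptions from product knowledge, not from the report; tune to your estate.
RAT_BINARIES = {
    "client32.exe": "NetSupport Manager",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "screenconnect.windowsclient.exe": "ConnectWise Control",
    "ateraagent.exe": "Atera",
    "fleetdeck_agent.exe": "FleetDeck",
}

# Office parents. EQNEDT32.EXE is included because the Equation Editor CVEs
# run inside it (launched via DCOM), so the child's parent is not winword.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "eqnedt32.exe"}

# Hosts where RAT activity is expected (assumed baseline of IT admin machines).
AUTHORIZED_RAT_HOSTS = {"IT-ADMIN01"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    product: str
    detail: str


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def _is_user_writable(path: str) -> bool:
    """True for locations an IT-deployed RAT install does not run from."""
    p = path.lower()
    return "\\users\\" in p or "\\windows\\temp\\" in p


def hunt(events, authorized_hosts=AUTHORIZED_RAT_HOSTS):
    """Return Findings for the three behaviours in the hunting hypotheses."""
    findings = []
    for e in events:
        image = _image_name(e["Image"])
        product = RAT_BINARIES.get(image)
        if product is None:
            continue  # not a RAT binary; nothing to assess
        host = e["Computer"]
        if e["EventID"] == 1:
            parent = _image_name(e.get("ParentImage", ""))
            if parent in OFFICE_PARENTS:
                findings.append(Finding(host, "office_spawned_rat", product,
                                        f"{parent} -> {image}"))
            if _is_user_writable(e["Image"]):
                findings.append(Finding(host, "rat_in_user_writable_path",
                                        product, e["Image"]))
            detail = f"{image} executed"
        elif e["EventID"] == 3:
            detail = (f"{image} -> {e.get('DestinationHostname', '?')}:"
                      f"{e.get('DestinationPort', '?')}")
        else:
            continue
        # Sanctioned use is confined to the admin baseline. This is the noisiest
        # of the three rules (medium FP risk in the table) and needs triage.
        if host.upper() not in authorized_hosts:
            findings.append(Finding(host, "rat_activity_on_unmanaged_host",
                                    product, detail))
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # Equation Editor exploit drops a NetSupport client into the user profile.
    {"EventID": 1, "Computer": "FIN-WS07",
     "Image": r"C:\Users\jdoe\AppData\Roaming\ctfmon\client32.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared"
                    r"\EQUATION\EQNEDT32.EXE"},
    # The same client then connects out to an operator-run gateway.
    {"EventID": 3, "Computer": "FIN-WS07",
     "Image": r"C:\Users\jdoe\AppData\Roaming\ctfmon\client32.exe",
     "DestinationHostname": "gateway.example.net", "DestinationPort": 443},
    # Helpdesk use from the approved admin host: installed path, service parent.
    {"EventID": 1, "Computer": "IT-ADMIN01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc)"
              r"\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Unrelated process on the finance workstation.
    {"EventID": 1, "Computer": "FIN-WS07",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:32} {f.product:20} {f.detail}")
```

Run against the sample, the finance workstation produces four findings (the Office-parent and user-writable-path rules fire on the NetSupport drop, and the unmanaged-host rule fires on both the execution and the outbound connection), while the helpdesk host's ScreenConnect service produces none. That split is the point of the baseline: the same binary is benign or hostile depending on where it runs, from which path, and under which parent.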

Control Gaps

  • EDR relying solely on signature-based detection for known bad malware
  • Lack of application whitelisting/control for remote access tools

Key Behavioral Indicators

  • Office applications spawning unusual child processes
  • Execution of RAT binaries from temporary or user profile directories
  • Unexpected presence of RAT software on non-IT endpoints

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Patch Microsoft Office and Windows against the CVEs listed above (e.g., CVE-2017-11882, CVE-2017-0199). Microsoft removed the Equation Editor (EQNEDT32.EXE) in the January 2018 security updates; confirm the binary is actually absent from Office installs, since its removal closes CVE-2017-11882, CVE-2018-0798 and CVE-2018-0806 together.
  • Verify that Office's default of blocking macros in files downloaded from the internet (Mark of the Web) is enforced by Group Policy and cannot be overridden by users; check the policy rather than assuming the default survived imaging.

Infrastructure Hardening

  • Implement application control/whitelisting to block unauthorized Remote Access Tools (RATs) like NetSupport Manager, ConnectWise, FleetDeck, and Atera.
  • Block egress to remote-access relay and gateway infrastructure from general user endpoints, allowing it only from the managed hosts IT uses for remote support; a finance workstation has no business reaching a ConnectWise relay or a NetSupport gateway.

User Protection

  • Deploy robust Secure Email Gateways (SEGs) to filter out malicious attachments exploiting older CVEs.
  • Monitor endpoint behavior for unusual child processes spawning from Microsoft Office applications.

Security Awareness

  • Train employees to recognize phishing emails containing suspicious attachments or unexpected requests for remote access.
  • Educate IT staff on the risks of legitimate tool abuse and the importance of monitoring RAT usage.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1203 - Exploitation for Client Execution
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1219 - Remote Access Software