Malware as a service (MaaS) is another of the major problems in global cybersecurity, since it allows cybercriminals to carry out malicious campaigns without having the skills to develop their own malware.
The phenomenon is defined by the purchase or rental of malware for cyber attacks. It is highly profitable both for its creators and for the subscribers of these affiliate schemes, which give low-level attackers the ability to distribute and manage campaigns of the kind we had until now known mainly as ransomware as a service or phishing as a service.
Malware as a service, other avenues of action
Proofpoint has warned of a malicious campaign that varies the attack method by impersonating legitimate remote management software. In the security firm's view, this demonstrates once again how cybercriminals are increasingly using the aesthetics of legitimate business tools, other elements of trust, and the assistance of AI to accelerate innovation in their crimes.
This time it is a new malware-as-a-service (MaaS) platform, TrustConnect, which presents itself as enterprise IT software for remote monitoring and management (RMM) but is actually a remote access trojan (RAT).
TrustConnect works as a backdoor with remote desktop, file transfer, and command execution capabilities. Created last January, the malware's domain (trustconnectsoftware(.)com) presented itself as a commercial website designed to convince users that it was a legitimate RMM application, offering false customer statistics and software documentation, although it actually functioned as the MaaS login page. Proofpoint suspects that the cybercriminals used a large language model (LLM) to create the site.
They even obtained a legitimate extended validation (EV) code signing certificate to digitally sign the malware, which helped them bypass security controls before researchers coordinated its revocation. Obtaining these EV certificates is quite expensive and requires additional levels of validation of the domain owner. Attackers can pay malicious vendors for them or create them themselves.
Although TrustConnect only posed as a legitimate RMM, subsequent honeypots, attack chains, and payloads indicate an overlap with techniques and delivery methods seen in RMM campaigns by multiple threat actors. These campaigns used a variety of topics as lures, including taxes, document sharing, meeting invitations, events, and government affairs. The MaaS provided templates for many different types of brand abuse.
Proofpoint, in collaboration with other intelligence partners, managed to disrupt part of the malware infrastructure, impacting the cybercriminals' activities. The attackers, however, demonstrated resilience: another rebranded version of the rogue RMM, DocConnect, was identified, which they quickly began testing.
The TrustConnect and DocConnect websites were likely developed with the assistance of AI agents. “This underlines how cybercriminals are actively adopting this technology to their advantage, mirroring the trend of its use in society at large,” the researchers explain.
