Ransomware groups are increasingly turning to legitimate Remote Access Tools (RATs) such as AnyDesk, UltraViewer, RustDesk, Splashtop, and TightVNC to gain persistence, spread laterally, and evade defenses, according to a new analysis by Seqrite Threat Intelligence.
The report highlights that “a key enabler of these attacks is the exploitation of legitimate Remote Access Tools such as AnyDesk, UltraViewer, AppAnywhere, RustDesk, CloneDesk, Splashtop, and TightVNC.” These tools—originally designed for IT administration and remote support—are often whitelisted by organizations, making them highly attractive to adversaries who want stealthy and trusted access.
Seqrite researchers broke down how attackers misuse these tools across the ransomware kill chain:
- Initial Access: “Attackers gain legitimate access using stolen or brute-forced credentials, bypassing defenses while appearing as trusted users.” Indicators include suspicious RDP logins at odd hours or from unusual geolocations.
- Remote Tool Abuse: Once inside, adversaries either hijack an existing installation or silently deploy a RAT. The report explains: “They can either hijack an existing Remote Access Tool to avoid detection or perform a silent installation using signed installers with minimal footprint.”
- Persistence & Privilege Escalation: Registry run keys, hidden scheduled tasks, and configuration tweaks enable stealthy persistence. Tools like PowerRun are used to launch RATs with SYSTEM privileges.
- Antivirus Neutralization: Seqrite observed attackers stopping AV services and clearing logs: “Critical logs are cleared, and file shredding tools are used to remove forensic evidence, making post-incident investigation difficult.”
- Payload Deployment & Lateral Movement: With RATs in place, attackers can deliver ransomware disguised as trusted updates, then propagate via credential reuse or enterprise-wide RAT deployments.
- Final Impact: “Ransomware payload execution triggers data encryption, account lockouts, and Remote Access Tool credential changes to block administrative remediation.”
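To make the stages above concrete from the defender's side, here is an added example, not Seqrite's code and not part of the original analysis: a small Python detection pass over constructed endpoint telemetry that tags each hit with the kill-chain stage it corresponds to (off-hours or external RDP logon, silent Remote Access Tool install, Run-key persistence pointing at a RAT binary, AV service stop, event-log clearing). The event schema, the sample records, the executable-name keywords, the Defender service names and the business-hours window are all assumptions chosen for illustration.

```python
"""Detection pass over constructed endpoint telemetry, mapping hits to the
kill-chain stages described in the Seqrite report.

Added illustration, not Seqrite's code. The event schema, the sample events,
the executable-name keywords and the service names are assumptions.
"""
import re
from datetime import datetime

# Product-name fragments expected in the image path or command line of the
# Remote Access Tools named in the report (assumed on-disk names; tvnserver
# is the TightVNC server process).
RAT_KEYWORDS = ("anydesk", "ultraviewer", "appanywhere", "rustdesk",
                "clonedesk", "splashtop", "tightvnc", "tvnserver")

# Unattended-install switches used by common Windows installer frameworks.
SILENT_RE = re.compile(
    r"(?:^|\s)(?:/S|/silent|/quiet|/verysilent|--silent|--quiet)(?=\s|$)", re.I)

# "net stop <svc>" / "sc stop <svc>" followed by an endpoint-protection service.
SERVICE_STOP_RE = re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)
AV_SERVICES = {"windefend", "wdnissvc", "sense"}  # Microsoft Defender; extend per vendor

# Event-log clearing via wevtutil or the PowerShell cmdlet.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b|\bclear-eventlog\b", re.I)

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)


def mentions_rat(text):
    """True if any known Remote Access Tool name appears in the text."""
    low = text.lower()
    return any(k in low for k in RAT_KEYWORDS)


def detect(events, business_hours=(7, 19), internal_prefixes=("10.", "192.168.")):
    """Return (stage, time, detail) tuples, in event order, for suspicious events."""
    findings = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "logon" and ev.get("logon_type") == RDP_LOGON_TYPE:
            off_hours = not (business_hours[0] <= t.hour < business_hours[1])
            external = not ev["src_ip"].startswith(internal_prefixes)
            if off_hours or external:
                why = "off-hours" if off_hours else "external source"
                findings.append(("initial_access", ev["time"],
                                 f"RDP logon by {ev['user']} from {ev['src_ip']} ({why})"))
        elif ev["type"] == "process":
            cmd = ev["cmdline"]
            if mentions_rat(ev["image"]) and SILENT_RE.search(cmd):
                findings.append(("remote_tool_abuse", ev["time"], f"silent RAT install: {cmd}"))
            m = SERVICE_STOP_RE.search(cmd)
            if m and m.group(1).lower() in AV_SERVICES:
                findings.append(("av_neutralization", ev["time"], f"AV service stopped: {cmd}"))
            if LOG_CLEAR_RE.search(cmd):
                findings.append(("av_neutralization", ev["time"], f"event log cleared: {cmd}"))
        elif ev["type"] == "registry":
            # Run-key persistence whose target is a Remote Access Tool binary.
            if ev["key"].lower().endswith(r"\currentversion\run") and mentions_rat(ev["data"]):
                findings.append(("persistence", ev["time"], f"Run key -> {ev['data']}"))
    return findings


def summarize(findings):
    """Count findings per kill-chain stage."""
    counts = {}
    for stage, _, _ in findings:
        counts[stage] = counts.get(stage, 0) + 1
    return counts


# Constructed sample telemetry; not taken from any real incident.
SAMPLE_EVENTS = [
    {"type": "logon", "time": "2024-05-02T03:14:00", "user": "svc_backup",
     "logon_type": 10, "src_ip": "203.0.113.45"},
    {"type": "process", "time": "2024-05-02T03:20:00", "user": "svc_backup",
     "image": r"C:\Users\svc_backup\Downloads\AnyDesk.exe",
     "cmdline": r'AnyDesk.exe --install "C:\ProgramData\AnyDesk" --silent'},
    {"type": "registry", "time": "2024-05-02T03:21:00", "user": "svc_backup",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"type": "process", "time": "2024-05-02T03:25:00", "user": "svc_backup",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop WinDefend"},
    {"type": "process", "time": "2024-05-02T03:26:00", "user": "svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"type": "process", "time": "2024-05-02T10:02:00", "user": "jdoe",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe a reports.zip reports"},
    {"type": "logon", "time": "2024-05-02T10:05:00", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.0.25"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for stage, when, detail in hits:
        print(f"{when}  {stage:<20} {detail}")
    print(summarize(hits))
```

In practice the records would come from Sysmon or an EDR rather than a hand-built list, and the silent-install rule is where the report's whitelisting point bites: an allowlisted, signed AnyDesk installer still deserves an alert when it is launched from a user's Downloads folder by a service account at 03:20, so tune the rule on install path, launching account and time of day rather than suppressing it for every signed binary.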
Seqrite’s analysis links RAT abuse to major ransomware families. For example:
- AnyDesk has been used in LockBit, Phobos, Dharma, MedusaLocker, and Mallox campaigns.
- UltraViewer was linked to Beast, CERBER, and GlobeImposter 2.0.
- RustDesk appeared in Mimic, LockXXX, and Dyamond attacks.
- Splashtop was leveraged in Makop, BlueSky, and RansomHub operations.
By piggybacking on trusted, signed software, attackers camouflage malicious activity as ordinary administrative actions.
The report emphasizes that these tools are not inherently malicious but can become powerful weapons if left unmonitored. Seqrite warns: “Organizations often whitelist Remote Access Tools and trust their digital signatures, which attackers exploit to bypass security controls and persist stealthily.”