Admin Dashboard | Image: Proofpoint
A new report from Proofpoint sheds light on TrustConnect, detailing the rise of a new Malware-as-a-Service (MaaS) that hides in plain sight by masquerading as IT software.
Remote Monitoring and Management (RMM) tools are the backbone of modern IT support, allowing administrators to access and fix employee computers from afar. Unfortunately, this exact functionality, unattended remote control of an endpoint, makes them highly attractive to cybercriminals.
According to Proofpoint’s latest analysis, the operators behind TrustConnect have taken this abuse to the next level. Rather than simply hijacking existing tools, they built a RAT (Remote Access Trojan) and dressed it up to look like a brand new enterprise RMM solution.
“Proofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect,” the report reveals.
The threat actors even created a fake corporate website to sell their wares. However, beneath the polished exterior lies a pure cybercrime portal. “The ‘business page’ – clearly created by automated tooling of some kind – is actually the login for the MaaS,” researchers noted. “As of this writing, access was advertised at $300 per month”.
The actors behind TrustConnect are not amateurs. Proofpoint’s intelligence suggests they have deep roots in the credential-stealing underworld.
Following the high-profile disruptions of massive MaaS operations like Redline, Lumma Stealer, and Rhadamanthys, new players have stepped up. Proofpoint found compelling links between the TrustConnect developer and one of these fallen giants.
“Based on details of the malware creator, capabilities of the malware, and knowledge of the ecosystem, we assess with moderate confidence the threat actor behind TrustConnect was also a prominent user of Redline stealer,” the report states.
In collaboration with intelligence partners, Proofpoint successfully disrupted elements of TrustConnect’s infrastructure, aiming to hobble the operation. However, the developers showcased alarming agility.
“Proofpoint, in collaboration with intelligence partners, disrupted some of the malware’s infrastructure, causing an impact to cybercrime activities,” the researchers detailed. “But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect”.
This rapid redevelopment was likely accelerated by artificial intelligence. Proofpoint analysts observed that “Based on website artifacts and functionality, both TrustConnect and DocConnect websites and agents are likely coded with the assistance of AI Agents, but the new version is significantly more advanced”. This highlights a growing trend where threat actors utilize AI to regain momentum rapidly following security takedowns.
The emergence of TrustConnect and its swift successor, DocConnect, shows that demand for stealthy remote-access tools remains strong.
“The RMM abuse ecosystem is thriving,” Proofpoint concludes. “Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors”.
As threat actors continue to blend malicious intent with legitimate-looking software, organizations should treat unexpected “IT support” requests and any remote-access or RMM software not deployed by their own IT team as suspect, and verify such software against an approved list before it is allowed to run.
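The check described above, as an added example that is not part of the Proofpoint report and does not describe TrustConnect's actual installer: a small audit that compares an endpoint's installed-software inventory against an allow-list of approved RMM products. The inventory, product names, publishers and paths below are constructed and hypothetical; in practice the inventory would come from an EDR export, the Windows uninstall registry keys or a service listing. The key design choice is that the allow-list is matched on the verified code-signing subject rather than the display name or publisher string, both of which an attacker who is masquerading as an RMM vendor controls outright.

```python
"""Flag remote-access-style software that is not on an approved RMM allow-list.

Added example; not Proofpoint's code. SAMPLE_INVENTORY is constructed data and
every product, vendor and path in it is a hypothetical assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Display-name words that suggest remote-access or RMM functionality.
REMOTE_ACCESS_HINTS = re.compile(
    r"remote|rmm|connect|support|monitor|agent|access", re.IGNORECASE
)

# Approved RMM products, keyed on (display name, verified code-signing subject).
# The signer comes from signature verification, not from the uninstall entry,
# so a RAT with a convincing name and publisher string still fails this lookup.
# Hypothetical allow-list: replace with the tools your IT team actually deploys.
APPROVED_RMM = {
    ("Example RMM Agent", "Example RMM Vendor, Inc."),
}

# Installs under a user profile did not go through an administrative deployment.
USER_PROFILE_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass(frozen=True)
class InstalledSoftware:
    display_name: str        # attacker-controlled text from the uninstall entry
    publisher: str           # attacker-controlled text from the uninstall entry
    signer: Optional[str]    # subject of a valid Authenticode signature, or None
    install_path: str


def is_remote_access_like(entry: InstalledSoftware) -> bool:
    """True if the display name hints at remote-access functionality."""
    return bool(REMOTE_ACCESS_HINTS.search(entry.display_name))


def classify(entry: InstalledSoftware) -> Optional[str]:
    """Return a finding for suspicious remote-access software, or None if benign/approved."""
    if not is_remote_access_like(entry):
        return None
    if (entry.display_name, entry.signer) in APPROVED_RMM:
        return None
    if entry.signer is None:
        return "remote-access software with no valid code signature"
    if entry.signer != entry.publisher:
        return (f"publisher string '{entry.publisher}' does not match "
                f"code signer '{entry.signer}'")
    if USER_PROFILE_PATH.search(entry.install_path):
        return "remote-access software installed under a user profile, not by IT"
    return "remote-access software not on the approved RMM list"


def audit(inventory: List[InstalledSoftware]) -> List[Tuple[str, str]]:
    """Run classify() over an inventory and return (display name, reason) findings."""
    findings = []
    for entry in inventory:
        reason = classify(entry)
        if reason:
            findings.append((entry.display_name, reason))
    return findings


# Constructed sample inventory (hypothetical products, vendors and paths).
SAMPLE_INVENTORY = [
    InstalledSoftware("Example RMM Agent", "Example RMM Vendor, Inc.",
                      "Example RMM Vendor, Inc.", r"C:\Program Files\ExampleRMM\agent.exe"),
    InstalledSoftware("AcmeConnect Remote Agent", "AcmeConnect Technologies",
                      None, r"C:\Users\alice\AppData\Local\AcmeConnect\agent.exe"),
    InstalledSoftware("Text Editor Pro", "Editor Co.",
                      "Editor Co.", r"C:\Program Files\EditorPro\edit.exe"),
    InstalledSoftware("Remote Support Helper", "Example RMM Vendor, Inc.",
                      "Other Software Ltd.", r"C:\Program Files\Helper\helper.exe"),
    InstalledSoftware("Legacy Remote Desktop Tool", "Legacy Tools GmbH",
                      "Legacy Tools GmbH", r"C:\Program Files\LegacyRDT\rdt.exe"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

On the sample data, the approved agent and the text editor produce no findings; the unsigned agent under a user profile, the tool whose publisher string claims the approved vendor but is signed by someone else, and the signed-but-unapproved remote desktop tool are each reported with a distinct reason, so a responder can prioritise the masquerading case over a merely unapproved one.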