type: concept | confidence: high | created: 2026-06-07 | updated: 2026-06-07 | tags: c2, defense-evasion, remote-access-tool-abuse, malware-family

Legitimate remote-access tool abuse

Malware operators repurpose, re-bundle, or re-configure legitimate commercial remote-access tools (TeamViewer, AnyDesk, NetSupport Manager, ConnectWise ScreenConnect, etc.) to gain covert persistent access, leveraging the tools' own trust signals (valid signatures, known processes, allowed firewall rules) to evade detection.

Pattern definition

Unlike custom-coded RATs (AsyncRAT, Quasar, Remcos), this pattern involves real, vendor-signed binaries that are either:

  1. Repacked / bundled inside a masqueraded installer (e.g., Inno Setup bundling NetSupport with attacker-controlled gateway config)
  2. Reconfigured with attacker-controlled C2 parameters (gateway IP, relay host, session key)
  3. Staged via a custom bootstrapper that pre-trusts the publisher certificate so the tool installs silently

The attacker does not need to write a RAT — they only need to control the configuration and initial delivery vector.

Variants observed

Family                  | Legitimate Tool           | Abuse Mechanism                                                   | Key Indicator
------------------------|---------------------------|-------------------------------------------------------------------|--------------------------------------------------------
netsupport-inno-dropper | NetSupport Manager        | Inno Setup installer with attacker-controlled gateway .cif config | Client32.ini with foreign gateway IP
connectwise             | ConnectWise ScreenConnect | Custom ClickOnce bootstrapper + certificate trust injection       | TrustedPublisher store manipulation + dfshim invocation

Detection principles

  • Process ancestry: Legitimate remote-access binaries spawned from unusual parents (e.g., %TEMP%\random.exe, wscript.exe, powershell.exe).
  • Config divergence: NetSupport gateway configs or ScreenConnect .application URLs pointing to non-org infrastructure.
  • Certificate trust anomalies: Non-installer processes writing to TrustedPublisher or ROOT stores.
  • Network: Outbound connections from known remote-access processes to new/unexpected IPs.
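The first two principles (process ancestry and config divergence) as an added Python example that is not part of this note: the remote-access image names, the list of suspicious parents, the org gateway range, the Sysmon-style event tuples and the Client32.ini contents are all constructed assumptions for illustration.

```python
import configparser
import ipaddress

# Assumed image names of the legitimate tools the note discusses.
REMOTE_ACCESS_IMAGES = {"client32.exe", "screenconnect.clientservice.exe",
                        "teamviewer.exe", "anydesk.exe"}
# Parents the note calls out as unusual ancestors for those binaries.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumed org-managed gateway range; anything outside it is "foreign".
ORG_GATEWAY_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_ancestry(image: str, parent_image: str) -> bool:
    """Remote-access binary launched by a scripting host or from a %TEMP% path."""
    if _basename(image) not in REMOTE_ACCESS_IMAGES:
        return False
    return (_basename(parent_image) in SUSPICIOUS_PARENTS
            or "\\temp\\" in parent_image.lower())

def foreign_gateways(client32_ini: str) -> list[str]:
    """Gateway hosts in a Client32.ini that fall outside the org's gateway ranges."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(client32_ini)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):   # keys are lower-cased by ConfigParser
            if "gateway" not in key:           # e.g. GatewayAddress, SecondaryGateway
                continue
            host = value.split(":")[0].strip() # drop a :port suffix (IPv4/hostname only)
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:                 # hostname: cannot match a range, flag it
                found.append(host)
                continue
            if not any(addr in net for net in ORG_GATEWAY_NETS):
                found.append(host)
    return found

# Constructed samples: a client32.exe started by a dropper in %TEMP%, a benign
# TeamViewer launch from explorer.exe, and a Client32.ini pointing off-network.
SAMPLE_EVENTS = [(r"C:\ProgramData\NSM\client32.exe",
                  r"C:\Users\bob\AppData\Local\Temp\setup_4f2a.exe"),
                 (r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
                  r"C:\Windows\explorer.exe")]
SAMPLE_CLIENT32_INI = "[HTTP]\nGatewayAddress=203.0.113.45:443\n" \
                      "SecondaryGateway=gw.example.net\n[General]\nQuiet=1\n"
```

On the constructed samples only the %TEMP%-spawned client32.exe trips the ancestry check, and both gateway entries are reported as foreign; replace the allowlist and image names with your own inventory before using it against real telemetry.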

Cross-references