Mesh Agent: A story of the random open-source RMM tool

Threat Analysis: MeshAgent Sleeper RMM and Attempted BDE Key Exfiltration

Initial Information

I wanted to start this off by saying I had never heard of MeshAgent previously up until this point. Essentially it is an open-source RMM tool with a 2010-style UI. It offers capabilities that many other RMM tools offer, which can be used for legitimate purposes as well as malicious ones.

In this post we’re going to go into the lifecycle of the attack, some lessons learned, and key points regarding the initial compromise.


A Forensic Breakdown of “ClickFix”, LotL, and Malicious RMM software

Threat actors are increasingly abandoning custom malware for simple, built-in native binaries. This strategy is known as Living off the Land (LotL). It turns tools that are used for legitimate administrative purposes against the machine, making the activity hard to detect.

Recently, when remediating an incident within an organization, we observed a textbook example of this attack chain. The attack used a clever social engineering tactic known as ClickFix with legacy Windows protocols to establish persistence and deploy rogue RMM software in the environment.
