Hackers Turn Remote Access Tools into Stealthy Backdoors

HP report reveals how cybercriminals abuse legitimate software to infiltrate companies without raising suspicion

June 17, 2026 · 4 min read

TL;DR: HP reveals that hackers are using legitimate remote access tools as stealthy backdoors, leveraging fake downloads to infiltrate corporate devices undetected.

HP has released its latest threat report for the second quarter of 2024, warning about a growing trend: cybercriminals are abusing legitimate remote access tools such as AnyDesk, TeamViewer, and LogMeIn to establish stealthy backdoors on corporate devices. According to the report, these attacks do not resemble typical intrusions, because the network and process activity these tools generate is hard to tell apart from ordinary support use. Attackers also rely on fake downloads of popular software (browser updates, productivity apps) to trick users into installing the remote access tool together with malware. HP Wolf Security's report analyzed data from millions of endpoints and found that 89% of threats detected in the quarter arrived as archives or Office documents, and that the use of remote access tools as an attack vector increased by 27% compared to the previous quarter.

What happened?

The technique, known as "living off the land" (LotL), is not new, but its adoption by ransomware groups and advanced persistent threat (APT) actors has grown significantly. Instead of developing custom malware, attackers rely on legitimate tools that are already present on systems or that users can be persuaded to install; strictly, LotL refers to the former, and attacker-installed commercial remote access software extends the same idea. In this case they abuse digitally signed remote access applications: because the binaries carry a valid vendor signature and are widely used for legitimate support, signature-based security controls have no reason to block them. HP's report highlights that the attacks begin with fake downloads: users are redirected to sites mimicking browser update pages (Chrome, Edge) or productivity apps (Microsoft Teams, Zoom), and the downloaded installer deploys malware alongside the legitimate tool. Once the tool is installed, the attacker can connect remotely and execute commands, steal credentials, or deploy ransomware. HP identified several active campaigns using this tactic, including one targeting companies in the financial sector in Europe and Latin America.

Why is it important?

This technique represents a significant shift in the threat landscape. Traditionally, a backdoor meant custom malware, which antivirus products could eventually fingerprint and block. By using legitimate tools, attackers sidestep that detection: the software is digitally signed, and its network connections and process activity look like normal support sessions. Moreover, the rise of remote work has increased the use of these tools, giving attackers ample legitimate traffic to hide in. According to Statista, the remote access software market grew by 15% in 2023 and is expected to reach $6 billion by 2025, an expanding attack surface. The consequences can be severe: data theft, ransomware deployment, or prolonged espionage without detection. HP's report cites a case where a ransomware group used AnyDesk to maintain persistent access to a logistics company for over six months, extracting customer data before encrypting systems.

Consequences for businesses and users

Organizations must rethink their security strategies. It is no longer enough to assume that legitimate, signed software is safe. IT teams need to keep an inventory of which remote access tools are sanctioned, monitor their use, apply application allowlisting, and segment networks to limit lateral movement. Users, on the other hand, should be trained to identify fake downloads and report any suspicious activity. HP recommends implementing behavior-based anomaly detection that can identify unusual patterns even in legitimate traffic. For example, if an employee who never uses TeamViewer suddenly logs in through it from a foreign IP address, that should trigger an alert; so should a remote access tool running from a user's Downloads folder rather than the location the corporate installer uses. Companies should also review their software provisioning policies: allow installation only from corporate repositories and block unauthorized software installation. The cost of not doing so can be high: according to IBM's 2024 Cost of a Data Breach report, the average cost of a breach is $4.88 million, and the average time to identify and contain one is 258 days.

What should readers know?

  • Remote access tools are a growing attack vector; they should not be ignored in security audits. HP's report shows that 23% of investigated incidents involved remote access software.
  • Fake downloads are the primary delivery method; always verify the official software source. HP found that 40% of fake downloads mimic Chrome updates.
  • Traditional security solutions may not detect these threats; consider EDR and behavior analysis. EDR tools can flag suspicious process ancestry, such as cmd.exe or PowerShell spawned by an AnyDesk session, as well as the lateral movement that typically follows.
  • User education is key to preventing initial installation. Internal phishing simulations can reduce click rates on fake downloads by up to 70%.

"These attacks do not look like intrusions" — HP Threat Report
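The detection ideas above (a shell spawned from a remote-access session, first-time use of a remote access tool by a user from an unexpected country, and a tool binary running outside the managed install locations) as one worked example over constructed endpoint telemetry. This is added example code, not HP's or any vendor's: the event schema, field names, hostnames, usernames, IP addresses, country codes and the baseline are all assumptions made for illustration.

```python
"""Behaviour-based detection of remote access tool abuse over endpoint telemetry.

Added example (not from HP's report or any vendor). The event schema is an
assumption: real EDR/SIEM feeds carry the same fields under other names.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Image names of legitimate remote access tools worth baselining (lower-case).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe", "logmein.exe"}
# Shells and script hosts that a remote support session rarely needs to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
# Where a tool provisioned from the corporate repository is expected to live (assumed).
MANAGED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Countries the hypothetical company's staff normally connect from (assumed).
EXPECTED_COUNTRIES = {"ES", "MX"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def image_name(path: str) -> str:
    """Return the lower-case executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict], baseline: Dict[str, Set[str]]) -> List[Alert]:
    """Apply three rules to a stream of process-creation and tool-login events.

    baseline maps user -> remote access tools that user has used historically;
    it is what lets "an employee who never uses TeamViewer" be evaluated.
    """
    alerts: List[Alert] = []
    for ev in events:
        if ev["type"] == "process":
            parent = image_name(ev["parent_image"])
            child = image_name(ev["image"])
            # Rule 1: interactive shell or script host spawned by a remote access tool.
            if parent in REMOTE_ACCESS_TOOLS and child in SUSPICIOUS_CHILDREN:
                alerts.append(Alert("shell_from_remote_session", ev["host"], ev["user"],
                                    f"{parent} -> {child}: {ev['cmdline']}"))
            # Rule 2: remote access tool running outside the managed install locations,
            # the footprint of a user-downloaded (possibly fake) installer.
            if child in REMOTE_ACCESS_TOOLS and not ev["image"].lower().startswith(MANAGED_INSTALL_PREFIXES):
                alerts.append(Alert("unmanaged_install_path", ev["host"], ev["user"], ev["image"]))
        elif ev["type"] == "login":
            tool = ev["tool"].lower()
            # Rule 3: first ever use of this tool by this user AND from a country the
            # company does not operate from. First use from an expected country is left
            # alone here; a production rule might raise it at low severity instead.
            if tool not in baseline.get(ev["user"], set()) and ev["src_country"] not in EXPECTED_COUNTRIES:
                alerts.append(Alert("first_use_from_unexpected_country", ev["host"], ev["user"],
                                    f"{tool} login from {ev['src_ip']} ({ev['src_country']})"))
    return alerts


# Constructed sample telemetry (not real data): hosts, users, IPs are invented and
# "XX" is a placeholder country code.
SAMPLE_BASELINE: Dict[str, Set[str]] = {"msmith": {"teamviewer"}, "jdoe": set()}
SAMPLE_EVENTS = [
    # Benign: TeamViewer spawns its own desktop component from the managed location.
    {"type": "process", "host": "WS-042", "user": "msmith",
     "parent_image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe",
     "image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer_Desktop.exe",
     "cmdline": "TeamViewer_Desktop.exe"},
    # Suspicious: a TeamViewer session spawns cmd.exe for domain reconnaissance.
    {"type": "process", "host": "WS-017", "user": "jdoe",
     "parent_image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami & net group \"domain admins\" /domain"},
    # Suspicious: AnyDesk launched from the Downloads folder, i.e. not provisioned by IT.
    {"type": "process", "host": "WS-017", "user": "jdoe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    # Benign: a known TeamViewer user connecting from an expected country.
    {"type": "login", "host": "WS-042", "user": "msmith", "tool": "TeamViewer",
     "src_ip": "203.0.113.10", "src_country": "ES"},
    # Suspicious: jdoe has never used AnyDesk, and the session originates elsewhere.
    {"type": "login", "host": "WS-017", "user": "jdoe", "tool": "AnyDesk",
     "src_ip": "198.51.100.77", "src_country": "XX"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"[{a.rule}] host={a.host} user={a.user} {a.detail}")
```

Run against the sample, the script raises three alerts, all on host WS-017 for user jdoe, and stays silent on the two benign events. The point worth noticing is that none of the three rules inspects the tool itself; each compares an observation against a baseline of what sanctioned use looks like (approved tools, their install locations, per-user history), which is exactly the context a signature-based control lacks. In a real deployment the process events would come from EDR or Sysmon process-creation telemetry (Sysmon Event ID 1 carries the parent image and command line used here) and the login events from the tool's own connection logs or the network gateway.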

HP's report underscores the need for defense in depth, including continuous monitoring, restricted access policies, and ongoing training. As attackers become more sophisticated, companies must anticipate and adapt their defenses. Compared with earlier LotL tradecraft built on PowerShell or WMI, the abuse of remote access tools is a qualitative leap, because the attacker's session is carried by software the organization itself may have approved. Collaboration between remote access software vendors and security companies is also crucial: for example, TeamViewer has implemented anomalous usage detection features in its enterprise version. However, the ultimate responsibility lies with organizations, which must treat these tools like any other risk vector and apply appropriate controls.