EXECUTIVE SUMMARY
Threat actors have been observed using a lesser-known remote monitoring and management (RMM) tool called Tiflux in a growing number of attacks against various organisations. The threat actors behind these incidents aim to establish persistence, transmit screenshots, and run commands to collect system profiling information, ultimately leading to unauthorized access and credential theft. Tiflux is being used in conjunction with other RMMs, including UltraVNC, Splashtop, and ScreenConnect, to form webs of persistent access to compromised internal devices. The threat actors continue to test and weaponize the use of commercial remote access management tools, making it increasingly difficult for organisations to detect and respond to these types of attacks.
The Tiflux installer, which is cryptographically signed by Tiflux Sistema de Gestão LTDA, contains various components of the RMM, including TiAgent and TiPeerToPeer. The installer also includes outdated and suspicious components, such as a vulnerable HwRwDrv.sys driver associated with privilege elevation and signed with long-expired certificates. Once the target installs the Tiflux agent, the threat actor behind the campaign uses a capability in Tiflux to push down ScreenConnect and/or Splashtop to the target's computer. The two RMMs then connect to the servers used to manage them, transmit screenshots, and run commands to collect system profiling information and interrogate the operating system.
The use of Tiflux in these attacks is a concerning trend, as it allows threat actors to gain remote access to a target's machine and establish persistence. The outdated and suspicious components included in the installer increase the risk beyond simple remote access alone. Organisations should be aware of the potential risks associated with using commercial RMM tools and take steps to detect and prevent these types of attacks. This includes regularly auditing authorised RMMs, reviewing logs for RMM activity, and implementing strict application controls to block unauthorized software.
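To make the audit-and-review recommendation concrete, the following Python example (added here; it is not code from the Huntress report, from Tiflux, or from any of the RMM vendors) runs three checks over endpoint telemetry: an RMM component that is not on the organisation's approved list, one RMM spawning a different RMM's binary (the Tiflux to ScreenConnect/Splashtop push described above), and a load of the HwRwDrv.sys driver. The event records, file paths, host names and field layout are constructed assumptions for the example; only the product and component names come from the summary above.

```python
"""Audit endpoint telemetry for RMM tooling outside the approved list.

Added illustration, not code from the Huntress report or from Tiflux. The
event records at the bottom are constructed to resemble process-creation,
service-install and driver-load telemetry; the field layout, sample paths
and host names are assumptions. Only the product and component names
(Tiflux, TiAgent, TiPeerToPeer, ScreenConnect, Splashtop, UltraVNC,
HwRwDrv.sys) are taken from the report summary.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath  # splits backslash paths correctly even when run on Linux

# Substring expected in an image path or service binary -> product it belongs to.
RMM_SIGNATURES = {
    "tiflux": "Tiflux",
    "tiagent": "Tiflux",
    "tipeertopeer": "Tiflux",
    "screenconnect": "ScreenConnect",
    "splashtop": "Splashtop",
    "ultravnc": "UltraVNC",
}

# Driver bundled with the Tiflux installer that the report flags as vulnerable.
SUSPICIOUS_DRIVERS = {"hwrwdrv.sys"}


@dataclass(frozen=True)
class Event:
    kind: str           # "process", "service" or "driver"
    host: str
    image: str          # process image, service binary or driver path
    parent: str = ""    # parent image (process events only)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str           # "unapproved_rmm", "rmm_chain" or "vulnerable_driver"
    detail: str
    image: str


def identify_rmm(path: str) -> Optional[str]:
    """Return the RMM product a path belongs to, or None if it is not an RMM."""
    lowered = path.lower()
    for needle, product in RMM_SIGNATURES.items():
        if needle in lowered:
            return product
    return None


def audit(events: Iterable[Event], approved: Iterable[str]) -> List[Finding]:
    """Flag RMM activity the organisation did not authorise.

    1. any RMM component whose product is not on the approved list;
    2. one RMM spawning a different RMM's binary, reported even when both
       products are approved, because an RMM pushing a second RMM is the
       pattern the report describes;
    3. a load of the vulnerable HwRwDrv.sys driver.
    """
    allowed = {name.lower() for name in approved}
    findings: List[Finding] = []
    for ev in events:
        product = identify_rmm(ev.image)
        if product and product.lower() not in allowed:
            findings.append(Finding(ev.host, "unapproved_rmm", product, ev.image))
        if ev.kind == "process" and product:
            parent_product = identify_rmm(ev.parent)
            if parent_product and parent_product != product:
                findings.append(Finding(ev.host, "rmm_chain",
                                        f"{parent_product}->{product}", ev.image))
        if ev.kind == "driver" and ntpath.basename(ev.image).lower() in SUSPICIOUS_DRIVERS:
            findings.append(Finding(ev.host, "vulnerable_driver",
                                    ntpath.basename(ev.image), ev.image))
    return findings


# Constructed sample telemetry: WS-01 shows the chain the report describes,
# WS-02 runs an approved RMM started normally by the service control manager.
SAMPLE_EVENTS = [
    Event("service", "WS-01", r"C:\Program Files\Tiflux\TiAgent.exe"),
    Event("process", "WS-01", r"C:\Program Files\Tiflux\TiPeerToPeer.exe",
          parent=r"C:\Program Files\Tiflux\TiAgent.exe"),
    Event("process", "WS-01", r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
          parent=r"C:\Program Files\Tiflux\TiAgent.exe"),
    Event("driver", "WS-01", r"C:\Windows\Temp\HwRwDrv.sys"),
    Event("process", "WS-02", r"C:\Program Files\Splashtop\SplashtopStreamer.exe",
          parent=r"C:\Windows\System32\services.exe"),
]
APPROVED_RMMS = ["Splashtop"]  # assumption: only Splashtop is sanctioned here

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS, APPROVED_RMMS):
        print(f"{f.host:6} {f.rule:17} {f.detail:24} {f.image}")
```

Run as-is, the script reports three unapproved components on WS-01 (TiAgent, TiPeerToPeer, ScreenConnect), one Tiflux-to-ScreenConnect chain, and the HwRwDrv.sys load, and nothing on WS-02. The chain and driver checks fire regardless of the approved list, so adding Tiflux and ScreenConnect to it still leaves two findings; in a real deployment the allowed products and the path substrings would come from the organisation's own RMM inventory.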
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1095 | Non-Application Layer Protocol | — |
REFERENCES:
reports contain further technical details:
https://www.huntress.com/blog/tiflux-rmm-install