If the link is clicked, the target is directed to a malicious website, hxxps://micronetmx[.]com/Docs, which automatically downloads an executable named “Docx_xlxs-rqs[.]exe.” Clicking the “Open file” link then installs the LogMeIn Resolve RMM tool, giving threat actors remote control of the compromised device. Further analysis reveals that the executable establishes persistence, queries BIOS and system information from the registry, enumerates the applications installed on the system, and drops files into the System32 directory. Because RMM tools are legitimate, commonly signed software, their installation is often not flagged by anti-virus products, so weak organizational IT policies that do not restrict which remote-access tools may run leave the abuse unnoticed. The malicious use of RMM tools can lead to unauthorized access, persistent backdoor access, lateral movement to critical systems and cloud accounts, the deployment of other malware and ransomware, and data leakage.
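The following PowerShell hunting script is an added example and is not part of the NJCCIC report. It checks a Windows host for the artifacts the paragraph above describes: an installed or running RMM product, autostart persistence, a copy of the downloaded executable, and recently written binaries in System32. LogMeIn Resolve and the filename Docx_xlxs-rqs.exe come from the report; the other product names in $RmmPatterns, the 72-hour look-back window, and the report layout are assumptions made for illustration, and any hit still needs manual review because legitimate software updates also write to System32.

```powershell
# Added hunting example (not from the advisory). Run in an elevated PowerShell session.
# Assumptions: the RMM name patterns other than LogMeIn/Resolve, the look-back window,
# and the shape of the returned report are illustrative choices, not report content.
[CmdletBinding()]
param(
    [string[]]$RmmPatterns = @('LogMeIn', 'Resolve', 'AnyDesk', 'ScreenConnect', 'Atera', 'Splashtop'),
    [string]$DropperName  = 'Docx_xlxs-rqs',   # filename reported in the advisory (defanged there)
    [int]$LookBackHours   = 72
)

$since = (Get-Date).AddHours(-$LookBackHours)
$regex = ($RmmPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed applications: 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $regex } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation

# 2. Services and processes whose name, path or command line match an RMM pattern.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -match $regex -or $_.PathName -match $regex } |
    Select-Object Name, DisplayName, State, StartMode, PathName
$processes = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $regex -or $_.CommandLine -match $regex } |
    Select-Object ProcessId, Name, CommandLine

# 3. Persistence: Run/RunOnce values and scheduled tasks pointing at an RMM binary.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to registry objects.
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { $_.Execute }) -match $regex } |
    Select-Object TaskName, TaskPath, State

# 4. The downloaded executable itself, anywhere under the user profiles.
$dropper = Get-ChildItem -Path 'C:\Users' -Recurse -File -Filter "$DropperName*.exe" -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# 5. Recently written binaries in System32, with their Authenticode status. Unsigned or
#    recently written files here are leads, not proof: Windows updates write here too.
$system32 = Join-Path $env:windir 'System32'
$recentDrops = Get-ChildItem -Path (Join-Path $system32 '*') -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Signature     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

# Assemble a single report object so it can be exported (e.g. Export-Clixml) for IR.
$report = [pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Checked       = Get-Date
    RmmApps       = @($apps)
    RmmServices   = @($services)
    RmmProcesses  = @($processes)
    Autoruns      = @($autoruns | Where-Object { $_.Command -match $regex })
    RmmTasks      = @($tasks)
    DropperFiles  = @($dropper)
    RecentSystem32 = @($recentDrops)
}

$hits = $report.RmmApps.Count + $report.RmmServices.Count + $report.RmmProcesses.Count +
        $report.Autoruns.Count + $report.RmmTasks.Count + $report.DropperFiles.Count
Write-Host ("[{0}] RMM/dropper indicators: {1}; System32 files written in last {2}h: {3}" -f
    $report.Host, $hits, $LookBackHours, $report.RecentSystem32.Count)
$report
```

Run it as an administrator on a suspect host and export the returned object (for example with `Export-Clixml`) before remediation so the evidence survives the reinstall. Unsigned or unexpected-publisher entries in RecentSystem32, and any RMM product that IT did not deploy, are the items to escalate; a signed LogMeIn binary is still a finding if the organization never authorized it.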
Recommendations
- Exercise caution with unexpected communications, even those that appear to come from known senders or legitimate platforms such as Docusign.
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
- Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.
- Enable multi-factor authentication (MFA) and keep systems and browsers up to date.
- If victimized, disconnect from the internet, remove any RMM software that was installed without authorization, and run anti-virus/anti-malware scans.
- If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts.
- Review Docusign’s webpage for additional security concerns, recommendations, and reporting.
- Report malicious cyber activity to the NJCCIC and the FBI's IC3.
