
(Don't) TrustConnect: It's a RAT in an RMM hat

Medium
Published: Thu Feb 19 2026 (02/19/2026, 11:10:29 UTC)
Source: AlienVault OTX General

Description

A new malware-as-a-service (MaaS) called TrustConnect has been discovered masquerading as a legitimate remote monitoring and management (RMM) tool. The malware, classified as a remote access trojan (RAT), uses a fake business website as its command and control center and MaaS portal. Priced at $300 per month, it offers features like a web-based C2 dashboard, automated payload generation with digital signatures, and remote desktop capabilities. The malware has been distributed through various email campaigns, often alongside legitimate RMM tools. Proofpoint researchers identified links between TrustConnect's creator and previous users of Redline stealer. The emergence of this new MaaS demonstrates the ongoing evolution of the cybercrime market and the thriving ecosystem of RMM abuse.

AI-Powered Analysis

Last updated: 02/19/2026, 13:06:09 UTC

Technical Analysis

TrustConnect is a remote access trojan (RAT) sold as malware-as-a-service (MaaS) that impersonates legitimate remote monitoring and management (RMM) software. It is marketed through a fake business website that doubles as the command and control (C2) infrastructure and the MaaS portal. For $300 per month, customers get a web-based C2 dashboard, automated payload generation with digital signatures intended to evade detection, and remote desktop control. Distribution is primarily via targeted email campaigns, often bundled with or mimicking legitimate RMM tools so the installer attracts less suspicion. Proofpoint researchers have linked the TrustConnect creator to prior users of the Redline stealer, suggesting an established cybercriminal network behind the operation. Because RMM tools are routinely used by IT administrators for legitimate remote access and management, the malware benefits from the trust placed in them, which complicates detection and response. Indicators of compromise include multiple malicious domains and IP addresses hosting payloads, as well as file hashes associated with the malware. No CVE or known in-the-wild exploit is reported yet; the threat lies in the malware's own capabilities, which let attackers remotely control infected systems, exfiltrate data, and potentially move laterally within networks. The MaaS model lowers the barrier to entry for cybercriminals and fuels the continuing abuse of trusted IT management tools.

Potential Impact

The TrustConnect RAT poses a significant threat to organizations worldwide because it gives attackers persistent, stealthy remote access to compromised systems. Its masquerade as legitimate RMM software raises the likelihood of successful infection and lowers the suspicion of IT staff. Once deployed, attackers can exfiltrate sensitive data, deploy additional malware, conduct espionage, and move laterally within corporate networks. Digitally signed payloads and a professional MaaS portal improve the attackers' operational security and complicate detection by traditional security tools. Distribution via email campaigns alongside legitimate RMM tools increases the risk of widespread compromise, especially in organizations that rely heavily on remote management solutions. The link to Redline stealer users suggests credential theft and follow-on exploitation are likely. Overall, TrustConnect can lead to data breaches, operational disruption, financial loss, and reputational damage, and the MaaS model means a broad range of threat actors, including less skilled ones, can use the tool, increasing the volume and diversity of attacks.

Mitigation Recommendations

Organizations should implement multi-layered defenses specifically tailored to detect and prevent RMM tool abuse. This includes:

1) Strictly verifying the authenticity and source of all remote management software before installation, and never installing it from untrusted domains or emailed links.
2) Employing advanced email filtering and phishing detection to block the campaigns that distribute TrustConnect payloads.
3) Monitoring network traffic for connections to the malicious domains and IP addresses associated with TrustConnect C2 infrastructure, using threat intelligence feeds to keep detection rules current.
4) Implementing application allowlisting to block execution of unknown or unsanctioned MSI installers and payloads.
5) Enforcing least privilege for remote access tools and regularly auditing their usage and configuration.
6) Using endpoint detection and response (EDR) tooling able to identify anomalous remote desktop activity and the process behaviors typical of RATs.
7) Educating IT and security teams about the risks of RMM abuse and the indicators of a TrustConnect infection.
8) Keeping all software updated and patched to reduce the attack surface.
9) Requiring multi-factor authentication (MFA) on all remote access portals to reduce the impact of credential compromise.
10) Running threat hunting exercises focused on RMM tool misuse and lateral movement patterns.


Technical Details

Author: AlienVault
TLP: white
References: https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat
Adversary: null
Pulse Id: 6996efa6c7a901cbcb67660e
Threat Score: null

Indicators of Compromise

IP

192.159.99.83

Hash

URL

Domain

Threat ID: 69970717b557332a80d468cb

Added to database: 2/19/2026, 12:50:31 PM

Last enriched: 2/19/2026, 1:06:09 PM

Last updated: 2/20/2026, 12:29:37 AM

