Key Points
- CAMO (Commercial Applications, Malicious Operations) highlights attackers’ continuous adoption of legitimate IT tools in response to improving security measures.
- The use of legitimate IT tools can bypass security defenses and mislead security personnel during investigations, leading to successful compromises by adversaries.
- IT tools used in CAMO can spread ransomware, conduct network scanning, move laterally across an environment, and establish command-and-control (C2) operations.
- Organizations should leverage GreyMatter Hunt packages to baseline existing IT tools, identify malicious activity, and implement mitigations.
Between January and August 2024, 60% of all the critical hands-on-keyboard incidents ReliaQuest responded to involved legitimate software to advance adversaries’ objectives—a 16% increase from the same period in 2023. While this percentage was derived as a subset of true-positive incidents that had the potential to result in data breaches, theft, or encryption, the findings are significant.
Most cybersecurity professionals are aware that remote monitoring and management tools are abused by adversaries. However, attackers also leverage other legitimate IT tools, such as software deployment tools, backup utilities, and network scanners at various stages of the attack kill chain to avoid arousing suspicion and evade detection.
This growing misuse of commercial applications poses a significant risk to all organizations, regardless of sector or region. However, this attack methodology is not clearly defined within the cybersecurity industry, leaving enterprises at risk of targeting from opportunistic, financially motivated threat actors.
This report defines the abuse of commercial applications for malicious operations (CAMO), explores related cybercriminal discussions, and showcases real-world intrusions using this technique. Our recommendations help manage the risk posed by CAMO and encourage organizations to incorporate countermeasures into their security programs.
Security teams must recognize this threat to discern attempted deception via CAMO tools, triage incidents accurately, and establish policies and controls to prevent misuse. Additionally, security leaders should establish policies and controls to prevent the misuse of these tools. CISOs should also be aware of this threat to procure resources for effective defense and ensure these abused tools are incorporated into planned penetration tests, red team exercises, and risk assessments to verify detection and response plans.
Defining CAMO
CAMO involves exploiting a legitimate software’s intended functionality, allowing adversaries to further their objectives undetected. The tools abused via CAMO are not associated with penetration testing or native operating system utilities and are typically open source, available with free trial licenses, or distributed as cracked versions of licensed software, illegally modified to bypass restrictions or licensing requirements. The technique has similarities to Living off the Land binaries and scripts (LOLBAS), but there are distinct differences (see Figure 1).
Figure 1: CAMO vs. LOLBAS
Using CAMO tools allows attackers to operate undetected by security tools or analysts for several reasons.
- Legitimate use: These tools serve genuine purposes and often come with valid code-signing certificates, enabling them to bypass security policies requiring signed code.
- Lack of comprehensive inventories: Organizations often lack complete inventories of their tools, making it hard for security teams to distinguish between expected tool usage and those being deployed with malicious intent.
- Mistaken for benign activity: Since these are legitimate tools, security teams may mistakenly conclude the activity is a benign part of normal operations.
This complicates threat detection and response, increases dwell time, and heightens the risk of adversaries achieving objectives like data exfiltration and encryption.
Adversaries’ CAMO Preferences
Threat actors on cybercriminal forums frequently discuss abusing legitimate tools. These conversations offer insights into the types of software adversaries prefer, the tools’ advantages, and how attackers evade detection.
For example, in April 2022, a user on the prominent Russian-language forum “XSS” sought to troubleshoot their attempts to deploy an executable file across an environment using the legitimate software deployment tool PDQ Deploy (see Figure 2). Another forum member suggested distributing the executable through a Group Policy update or with the PSExec utility. The exchange highlights how adversaries integrate these benign IT tools into their operations and adapt to challenges, whether technical difficulties with the tool itself or restrictions within the environment.
Figure 2: Forum user asks for advice on resolving PDQ Deploy issues
In another illustrative post from March 2024, a member of the ransomware-focused forum “RAMP” created a thread titled “Data exfiltration” to share a guide on using the command-line program Rclone to steal data via a cloud account with the Mega storage platform. Responses praised the guide and requested more tutorials. In a separate thread on XSS from October 2023, a user asked, “How to upload large amounts of data and remain undetected on the network?” to which another member suggested using Rclone to sync files to a cloud storage service.
Between September 2023 and August 2024, we observed 22 posts on various criminal forums that requested or shared cracked versions of the SoftPerfect network scanner. In an August 2024 XSS thread titled “nmap binary for Windows or an alternative,” users suggested SoftPerfect as another option for scanning. The SoftPerfect network scanner can accomplish the same tasks as Nmap—including identifying ports, services, and file shares—without appearing to be malicious. In May 2024, an XSS user shared their difficulties purchasing the SoftPerfect license due to the strict documentation requirements, including a passport photo and credit card information. To maintain operational security and avoid creating an evidence trail, forum members offered cracked paid versions and activation key generators for free—a common listing on these sites.
RMM tools like AnyDesk and ScreenConnect are also frequently discussed. An August 2024 RAMP post described using AnyDesk during a “penetration test” and suggested disabling secure logon to ensure successful connections. We often see Initial Access Brokers (IABs) advertising and selling access to organizations’ networks via established connections with RMM tools.
The frequency of CAMO-related discussions on forums evidences the methodology’s popularity among adversaries. The widespread sharing of free or cracked versions of legitimate software lowers the barrier to entry for unskilled attackers who wish to use the technique, enabling them to inflict damaging attacks without committing significant resources.
CAMO in the Wild
The following case studies highlight CAMO techniques used by threat actors in real-life incidents. While each technique could have been executed using other tools like malware, command-and-control (C2) frameworks, or LOLBAS, the adversaries specifically chose these tools to blend in with the environment. This helped them avoid raising suspicion, evade identification by security analysts, and deceive users targeted in social engineering attacks.
Execution: Medusa Spreads Ransomware with PDQ Deploy
In June 2024, ReliaQuest investigated multiple endpoint detection and response (EDR) alerts in a customer environment. We found that a threat actor—likely affiliated with the “Medusa” ransomware group—had gained initial access by compromising a virtual private network (VPN) account. They then obtained additional credentials through either cleartext or hashed passwords from OS memory, cache, or databases, a technique known as credential dumping. Ransomware groups typically leverage Windows operating system utilities like PSExec and WMIC to spread and execute ransomware encryptors. In this instance, Medusa used PDQ Deploy with a compromised administrator account to accomplish the same goal. The attacker likely chose PDQ Deploy to blend in with other PDQ tools that were already present in the environment, such as PDQ Inventory, making the execution and network traffic appear normal and not raise suspicion.
Figure 3: PDQ Deploy interface
PDQ Deploy features a user-friendly interface to install applications or patches on multiple Windows hosts simultaneously. The software includes pre-built packages for common applications and allows for the creation of custom packages for specific applications. The tool is available in a free mode with restricted features and the enterprise version is often shared as a cracked copy. In addition to installing applications on hosts, PDQ Deploy can also execute files such as PowerShell scripts, batch files, and executables.
In this incident, Medusa used PDQ Deploy to spread and execute ransomware, which created the file “!!!READ_ME_MEDUSA!!!.txt” on each affected host. This incident underscores how threat actors are responding to the increasing resilience organizations have developed against ransomware attacks by adapting legitimate tools to accomplish their objectives. In this occurrence, the threat actor identified an IT tool used in the environment and chose to use it to spread ransomware as opposed to other techniques more commonly observed during investigations, such as with PSExec.
Mitigation: Implement Network Segmentation
A defense-in-depth model for segmenting networks is a reliable method to mitigate a ransomware attack.
- Create separate zones using Virtual Local Area Networks (VLANs), firewall rules, Access Control Lists (ACLs), and Network Access Controls (NAC).
- Then, place public-facing services like web and mail servers in Demilitarized Zones (DMZ) and separate administrative and management systems from general user workstations.
- Finally, implement data segregation by isolating intellectual property, financial data, customer information, and other critical data types into specific network segments, ensuring only authorized personnel can access data required for their specific job function.
Organizations using operational technology (OT) for their operations can follow the Purdue Model to segment critical systems from the rest of the network to minimize risk and ensure availability.
Lateral Movement: RMM Tools Installed via Total Software Deployment
In April 2023, ReliaQuest responded to attempted ransomware deployment on several systems in a customer environment. Although less recent, this incident featured a notable lateral movement technique: The attacker downloaded the automated software deployment tool “Total Software Deployment” (TSD) to install the RMM tool ScreenConnect on multiple hosts in the environment. By installing ScreenConnect, the attacker facilitated lateral movement, enabling a connection to any of the compromised hosts with the RMM tool installed.
Figure 4: Total Software Deployment user interface
Like PDQ Deploy, TSD offers a user-friendly interface for deploying applications across an environment. TSD is available with a free 60-day trial or can be purchased, with costs varying based on the number of hosts to which TSD will deploy software. Cracked versions of the software are also distributed on criminal forums.
This incident demonstrates how attackers use software deployment tools not only to execute ransomware but also to deploy tools that facilitate lateral movement, providing access to additional hosts. This extended access allows attackers to exfiltrate data from each host, hindering containment efforts and increasing the risk of total compromise of the Windows domain.
The choice to use both a software deployment tool and an RMM tool highlights the attackers’ understanding of enterprise security measures and their efforts to avoid detection. By leveraging tools commonly used by IT departments, attackers can blend malicious actions into routine network operations. These trusted tools often bypass security systems, making it more challenging for traditional defensive measures to identify their misuse.
This incident demonstrates how CAMO tools can hinder detection and blocking mechanisms, as well as security analyst investigations. By using ScreenConnect for lateral movement instead of malware or C2 beacons, attackers make their actions appear legitimate, complicating the task of identifying and responding to the threat. This can enable swifter compromise of and impact to the entire environment in the form of data exfiltration and subsequent encryption for extortion.
Mitigation: Application Whitelisting
In this instance, the threat actor downloaded TSD and ScreenConnect, introducing unfamiliar applications to the environment. Implementing application whitelisting for only authorized IT tools can mitigate the use of CAMO tools downloaded to the environment. To identify expected software, conduct baselining with GreyMatter Hunt packages and enforce acceptable use policies with defined applications.
Options for whitelisting include Windows Defender Application Control (WDAC), AppLocker, Microsoft’s “Intune” Endpoint Manager, or third-party software. Rules can be created to define authorized software based on digital signatures of publishers, directory paths, file hashes, certificates, and filenames.
Discovery and Exfiltration: Inc Ransom Uses SoftPerfect NetScan and Restic
In April 2024, ReliaQuest responded to a customer extortion attempt by the “Inc Ransom” ransomware group. The attacker exploited a public-facing endpoint management server (EMS) SQL injection vulnerability, facilitating initial access. To establish C2, they installed the RMM tool AnyDesk on the compromised server. Our investigation revealed that the threat actor then downloaded and executed the network scanning tool SoftPerfect on the compromised host. SoftPerfect can be used to discover active systems in environments and identify open ports to determine the services running on hosts. SoftPerfect also integrates with Nmap and can be used for vulnerability scanning. This provides adversaries with valuable information about the network, enabling them to move laterally to other hosts and exploit vulnerabilities.
The SoftPerfect Network scanner is available with a free trial license that will only display a maximum of ten scanned devices. During scans, network shares are also listed and accessible through the tool. We have observed threat actors attempting to buy this software and sharing freely cracked versions on cybercriminal forums, showcasing the demand for this tool, likely due to the strict limitations of the free trial version.
Figure 5: SoftPerfect network scanner interface
The attacker then downloaded the backup utility “Restic” and renamed it as “winupdate.exe.” The renamed Restic utility was executed to exfiltrate files to an attacker-controlled server. This renaming tactic indicates the attacker’s effort to evade detection by making the tool appear as a legitimate Windows update executable. Renaming Restic to “winupdate.exe” aimed to avoid raising suspicion from the impacted user, IT staff, or security personnel. Additionally, instead of downloading a malicious port scanning tool that would be detected or routing port scanning traffic through the compromised host with tools like Metasploit Autoroute or Proxychains (which would appear suspicious), the attacker used legitimate tools.
By utilizing the SoftPerfect network scanner, attackers can obtain information about the internal network. The use of the scanner may blend into the environment due to the tool on the surface appearing to be safe and used by administrators. Alternatively, using known malicious network scanners such as Nmap or a PowerShell script may raise suspicion. Furthermore, using a backup utility can evade detection and appear to be normal traffic when the destination is a cloud storage location.
Mitigation: Protect Against Data Exfiltration to the Cloud
To protect against data exfiltration, block unauthorized cloud services at the network level, including Mega, Google Drive, Dropbox, OneDrive, Box, and Amazon S3, among others. Blocking each cloud provider can be cumbersome; an alternative is to block all cloud services by category and allow only expected services. For example, Cisco Umbrella categorizes cloud services as “Cloud Storage,” which can be blocked in the application settings, with expected cloud services added to an allowlist. Additional measures can be taken, such as application whitelisting for authorized backup utilities, monitoring for access to restricted data, and implementing “canary files” to detect when access occurs to sensitive locations.
C2: Black Basta Social Engineering with RMM Tools
In May 2024, ReliaQuest identified a new mass social engineering campaign orchestrated by the “Black Basta” ransomware group. The attack began with the group registering users’ email addresses for various newsletters and mailing lists, causing a flood of spam emails. The threat actors then contacted the affected users, impersonating IT support personnel and persuading them to download remote access software tools like Quick Assist or AnyDesk, under the pretense of resolving the spam email issue.
Black Basta likely chose these specific tools to lend credibility to their impersonation of IT staff and avoid raising suspicion by the targeted users. This tactic illustrates how threat actors leverage legitimate tools and social engineering to gain access to systems, making their malicious activities appear as regular IT support interactions. Conversely, if users were prompted to download a malicious executable or PowerShell script, it could arouse suspicion and trigger detections by security tools.
Figure 6: AnyDesk user interface
AnyDesk is available for free or with licenses that offer additional features for increasing fees. The software allows connections to remote systems either by sending a session invitation or by a remote user providing the AnyDesk ID. Paid features include the ability to hide screen contents from the remote user and manage additional devices. We observed Black Basta using AnyDesk to download malicious files to targeted users’ hosts and capture credentials.
This incident showcases the adoption of legitimate IT tools to deceive users in social engineering attacks. Employees in organizations are familiar with receiving IT support via RMM tools and are comfortable with this method, making it easier for them to unknowingly be misled by a social engineering attack disguised as legitimate support. This campaign highlights Black Basta’s careful consideration in choosing tools that not only deceive security teams but also avoid arousing suspicion from targeted employees by appearing as legitimate IT support personnel.
Mitigation: Permit Only Authorized RMM Tools
After establishing a baseline for expected RMM tools, block access to all unauthorized RMM tool vendors. This can be done individually via a blocklist or by using categories such as the “remote-access” subcategory in Palo Alto. Ensure expected RMM tools are on the allowlist. Further restrict the usage of RMM tools by allowlisting traffic from only approved geographic locations. If a managed service provider (MSP) is used, collect and add authorized IP addresses from the provider to the allowlist.
Threat Forecast
Given the observed usage of these tools in various incidents and their frequent discussions on criminal forums, it is almost certain that the adoption of CAMO by adversaries will persist in the long term (beyond one year). Adversaries will likely continue to use commonly abused legitimate tools, such as AnyDesk and PDQ Deploy, while continually assessing and adopting new legitimate IT tools such as RMM, software deployment, and network scanners. Financially motivated threat actors such as ransomware groups will remain the primary users of legitimate IT tools for malicious activity. These groups need to evade detection, deploy ransomware quickly, and benefit from the cost-effectiveness of these tools. In contrast, nation-state groups such as “Cozy Bear” (“APT 29”) are likely to integrate legitimate behavior into custom malware, such as “CloudDuke,” which uses a Microsoft OneDrive account for exfiltration. Nation-state groups have broader objectives, access to advanced capabilities, and substantial funding, allowing them to incorporate sophisticated tools into their operations.
What ReliaQuest is Doing
To identify the malicious use of commercial software, ReliaQuest offers detection rules via ReliaQuest GreyMatter. To remediate such actions, associated respond playbooks can be executed by ReliaQuest customers or by the ReliaQuest team on the customer’s behalf. For faster containment and remediation, some response actions can be automated, such as blocking unauthorized remote software.
Baselining with GreyMatter Hunt
The use of CAMO tools in an intrusion complicates analyst investigations, making it difficult to differentiate between authorized tools, benign tools that are unaccounted for, and tools being actively leveraged by adversaries. To support informed investigations, organizations should leverage GreyMatter Hunt to establish a baseline of existing tools in their environment. This enables security teams to distinguish between authorized, expected tools, and those that are unauthorized. Once expected IT tools are established, restrict the usage of these tools to only authorized users. For example, AppLocker rule behavior can be configured to allow only specific users or groups to use an application. Adversaries may discern what IT tools are allowed and attempt to only use these tools to bypass whitelisting.