This documents hunting for delivery sites that connect to api.telegram[.]org, finding a GoTo RMM installer delivered as malware, and developing masq-monitor and Snort/Suricata detections.

Tactical Pause

THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.

The Flow

I was searching for urlscan.io tasks that called out to api.telegram[.]org. I found this interesting bunch that presents a fake PDF-download landing page, and then serves the GoTo (LogMeIn) RMM as "Invoice_INV-00764-Q2-StrategicServices-2025.pdf.exe". I thought it was interesting because the Telegram Bot is configured to send "#———[ Malware Downloaded ]———–#".

You can monitor this with the following urlscan.io query: filename:"success.html" AND domain:vercel.app

https://urlscan.io/search/#filename%3A%22success.html%22%20AND%20domain%3Avercel.app

You can view the Any Run Session here:

https://app.any.run/tasks/6e658873-ba9c-468a-9a3c-6af08414f773

It’s nothing too crazy. One thing that I noticed is that the GoTo installer communicates with dumpster.console.gotoresolve[.]com. I’d like to improve my Snort and Suricata writing abilities, so I spent a few hours figuring out how to get Snort and Suricata running on a VM, and replaying the Any Run PCAP with tcpreplay.

I’ve got the Snort and Suricata rules written below. I’ve confirmed they work with the current versions of Snort and Suricata. I’ve got the masq-monitor config below. At some point, I’ll push it to main. You can try my masq-monitor app here: https://github.com/MalasadaTech/masq-monitor.

Here’s what the masq-monitor report looks like.

masq-monitor

masq-monitor config.yaml config for the monitoring query:

  logmein-hash-sp:
    days: 7
    default_tlp_level: clear
    description: This report shows one subset of sites delivering LogMeIn RMM.
    description_tlp_level: clear
    frequency: Daily
    frequency_tlp_level: green
    last_run: '2025-05-11T05:01:58.455250'
    notes:
    - text: LogMeIn RMM
      tlp_level: clear
    platform: urlscan
    priority: High
    priority_tlp_level: green
    query: filename:"success.html" AND domain:vercel.app
    query_tlp_level: red
    references:
    - tlp_level: green
      url: https://github.com/MalasadaTech/defenders-threatmesh-framework
    tags:
    - RMM
    tags_tlp_level: green
    titles:
    - title: LogMeIn RMM Cluster
      tlp_level: clear

Snort

alert tcp any any -> any 53 (
    msg:"Suspicious TCP DNS Query for dumpster.console.gotoresolve.com";
    service:dns;
    content:"|08|dumpster|07|console|0B|gotoresolve|03|com|00|";
    sid:1000001;
    rev:1;
)

alert tcp any any -> any 443 (
    msg:"TLS SNI detected for dumpster.console.gotoresolve.com";
    flow:to_server,established;
    service:ssl;
    content:"dumpster.console.gotoresolve.com";
    sid:1000002;
    rev:4;
)

alert udp any any -> any 53 (
    msg:"Suspicious DNS Query for api.telegram.org";
    service:dns;
    content:"|03|api|08|telegram|03|org|00|";
    sid:1000003;
    rev:1;
)

alert tcp any any -> any 443 (
    msg:"TLS SNI detected for api.telegram.org";
    flow:to_server,established;
    service:ssl;
    content:"api.telegram.org";
    sid:1000004;
    rev:4;
)

Suricata

alert dns any any -> any any (msg:"LogMeIn Goto Domain - DNS Query dumpster.console.gotoresolve.com"; dns.query; content:"dumpster.console.gotoresolve.com"; nocase; sid:1000010; rev:1;)
alert dns any any -> any any (msg:"LogMeIn Goto Domain - DNS Query gotoresolve.com"; dns.query; content:"gotoresolve.com"; nocase; sid:1000011; rev:1;)
alert tls any any -> any any (msg:"LogMeIn Goto Domain - TLS SNI dumpster.console.gotoresolve.com"; tls.sni; content:"dumpster.console.gotoresolve.com"; nocase; sid:1000012; rev:1;)
alert tls any any -> any any (msg:"LogMeIn Goto Domain - TLS SNI gotoresolve.com"; tls.sni; content:"gotoresolve.com"; nocase; sid:1000013; rev:1;)
alert dns any any -> any any (msg:"Telegram API Domain - DNS Query api.telegram.org"; dns.query; content:"api.telegram.org"; nocase; sid:1000014; rev:1;)
alert tls any any -> any any (msg:"Telegram API Domain - TLS SNI api.telegram.org"; tls.sni; content:"api.telegram.org"; nocase; sid:1000015; rev:1;)
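The `content:` patterns in the Snort DNS rules are the queried name in DNS wire format (each label prefixed by its length byte and the whole name terminated by a zero byte), while the Suricata rules match on the decoded `dns.query` buffer. As an added example that is not part of the original post, this Python helper builds the wire-format pattern from a hostname and checks it against a constructed DNS query, so the length bytes can be verified before a rule is loaded. The hostnames are the ones from the rules above; the query packets are constructed here.

```python
import struct


def dns_wire_name(hostname: str) -> bytes:
    """Encode a hostname as a DNS wire-format name: <len><label>...<0x00>."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # RFC 1035 label length limit
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content(hostname: str) -> str:
    """Render the wire-format name as a Snort content: pattern, with the
    length bytes as |XX| hex and the printable labels written literally."""
    parts = [f"|{len(label):02X}|{label}" for label in hostname.rstrip(".").split(".")]
    return "".join(parts) + "|00|"


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal standard A query (12-byte header + one question).
    This is a sample packet built for the test, not a capture."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = dns_wire_name(hostname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def wire_matches(rule_hostname: str, payload: bytes) -> bool:
    """Mimic the Snort rule: the encoded name must appear in the payload.
    Because the length byte is part of the pattern, a rule for gotoresolve.com
    matches dumpster.console.gotoresolve.com but not notgotoresolve.com."""
    return dns_wire_name(rule_hostname) in payload


if __name__ == "__main__":
    for name in ("dumpster.console.gotoresolve.com", "api.telegram.org"):
        print(f'content:"{snort_content(name)}";')
    pkt = build_dns_query("dumpster.console.gotoresolve.com")
    print(wire_matches("gotoresolve.com", pkt), wire_matches("gotoresolve.com",
          build_dns_query("notgotoresolve.com")))
```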
