Cyber security firm Huntress has spotted a first-of-its-kind case of a popular server monitoring tool being used to install a backdoor in a Windows system.
Researchers at the company observed a threat actor using the Komari agent, the client half of an open-source server monitoring tool, to plant a SYSTEM-level backdoor without any custom malware: the agent's built-in control channel, pointed at a server the attacker controlled, served as the backdoor.
“Huntress SOC and Hunt analysts have spent the last two years documenting the steady drift of open-source DFIR and systems-administration tools into the adversary toolbox: Velociraptor, SimpleHelp, Net Monitor for Employees, ScreenConnect, AnyDesk, Nezha, and Atera,” Huntress said in a 30 April blog post.
“Komari is the new entry on that list, and a particularly pointed one, because unlike the other tools in that lineup, Komari does not require any abuse to function as a command-and-control (C2) channel. The control channel ships enabled by default. You do not weaponise it; you just point it at a server you ‘own’ and type an install command.”
The intrusion began with stolen VPN credentials. Using that access, the threat actor enabled Remote Desktop Protocol on the host, then installed the Komari agent as a Windows service through NSSM (the Non-Sucking Service Manager), giving it a name that resembled the Windows Update service. Running under the SYSTEM account, the agent opened a persistent outbound WebSocket connection to the attacker's Komari server, which functioned as the command channel.
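The attack chain above (RDP enabled, an NSSM-wrapped agent disguised as a Windows Update service, a persistent outbound session from SYSTEM) leaves three artefacts a defender can check for on a Windows host. The following PowerShell hunt is an added example written for this article; it is not Huntress's tooling or part of the Komari project. It assumes the NSSM wrapper still carries its default file name (nssm.exe) and that the agent binary keeps "komari" in its name; a renamed binary defeats the path match, so the display-name and service-account checks are kept as independent signals. Service installation events are Event ID 7045 in the System log, written by the Service Control Manager.

```powershell
# Added hunt script; not from Huntress or the Komari project. Assumed: nssm.exe keeps
# its default name and the agent binary contains "komari". The look-alike pattern is
# the disguise reported in the Huntress case; extend it for other mimicked services.
$suspectPath = 'nssm|komari'
$lookalike   = 'windows\s*update'
$realWU      = 'wuauserv'            # the genuine Windows Update service name

# 1. Was Remote Desktop switched on? fDenyTSConnections = 0 means RDP is enabled.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"Remote Desktop enabled: $($rdp.fDenyTSConnections -eq 0)"

# 2. Installed services: NSSM-wrapped or Komari-named binaries, or a service that
#    borrows the Windows Update name but is not the real wuauserv. For each hit,
#    list its established TCP sessions: the persistent outbound WebSocket shows here.
$findings = Get-CimInstance Win32_Service | Where-Object {
    $path = [string]$_.PathName
    ($path -match $suspectPath) -or
    (($_.DisplayName -match $lookalike -or $_.Name -match $lookalike) -and $_.Name -ne $realWU)
} | ForEach-Object {
    $svc   = $_
    $conns = @()
    if ($svc.ProcessId) {
        $conns = Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established -ErrorAction SilentlyContinue |
                 ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    }
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        Account     = $svc.StartName     # LocalSystem = a SYSTEM-level channel
        Path        = $svc.PathName
        Remote      = ($conns -join ', ')
    }
}
$findings | Format-Table -AutoSize

# 3. The install event itself (System log, Service Control Manager, Event ID 7045).
#    Property order in 7045: 0 = service name, 1 = image path, 4 = service account.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[1].Value -match $suspectPath -or $_.Properties[0].Value -match $lookalike
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Name    = $_.Properties[0].Value
            Path    = $_.Properties[1].Value
            Account = $_.Properties[4].Value
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host under review. Section 3 is the "install event" Huntress refers to: once that event has aged out of the log, only the live service (section 2) and its outbound session remain, and on the wire that session is an ordinary WebSocket to a server the attacker legitimately operates, which is why network telemetry alone struggles to fingerprint it.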
In this case, which occurred on 16 April, Huntress was able to contain the incident without any data loss or lateral movement, but other victims may not be so lucky.
“For defenders who don’t catch the install event, the outcome looks very different: a persistent SYSTEM-level command channel they may never fingerprint on network telemetry alone,” Huntress said.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.