{"id":3116,"date":"2021-08-30T13:07:04","date_gmt":"2021-08-30T11:07:04","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3116"},"modified":"2026-06-08T22:33:27","modified_gmt":"2026-06-08T22:33:27","slug":"atera-rmm-abused-backdoor","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/atera-rmm-abused-backdoor\/","title":{"rendered":"Atera software abused as a backdoor during Cyber-Attack"},"content":{"rendered":"\n

The Atera<\/a> software is deployed for remote system control and monitoring from a single console. Recently, the team at AdvIntel<\/a> identified the use of the Atera agent as a backdoor<\/strong> during system compromises by Conti Ransomware<\/strong> and the criminal group Wizard Spider<\/strong>; this enabled threat actors to circumvent stringent security controls.<\/p>\n\n\n\n

Wizard Spider and Conti Ransomware<\/h2>\n\n\n\n

WIZARD SPIDER<\/strong> is a criminal group focused on the development and distribution of a sophisticated toolkit enabling execution of varied operations. The group was identified in September 2016 with their Banking Trojan<\/strong> known as TrickBot<\/strong>. Their operations shifted significantly when in August 2018 they began executing ransomware attacks using the malware families Ryuk<\/strong> and Conti<\/strong>.<\/p>\n\n\n\n

Conti<\/strong> is a multi-threaded and highly efficient ransomware deployed in operations targeting large-scale enterprises. The ransomware name derives from the extension appended to encrypted files (.CONTI<\/strong>) and the filename containing the ransom note (CONTI_README.txt<\/strong>). The ransomware encrypts files using a combination of AES-256<\/strong> and RSA-4096<\/strong> encryption algorithms via Windows CryptoAPI<\/strong>.<\/p>\n\n\n\n

Atera as Backdoor<\/h2>\n\n\n\n

Following deployment of a CobaltStrike<\/strong> beacon, we observed two operational modalities:<\/p>\n\n\n\n

The first consists of command execution for download and execution of the Atera agent MSI installer via official APIs. For download and installation of the trial version, an email address registered by the attacker is supplied. We identified Protonmail<\/strong> and Outlook<\/strong> addresses.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The second modality involves uploading the agent installer exported from the Atera management console via CobaltStrike’s upload<\/strong> command, followed by installation.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Through the Atera agent, commands can be executed using the dedicated console. Additionally, Atera supports integration of multiple remote control software solutions, including TeamViewer<\/strong>, AnyDesk<\/strong>, Slashtop<\/strong>, and ScreenConnect<\/strong>.<\/p>\n\n\n\n

The use of legitimate remote control software ensures that attacker actions are not flagged by endpoint protection systems present on machines. This renders identification of malicious presence within a system substantially more difficult. Effective Managed Detection and Response<\/a> capabilities become critical to detect anomalous behavior patterns across legitimate tooling.<\/p>\n\n\n\n

The applicable mitigation strategy involves implementing blacklists<\/strong> to block remote control software not explicitly permitted by organizational policy and monitoring software already present in infrastructure to identify anomalous activity. Continuous behavioral analysis of legitimate administrative tools remains essential to distinguish authorized operations from compromise activity.<\/p>\n","protected":false},"excerpt":{"rendered":"

Threat actors weaponising Atera RMM agent for unauthorised remote access: living-off-the-land patterns, telemetry signals and post-compromise operator behaviour.<\/p>\n","protected":false},"author":1,"featured_media":3126,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1673,1675,3170,1443,3172,3169,3171,1677,1679],"class_list":["post-3116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-anydesk-it","tag-atera-it","tag-living-off-the-land","tag-ransomware-it","tag-remote-access","tag-rmm-abuse","tag-t1219","tag-teamviewer-it","tag-wizard-spider-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3116"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3116\/revisions"}],"predecessor-version":[{"id":9858,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3116\/revisions\/9858"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}