Greenshot, AnyDesk, TeamViewer, Classroom Spy Pro, ProcDump, and Mimikatz

Greenshot

Greenshot is a lightweight screenshot software tool for Windows (2). The tool is capable of:

• Creating screenshots of a selected area, window, or the full screen
• Annotate, highlight, or obfuscate portions of the grabbed screenshot
• Export the screenshot to a file, a printer, copy to the clipboard, email, and more.

AnyDesk

AnyDesk is a remote desktop application that allows users to remotely access systems and transmit data between devices (3). AnyDesk is a legitimate tool that can run in the cloud or on-premises, making it a versatile tool for IT administrators. The tool is used by many Managed Service Providers (MSPs) to provide remote assistance, system management, and monitoring to their end clients.

TeamViewer

TeamViewer is a remote access and control software that allows users to connect to and control other computers and devices (4). TeamViewer is a legitimate tool used by organizations, as it is capable of assisting with:

• Asset management
• Mobile device management
• Device monitoring
• Endpoint protection

Threat Actor Abuse of Greenshot

Threat actors use the Greenshot tool to collect information from the compromised system — especially screenshotting credentials, sensitive dashboards, databases, and more.

Greenshot is likely an attractive tool for threat actors due to being a legitimate tool and more likely to evade detection.

Threat Actor Abuse of AnyDesk

AnyDesk is an attractive tool for threat actors to maintain persistent access to compromised devices and to evade detection.

Specifically, Blackpoint’s APG has tracked 20 ransomware operations purportedly using AnyDesk, including:

• Akira
• Black Basta
• BlackSuit

Threat Actor Abuse of TeamViewer

Threat actors often find TeamViewer and similar tools an attractive target for use during cyberattacks (5), due to:

• The access these types of tools provide
• The ability to remain undetected and blend into normal traffic
• The potential for persistent access to compromised networks

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely continue to use RDP for initial access and abuse remote management tools such as TeamViewer, AnyDesk, and Greenshot over the next 12 months.

This assessment is based on internal Blackpoint observed attacks, such as incidents on:

• March 14, 2024, involving a Consumer Cyclicals partner (6); and
• June 09, 2024, involving an Industrials partner (7)

The APG’s assessment is further supported by external reports from other research teams recording threat actor abuse of legitimate tools, including AnyDesk and TeamViewer. For example:

• In February 2023, Proofpoint security researchers reported that a threat group, TA866, targeted organizations in the U.S. and Germany with a new Screenshotter malware, similar to the Greenshot legitimate tool, to perform surveillance and data theft (8).
  • TA866 reportedly exfiltrated screenshots of the victims’ systems and analyzed them to determine if the target was valuable enough for further compromise.
• In June 2024, TeamViewer reported that they had been the victim of a cyberattack attributed to the Russia-linked APT29 threat group (9).
  • While the company reported that the incident was contained to their internal corporate IT environment and did not affect customer data or their product environment, the incident highlights how threat actors both use legitimate tooling and target the tooling organization specifically, likely in an attempt to target customers via supply chain attack.
• In August 2024, Silent Push security researchers reported an ongoing campaign targeting banks in the U.K. via social engineering attacks to deploy AnyDesk software (10).
  • Threat actors reportedly used social engineering, spoofed websites, and phishing attacks to lure victims into downloading AnyDesk software via a generic online help link.

Blackpoint’s APG recommends the following remediations and mitigations for threat actor use of RDP for initial access and remote management tool abuse in your environment.

• Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results. Employee training should also include how and when to report incidents to an incident response authority.
  • Previous incidents involving the use of legitimate remote management software have been initiated via social engineering attacks. Exposing employees to frequently observed social engineering tactics can aid in providing them with the awareness and knowledge to identify such tactics.
• Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, so they don’t “go rogue” and accidentally download malware from a malvertising or SEO-poisoned instance.
  • Dedicated software centers can also help IT administrators and security professionals identify when unusual or rogue software is downloaded, as there is a “known good” list of software to compare with suspicious applications or files.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols, ensuring your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • Threat actors have often abused legitimate tools in an attempt to blend in with normal traffic, as they did during this instance with Greenlight, TeamViewer, and AnyDesk. This type of detection can help identify when unusual software has been installed and prevent threat actors from successfully completing malicious actions.
• Regularly audit both the environment and endpoints for what “normal” user activity looks like, identify old and unused credentials or authorizations, and account for possible “shadow IT.” Such audits should also ensure the application and enforcement of all technical and administrative controls throughout your organization.
  • This incident involved the use of a screenshot tool, Greenshot, which has not been commonly observed in widely reported cyberattacks. Regularly auditing the environment can help quickly identify unusual but legitimate software installed on endpoints and remove them before successful execution.

Classroom Spy Pro is a classroom management software that allows users to monitor and control students’ computers (18). The software has the capability to conduct a variety of actions, including:

• Share a screen with the school remotely,
• Control computers,
• Limit the internet usage; and
• Block applications.

Classroom Spy Pro is specifically designed to monitor student computer activity within an educational setting. These monitoring and screen recording capabilities put this software alongside multiple other legitimate tools frequently abused by threat actors for monitoring victim activity, such as ScreenConnect (AKA ConnectWise) (19).

There is a roughly even chance that threat actors are testing or experimenting with abusing classroom software such as Classroom Spy Pro to monitor the activities of victims, deploy malware, and steal sensitive information.

Blackpoint’s Adversary Pursuit Group (APG) predicts a roughly even chance likelihood that threat actors will actively use Classroom Spy Pro for information theft over the next 12 months.

The APG’s assessment is based primarily on external reports from other research teams. For example:

• In July 2024, Microsoft security researchers released a report detailing the activities of a threat group, Onyx Sleet, which included the use of malware and tooling that would allow the group to monitor and record victims’ screens and activities (20).

To reiterate, it is the APG’s assessment that there is a roughly even chance that threat actors are testing, experimenting with, and outright abusing classroom software such as Classroom Spy Pro to monitor the activities of victims, deploy malware, and steal sensitive information as a normal part of their threat campaigns.

We will continue to monitor the abuse of all remote monitoring and management tools, regardless of industry vertical or specific software package, to help our partners continue to protect their environments.

Blackpoint’s APG recommends the following remediations and mitigations of threat actor abuse of Classroom Spy Pro for information theft in your environment.

• Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
  • The threat actor in this incident utilized a VPN connection to access the victim environment. Requiring the use of MFA can aid in providing an additional layer of authentication and make it more difficult for threat actors to gain initial access to the environment.
• Regularly audit both environment and endpoints for what “normal” user activity looks like, any old and unused credentials or authorizations, and possible “shadow IT” that was previously unaccounted for. Such audits should also ensure the application and enforcement of all technical and administrative controls throughout your organization.
  • During this incident, the threat actor deployed software designed for education institutions to monitor students’ computers. Regularly auditing the environment and endpoints can help identify unusual software or applications that would not normally be used for legitimate actions or that are unapproved.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • The threat actor in this incident utilized RDP to move laterally within the network. This type of detection can help quickly identify abnormal use of RDP and lateral movement activity before the threat actor can successfully complete an attack.
• Implement application controls, including blocklists and allowlists, to help manage and control software installation by end users to only approved and vetted applications.
  • This incident included the deployment of classroom spy software, which may or may not have been previously deployed or “made sense” to be deployed in this monitored environment. Implementing application controls can aid in preventing unapproved software from being deployed and executed.

ProcDump

ProcDump is a command-line utility designed to monitor applications for CPU spikes and generate crash dumps during a spike that an administrator can use to determine the cause (11).

Additionally, ProcDump can serve as a process dump utility and embedded into other scripts.

Mimikatz

Mimikatz is an open-source tool created in 2007 used to extract sensitive information, such as credentials, from a system’s memory (12). Mimikatz can extract passwords from memory or on-disk password stores, including:

• Plaintext passwords,
• Kerberos tickets, and
• NTLM password hashes.

Threat Actor Abuse of ProcDump

ProcDump is an attractive tool for threat actors due to its command-line capabilities and its legitimacy, which likely aids in evading detection (13).

Blackpoint’s APG has tracked at least 6 ransomware operations and 9 threat groups that have been observed utilizing the ProcDump tool in publicly reported incidents.

Threat Actor Abuse of Mimikatz

Mimikatz is an attractive tool option for threat actors due to its powerful capabilities, and its open-source nature allows for easier modification (14).

Blackpoint’s APG has tracked at least 22 ransomware operations that have used Mimikatz in publicly reported attacks.

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely abuse ProcDump and Mimikatz for credential theft over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, such as this June 03, 2024, incident involving a Consumer Non-Cyclicals partner (13).

The APG’s assessment is augmented by external reports from other research teams related to the malicious use of ProcDump and Mimikatz. For example:

• In May 2024, Microsoft security researchers released a report detailing the TTPs of a North Korea-linked threat actor, Moonstone Sleet (14).
  • Moonstone Sleet had reportedly used legitimate tools, including both ProcDump and Mimikatz, alongside its ransomware deployments as part of their campaign’s tool sets.
• In August 2024, Securonix security researchers reported an ongoing campaign targeting Chinese-speaking users with Cobalt Strike payloads delivered via social engineering attacks (15).
  • The threat actor reportedly used social engineering to gain initial access, deployed Cobalt Strike, and later used Mimikatz to gain control over the environment.

Blackpoint’s APG recommends the following remediations for mitigating threat actor use of ProcDump and Mimikatz for credential access in your environment.

• Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access – to help decrease the chances of undetected credential compromise.
  • Mimikatz and ProcDump are often abused to dump credentials; requiring the use of MFA can add an additional layer of security for any accounts.
• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
  • The threat actor in this incident gained access to an administrator account to execute credential dumping tools. Implementing least privilege can help ensure that basic user accounts are not able to access processes that would allow threat actors to dump credentials. Additionally, providing separate administrator and user accounts, when possible, helps ensure that employees are not always logged into or accessing administrator-level permissions when not needed.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • This type of monitoring can help detect abnormal downloads of legitimate software, like ProcDump and Mimikatz, as well as anomalous logins.
• Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
  • ProcDump and Mimikatz harvest credentials; requiring the use of secure password managers can help provide an additional obstacle for threat actors and help keep credentials confidential.

1. VirusTotal’s Repository: “205.220.129.21” by VirusTotal on 2024-02-05
2. Greenshot’s Website: “Greenshot” by Greenshot on N/A
3. AnyDesk’s Website: “AnyDesk Homepage” by AnyDesk on N/A
4. TeamViewer’s Website: “TeamViewer Homepage” by TeamViewer on 2024-04-25
5. Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28
6. Blackpoint Cyber’s Blog: “This Week in Review: AnyDesk, TeamViewer, QuickBooks, and IsErIk malware” by Blackpoint Cyber on 2024-03-22
7. Blackpoint Cyber’s Blog: “Potential BianLian Ransomware, TeamViewer, and BitLocker” by Blackpoint Cyber on 2024-06-14
8. Proofpoint’s Blog: “Screentime: Sometimes It Feels Like Somebody’s Watching Me” by Axel F. on 2023-02-08
9. TeamViewer’s Bulletin: “TeamViewer IT security incident” by TeamViewer on 2024-07-04
10. Silent Push’s Blog: “Silent Push tracks threat actor targeting UK banks in ongoing AnyDesk social engineering campaign” by Silent Push on 2024-08-08
11. Microsoft’s Repository: “ProcDump v11.0” by Microsoft on 2022-12-12
12. Deep Instinct’s Blog: “LSASS Memory Dumps are Stealthier than Ever Before” by Asaf Gilboa on 2021-01-24
13. StationX’s Blog: “How to use Mimikatz for Hacking in 2024: The Definitive Guide” by Adam Goss on 2024-05-13
14. Microsoft’s Repository: “HackTool:Win32/Mimikatz” by Microsoft on 2023-11-22
15. Microsoft’s Blog: “Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks” by Microsoft Threat Intelligence on 2024-05-28
16. Securonix’s Blog: “From Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users” by Den Iuzvyk and Tim Peck on 2024-08-29
17. Classroom Spy’s Website: “Classroom Spy Pro Homepage” by Classroom Spy on N/A
18. CISA’s Advisory: “Protecting Against Malicious Use of Remote Monitoring and Management Software” by CISA on 2023-01-26
19. Microsoft’s Blog: “Onyx Sleet uses array of malware to gather intelligence for North Korea” by Microsoft Threat Intelligence on 2024-07-25