UNC3753 Exploits Screen-Sharing Sessions and RMM Tools to Steal Sensitive Legal Data

Security researchers have uncovered a sophisticated intrusion campaign conducted by UNC3753, a financially motivated threat group targeting legal organizations and corporate entities. Rather than deploying traditional malware, the attackers leveraged screen-sharing sessions, legitimate Remote Monitoring and Management (RMM) tools, and social engineering techniques to gain access to sensitive legal information and confidential business data.

The campaign highlights a growing trend where threat actors abuse trusted administrative tools to blend into normal network activity, making detection significantly more difficult. Once access is established, attackers focus on identifying sensitive documents, privileged communications, intellectual property, and client-related information that can later be leaked or used for extortion.

Threat Actor Profile

Who is UNC3753?

UNC3753 is known for targeting organizations that handle valuable confidential information. Researchers observed the group using legitimate remote administration software instead of custom malware, reducing the likelihood of triggering traditional security controls.

Primary Targets

• Law firms
• Legal service providers
• Corporate legal departments
• Financial organizations
• Professional service firms

Primary Objectives

• Data theft
• Extortion
• Information brokerage
• Intelligence gathering

Initial Access Through Social Engineering

Unlike many ransomware groups that rely on vulnerability exploitation, UNC3753 often gains access through direct interaction with victims.

• Fake IT support requests
• Help desk impersonation
• Remote assistance invitations
• Phishing emails

Victims are convinced to join remote sessions or install legitimate RMM software under the assumption they are receiving technical support.

RMM Tools as an Attack Vector

After gaining initial trust, attackers deploy legitimate RMM software to maintain access.

• Persistent remote access
• File transfer capabilities
• Command execution
• Session monitoring

By leveraging legitimate software, attackers can avoid many traditional malware-based detections.

Data leak portal used by threat actors to advertise stolen information and pressure victims into complying with extortion demands.

Living-Off-The-Land Techniques

UNC3753 relies heavily on legitimate tools already trusted within enterprise environments.

• Remote access software
• File synchronization tools
• Screen-sharing applications
• Cloud storage platforms

Indicators of Compromise (IOCs)

The researchers identified multiple infrastructure indicators associated with UNC3753 operations, including attacker-controlled IP addresses, phishing support domains, and data leak platforms used for victim extortion and disclosure.

Security Recommendations

• Strengthen User Awareness
• Restrict RMM Usage
• Implement MFA
• Monitor Sensitive Data Repositories

The UNC3753 campaign demonstrates how threat actors can successfully compromise organizations without relying heavily on malware. By abusing screen-sharing sessions, legitimate RMM software, and social engineering techniques, attackers gain access to highly sensitive legal information while remaining difficult to detect. Organizations should focus on monitoring remote access activity, restricting unauthorized administrative tools, and strengthening employee awareness to reduce the risk of similar attacks.

About the Author

FHN

Administrator

FirstHackersNews- Identifies Security

Visit Website View All Posts