Hackers deploy TMChecker RAT to target popular VPN and mail servers

A new tool discovered on the Dark Web indicates a change in cybercriminal tactics for illicitly accessing corporate networks.

TMChecker, recently uncovered by ReSecurity, is engineered to target remote-access services and prominent e-commerce applications, blending login checking capabilities with a brute-force attack toolkit.

TMChecker, crafted by a threat actor dubbed “M762” on the XSS cybercrime forum, is offered on a monthly subscription basis for $200.

According to a report by ReSecurity, TMChecker goes beyond its counterparts like “ParanoidChecker,” targeting corporate remote access gateways, which are often primary intrusion vectors for ransomware infections and other high-level attacks.

It supports 17 different services, including various VPN solutions, enterprise mail servers, database management tools, and e-commerce platforms.

A notable incident involving TMChecker targeted an email server of a government organization in Ecuador (gob.ec). The incident shows how effective the tool is at obtaining valid credentials for corporate VPN and email accounts, which ransomware operators and initial access brokers (IABs) can then use.

The black-hat developer behind TMChecker, M762, manages a Telegram channel with over 3,270 subscribers. Although it’s uncertain how many of these subscribers are active customers, the channel’s following sheds light on the profitability of this adversarial Software-as-a-Service (SaaS) model.

TMChecker targets a wide range of systems, including VPN gateways, hosting administration panels, and e-commerce engines like Magento and PrestaShop. This broad spectrum of targets highlights the tool’s versatility and potential to compromise various systems, making it a valuable asset for cybercriminals.

The emergence of TMChecker aligns with the rise in human-operated ransomware attacks, as reported by Microsoft. These attacks involve the active abuse of remote monitoring and management tools, enabling hackers to leave behind less evidence compared to automated attacks.

The trend is expected to persist in 2024, with ransomware actors aiming to maximize returns by collaborating with multiple gangs.

The emergence of TMChecker poses a significant threat to organizations, especially in the context of corporate mergers and acquisitions (M&A). With the tool’s capacity to reduce the barriers to entry for cybercriminals, the private sector must enhance its cyber-due diligence processes.

As cybercriminals refine their tools for remote access compromise, organizations must stay vigilant and proactive in their cybersecurity efforts to counter these evolving threats.
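
As an added example (not taken from the ReSecurity report or the original article), the following sketch shows how a defender could separate the two behaviours the article attributes to TMChecker, login checking and brute forcing, in VPN and mail authentication logs, and list accounts that logged in successfully from the same source. The log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample (invented format, RFC 5737 addresses): time service src_ip user result
SAMPLE_LOG = """\
2024-03-01T02:00:01 vpn 203.0.113.7 alice FAIL
2024-03-01T02:00:03 vpn 203.0.113.7 bob FAIL
2024-03-01T02:00:05 mail 203.0.113.7 carol FAIL
2024-03-01T02:00:07 mail 203.0.113.7 dave FAIL
2024-03-01T02:00:11 mail 203.0.113.7 grace OK
2024-03-01T02:01:00 vpn 198.51.100.9 admin FAIL
2024-03-01T02:01:02 vpn 198.51.100.9 admin FAIL
2024-03-01T02:01:04 vpn 198.51.100.9 admin FAIL
2024-03-01T02:01:06 vpn 198.51.100.9 admin FAIL
2024-03-01T08:30:00 vpn 192.0.2.20 heidi FAIL
2024-03-01T08:30:20 vpn 192.0.2.20 heidi OK
"""
WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_FAILS = 4                   # assumed alert threshold
MAX_PER_USER = 3                # assumed: fewer failures per user than this means checking

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:  # ignore malformed lines
            ts, service, ip, user, result = parts
            yield datetime.fromisoformat(ts), service, ip, user, result

def analyse(text):
    by_ip = defaultdict(list)
    for event in sorted(parse(text)):
        by_ip[event[2]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if e[4] == "FAIL"]
        best, start = [], 0
        for end in range(len(fails)):  # find the densest WINDOW-long burst of failures
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < MIN_FAILS:
            continue
        users = {e[3] for e in best}
        pattern = "credential-checking" if len(best) / len(users) < MAX_PER_USER else "brute-force"
        # Logins that succeeded from this source after the burst began: reset these first.
        hits = sorted({(e[1], e[3]) for e in events if e[4] == "OK" and e[0] >= best[0][0]})
        findings[ip] = {"pattern": pattern, "failures": len(best),
                        "users": len(users), "valid_logins": hits}
    return findings
```

Calling `analyse(SAMPLE_LOG)` flags the two burst sources and leaves the single mistyped login from 192.0.2.20 alone; the `valid_logins` list is the part to act on first, since a success from a checking source means a working credential is in someone else's hands.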

About the Author:

FirstHackersNews- Identifies Security
