Datto RMM Exploited in Phishing Attack, Researchers Warn


Researchers warn attackers are abusing Datto RMM in phishing campaigns to gain full system control while evading detection using trusted IT tools.

Apr 9, 2026

Security researchers have uncovered an active phishing campaign that abuses Datto's remote monitoring and management platform, Datto RMM (formerly CentraStage), as a command-and-control channel, giving attackers full interactive control over compromised systems while flying under the radar of traditional security defenses.

Phishing campaign delivers remote access trojan via fake files

The campaign, tracked by the Fortra Intelligence and Research Experts (FIRE) team, distributes its payload, in effect a remote access trojan built on the legitimate Datto RMM agent, through convincing phishing emails whose attachments pose as Adobe installers, medical documents, and corporate invoices.

Once a victim manually runs the file, the attacker gains screen-viewing, keyboard and mouse control, file transfer, and command-execution capabilities, all tunneled over the standard HTTPS port 443.

“What sets this operation apart is the strategic choice to run C2 through Datto RMM, a move that demands preparation, resources, and active management of a legitimate account,” the Fortra report states.

Why attackers are abusing Datto RMM for stealth access

The malware does not exploit any software vulnerability. It relies on the victim being tricked into running the file; once that happens, a legitimate management agent does the rest.

The binary is a simple NSIS installer that installs Datto RMM components to C:\ProgramData\CentraStage, configures a Windows service called CagService enrolled with the attacker's account credentials, and modifies the Run keys in the registry to survive reboots. The service, install path, and registry entries are the same ones a legitimate Datto RMM deployment creates; what makes them malicious is that the agent reports to an account the attacker controls.

Because the traffic blends in with legitimate IT management activity, standard network monitoring and endpoint security solutions are unlikely to flag it as malicious.

“Datto RMM is the latest in a line of legitimate remote management software being abused to support malicious activity and evade detection,” the Fortra report notes.


How organizations can detect and mitigate the threat

Fortra researchers recommend that organizations that do not use Datto RMM block outbound traffic to 03cc.centrastage.net immediately. Because Windows Firewall rules match addresses rather than hostnames, that block is most practical at the DNS resolver or egress proxy.

Security teams should also hunt for CagService running on endpoints where Datto RMM is not part of the approved IT tooling inventory; on endpoints where it is approved, the account the agent is enrolled to should be verified.

The report advises reporting the AccountUid zin738c0001 to Datto’s parent company, Kaseya, for abuse investigation, and reviewing registry Run keys for unauthorized entries.
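One way to carry out the hunt the report recommends, as an added PowerShell example that is not code from Fortra, Kaseya, or this article: it checks a Windows host for the artifacts named above (the CagService service, the C:\ProgramData\CentraStage directory, and Run-key entries pointing at the agent), looks for the reported AccountUid, and flags the host if it is not on an approved list. The approved-host list is a placeholder, the assumption that the enrolled AccountUid is written to files under the agent directory is mine and not from the report, and the check for established port-443 connections from agent processes is my addition (the report only states that the traffic uses port 443). Run it elevated so HKLM and ProgramData are readable.

```powershell
# Added hunting example; not from the Fortra report or the article.
# Assumptions (not facts from the report): $ApprovedRmmHosts is a hypothetical
# inventory list; the enrolled AccountUid may appear in files under the agent
# directory; agent processes hold established TCP connections on port 443.
param(
    [string[]] $ApprovedRmmHosts  = @('MSP-JUMP01'),   # hypothetical approved inventory
    [string]   $SuspectAccountUid = 'zin738c0001'      # AccountUid named in the Fortra report
)

$findings   = New-Object System.Collections.Generic.List[string]
$isApproved = $ApprovedRmmHosts -contains $env:COMPUTERNAME
$agentDir   = Join-Path $env:ProgramData 'CentraStage'

# 1. The Windows service the installer registers.
$svc = Get-CimInstance Win32_Service -Filter "Name='CagService'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("CagService present: State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)")
}

# 2. The agent install directory, and (assumption) the enrolled AccountUid inside it.
if (Test-Path $agentDir) {
    $findings.Add("Agent directory present: $agentDir")
    $hits = Get-ChildItem $agentDir -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $SuspectAccountUid -SimpleMatch -List -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        $findings.Add("Suspect AccountUid $SuspectAccountUid found in $($h.Path)")
    }
}

# 3. Run keys referencing the agent (the reboot persistence the report describes).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        if ("$($p.Value)" -match 'CentraStage|CagService') {
            $findings.Add("Run key ${key}\$($p.Name) -> $($p.Value)")
        }
    }
}

# 4. Established connections from processes running out of the agent directory.
#    The report says C2 rides port 443; this shows where the agent is actually talking.
$agentProcs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -like "$agentDir*" }
foreach ($proc in $agentProcs) {
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("Agent process $($proc.Name) (PID $($proc.Id)) -> $($_.RemoteAddress):$($_.RemotePort)")
        }
}

# Verdict: artifacts on an unapproved host are the signal the report asks teams to hunt for.
if ($findings.Count -eq 0) {
    Write-Output "No Datto RMM artifacts found on $env:COMPUTERNAME"
} elseif ($isApproved) {
    Write-Output "Datto RMM artifacts found on approved host $env:COMPUTERNAME (verify the enrolled account is yours):"
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Warning "Datto RMM artifacts found on UNAPPROVED host $env:COMPUTERNAME - treat as suspected C2:"
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it with `-ApprovedRmmHosts` set to your real inventory; a hit for the suspect AccountUid on any host, approved or not, is the strongest indicator, since a legitimate agent on your own estate should be enrolled to your own account. Because every artifact checked here is also present on a correctly deployed Datto RMM agent, the allowlist comparison, not the presence of the artifacts, is what separates signal from noise.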

“An attacker with an active connection via Datto RMM has full interactive control of the endpoint,” the report warns. “This includes real-time screen viewing, keyboard and mouse input, file system access, and remote command execution.”

Kaseya: RMM abuse is an industry-wide security issue

Kaseya acknowledged the findings but stressed the problem is not unique to its platform.

“Fortra’s report highlights an industry-wide issue with malicious actors utilizing RMM tools to launch phishing attacks and gain unauthorized access to systems,” the company said in a statement appended to Fortra’s report. “While Datto RMM is recognized as an industry-leading RMM solution, it is just one of many such providers experiencing this issue.”

Kaseya said it has implemented enhancements in business practices to mitigate malicious actors leveraging the product, adding that it "continues to work closely with various partners and MSP community stakeholders, including Fortra, to identify potential areas of improvement."

Aminu Abdullahi

Aminu Abdullahi is a contributing writer for Channel Insider and a B2B technology and finance writer with over 6 years of experience. He has written for various other tech publications, including TechRepublic, eSecurity Planet, IT Business Edge, and more.


Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved
