On Monday 3 March 2025, Luxembourg’s Financial Sector Supervisory Commission (Commission de surveillance du secteur financier, CSSF) announced that it had recently become aware of a malspam attack (malicious spam containing hyperlinks to download malware) targeting businesses through fraudulent emails that exploit Remote Monitoring and Management (RMM) tools, resulting in fraudulent Multiline transactions.

The CSSF added that the Computer Incident Centre Luxembourg (CIRCL) published a technical report on this subject, including recommendations and preventative advice. The CSSF has strongly recommended that all supervised entities concerned take note of the CIRCL report and take actions as appropriate.

In the report, CIRCL outlined that the attackers deceive recipients into clicking a link, disguised as an invoice, which installs an RMM tool on their system. Since these tools are legitimate applications, they evade antivirus detection, granting attackers full remote access.

CIRCL advised that once access is gained, the attackers escalate their control by installing additional RMM tools for persistence, spreading malware via email, and modifying system settings. Critically, they exploit the compromised workstation, often belonging to accountants or financial officers, to capture smart card PINs and execute fraudulent wire transfers, resulting in significant financial losses.

CIRCL added that preventing such malspam attacks in a corporate environment requires a multi-layered security approach. Prevention strategies, discussed in detail in the report, include: email security measures; user awareness and training; endpoint protection and network security; email authentication and domain protection; access control and the least privilege principle; (general) secure software and patch management; and incident response and monitoring.

The report also outlined the actions that should be taken during a compromise, mitigation strategies, as well as remediation after a compromise.

The full report is available at: https://circl.lu/pub/tr-93/
