2 min read

RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data

Liviu ARSENE

December 18, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data

Bitdefender researchers recently found threat actors abusing a legitimate feature in the RDP service to act as a fileless attack technique, dropping a multi-purpose off-the-shelf tool for device fingerprinting and for planting malware payloads ranging from ransomware and cryptocurrency miners to information and clipboard stealers.

The attack vector involves the Windows Remote Desktop Server. The RDP client has the ability to share a drive letter on their machine, which acts as a resource on the local virtual network. Attackers were able to use the shared directory as a very simple data exfiltration mechanism over the RDP protocol. By using an off-the-shelf component placed on the “tsclient1” (Terminal Server Client) network location, attackers could execute it using either “explorer.exe” or “cmd.exe” and use it to download additional malware.

The “worker.exe” component provides a vast array of capabilities, mainly for data gathering. It features capabilities ranging from collecting system information (e.g. architecture, CPU model and core count, RAM size, Windows version etc.) to taking screenshots, collecting the victim’s IP address and domain name, pulling information about default browsers and specific open ports, and even anti-forensic and detection evasion commands.

The campaigns do not seem to target specific industries or companies; instead, threat actors have used a shotgun approach, focusing on reaching as many victims as possible. In terms of financial impact, estimated cryptocurrency earnings based on the cryptocurrency wallets found indicate attackers have netted at least $150,000 through some of their campaigns.

Key Findings

  • RDP abuse to exfiltrate data through network shares
  • Off-the-shelf multi-purpose tool used to screen victims and drop malicious payloads (ransomware, clipboard stealers, cryptocurrency miners and info-stealer Trojans)
  • Ready-made ransomware families used as payload (Rapid Ransomware and Nemty)
  • Clipboard stealers replace cryptocurrency addresses with one that belongs to attackers
  • More than $150,000 in cryptocurrency earnings (22.604 BTC, 25.098 ETH, 13.846 DASH and 1.329 LTC), excluding Monero.

A complete analysis of the analyzed components is available in a research paper available for download below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

tags


Author



Right now

Top posts

A Red Team Perspective on the Device42 Asset Management Appliance

A Red Team Perspective on the Device42 Asset Management Appliance

August 10, 2022

1 min read
Vulnerabilities Identified in Wyze Cam IoT Device

Vulnerabilities Identified in Wyze Cam IoT Device

March 29, 2022

1 min read
New FluBot and TeaBot Global Malware Campaigns Discovered

New FluBot and TeaBot Global Malware Campaigns Discovered

January 26, 2022

10 min read
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

December 10, 2021

2 min read
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

November 08, 2021

2 min read
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

September 16, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild
Balint SZABO

October 05, 2022

1 min read
Under Siege for Months: the Anatomy of an Industrial Espionage Operation Under Siege for Months: the Anatomy of an Industrial Espionage Operation
Alexandru MAXIMCIUCVictor VRABIE
1 min read
New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike
Filip TRUȚĂRăzvan GOSAAdrian Mihai GOZOB
4 min read