Leveraging RDS Features
Remote Desktop Services (RDP) helps in sharing resources among systems (clients) in a network. This happens when a client connects to a terminal server via RDP that lets him read and write on others and vice-versa.
Leveraging RDS FeaturesEverything Has A PurposeTargeting and Defending
The drives (clients) appear in the server network on the name of “tsclient” followed by the drives letter, so as to simply locate the drive locally later. Whenever someone accesses other clients’ resources, there will be no trace left on anywhere as it would happen in RAM! which gets erased after the termination of the session. Researchers at Bitdefender discovered that few attackers are leveraging this feature and cashing off the vulnerable systems. They’re found dumping malware, ransomware and cryptocurrency mining tools to use victim’s resources in all the way possible. A recent methodology includes the setting in a component called worker.exe, which sniffs user data and his usage. The following actives are done by this malware.
Collecting System information, such as architecture, CPU model, number of cores, RAM size, Windows version. Knowing the Domain name, privileges of the logged user, list of users on the machine. Collecting local IP address, upload and download speed, public IP information as returned by the from ip-score.com service. Assessing the default browser to know the status of specific ports on the host, checking for running servers and listening on their port, specific entries in the DNS cache. Actively Checking of certain processes to know the run times, the existence of specific keys and values in the registry.
Further, taking screenshots and mentioning the shares done locally. All the collected data is then transferred in an.NFO file which is stored in the configuration file itself, so as to make the forensic evaluation hard later. Aside from snooping all this data, worker.exe is found operating three clipboard data stealers as MicroClip, DelphiStealer, and IntelRapid; ransomware files as Rapid/Rapid 2.0 and Nemty; Monero cryptocurrency miners and the AZORult info-stealer. These were found in the tsclient network share and known to be taking instructions from a hacker’s file named “config.ins” instead of default C2 (command and control server).
Everything Has A Purpose
While the cryptocurrency mining tools are used for minting coins using victims’ resources, they’re then transferred to the hacker’s wallet as mentioned. Aside from this, the hacker is also earning by changing the destination address of the victim’s cryptocurrency transaction. Here, the clipboard stealers actively snoop and replace the destination address whenever the victim is trying to send coins to someone. Further, this activity is turned creative by using the “Complex scoring mechanism”, where an IntelRapid malware is used to replace the destination address more creatively by matching either first or last characters of the address. This fools the victims who’re lazy enough to check the actual destination address. This way, hackers I estimated to have earned at least $150,000 in value excluding Monero coins and other malware/ransom.
Targeting and Defending
It’s found that these hackers aren’t targeting specific businesses or people, but everyone who’s vulnerable with most coming from Romania, USA, and Brazil. Though these are undetectable most of the times, a user can try defending by disabling the Clipboard Redirection option available in system settings as Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection Source: BleepingComputer