Though RDP service is set up for a crucial purpose of networking communications, most of the users don’t use it, actually, not everyone needs it. Such vulnerabilities of unactivated RDPs are exploited by hackers in stealing malware dumps, cryptocurrency mining, ransomware, etc. Here’s a story of a new group doing all these three activities actively.

Leveraging RDS Features

Remote Desktop Services (RDP) helps in sharing resources among systems (clients) in a network. This happens when a client connects to a terminal server via RDP that lets him read and write on others and vice-versa.

The drives (clients) appear in the server network on the name of “tsclient” followed by the drives letter, so as to simply locate the drive locally later. Whenever someone accesses other clients’ resources, there will be no trace left on anywhere as it would happen in RAM! which gets erased after the termination of the session.

Researchers at Bitdefender discovered that few attackers are leveraging this feature and cashing off the vulnerable systems. They’re found dumping malware, ransomware and cryptocurrency mining tools to use victim’s resources in all the way possible. A recent methodology includes the setting in a component called worker.exe, which sniffs user data and his usage. The following actives are done by this malware.

Collecting System information, such as architecture, CPU model, number of cores, RAM size, Windows version.

Knowing the Domain name, privileges of the logged user, list of users on the machine.

Collecting local IP address, upload and download speed, public IP information as returned by the from ip-score.com service.

Assessing the default browser to know the status of specific ports on the host, checking for running servers and listening on their port, specific entries in the DNS cache.

Actively Checking of certain processes to know the run times, the existence of specific keys and values in the registry.

Further, taking screenshots and mentioning the shares done locally. All the collected data is then transferred in an.NFO file which is stored in the configuration file itself, so as to make the forensic evaluation hard later.

Aside from snooping all this data, worker.exe is found operating three clipboard data stealers as MicroClip, DelphiStealer, and IntelRapid; ransomware files as Rapid/Rapid 2.0 and Nemty; Monero cryptocurrency miners and the AZORult info-stealer. These were found in the tsclient network share and known to be taking instructions from a hacker’s file named “config.ins” instead of default C2 (command and control server).

Everything Has A Purpose

While the cryptocurrency mining tools are used for minting coins using victims’ resources, they’re then transferred to the hacker’s wallet as mentioned. Aside from this, the hacker is also earning by changing the destination address of the victim’s cryptocurrency transaction. Here, the clipboard stealers actively snoop and replace the destination address whenever the victim is trying to send coins to someone.

Further, this activity is turned creative by using the “Complex scoring mechanism”, where an IntelRapid malware is used to replace the destination address more creatively by matching either first or last characters of the address. This fools the victims who’re lazy enough to check the actual destination address. This way, hackers I estimated to have earned at least $150,000 in value excluding Monero coins and other malware/ransom.

Targeting and Defending

It’s found that these hackers aren’t targeting specific businesses or people, but everyone who’s vulnerable with most coming from Romania, USA, and Brazil.

Bitdefender said, “From our telemetry, these campaigns do not seem to target specific industries, instead of trying to reach as many victims as possible”.

Though these are undetectable most of the times, a user can try defending by disabling the Clipboard Redirection option available in system settings as Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Source: BleepingComputer