RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data

Bitdefender researchers recently found threat actors abusing a legitimate feature in the RDP service as a fileless attack technique, dropping a multi-purpose off-the-shelf tool for device fingerprinting and for planting malware payloads ranging from ransomware and cryptocurrency miners to information and clipboard stealers.

The attack vector involves the Windows Remote Desktop Server. An RDP client can redirect a drive letter from its own machine into the session, where it appears as a network resource on the local virtual network. Attackers were able to use this shared directory as a very simple data exfiltration mechanism over the RDP protocol. By placing an off-the-shelf component on the “tsclient” (Terminal Server Client) network location, attackers could execute it from the session using either “explorer.exe” or “cmd.exe” and use it to download additional malware.
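The following is an added detection example, not code from the Bitdefender post: it scans constructed Sysmon-style process-creation records for executables launched from the \\tsclient share that RDP drive redirection exposes inside a session, rating launches via explorer.exe or cmd.exe (the launchers named above) as high. Field names and sample values are assumptions.

```python
"""Flag process launches sourced from an RDP-redirected client drive.

Added example: record layout (Sysmon Event ID 1 style field names) and
sample values are assumptions, not real IoCs from the post.
"""
import re

# Matches \\tsclient\<drive>\... in an image path or command line.
TSCLIENT_RE = re.compile(r'\\\\tsclient\\[^\s"]+', re.IGNORECASE)

# Parents the post names as launchers of the planted component.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

# Constructed sample records (illustrative paths, users and names only).
SAMPLE_EVENTS = [
    {"Image": r"\\tsclient\C\tools\worker.exe",
     "CommandLine": r"\\tsclient\C\tools\worker.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\svc-rdp"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "\\tsclient\D\payload.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\admin2"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "CommandLine": r'"C:\Program Files\Editor\editor.exe" notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_tsclient_launches(events):
    """Return one finding per event whose image or command line touches \\tsclient."""
    findings = []
    for ev in events:
        hit = TSCLIENT_RE.search(ev["Image"]) or TSCLIENT_RE.search(ev["CommandLine"])
        if not hit:
            continue  # no redirected-drive path involved
        parent = basename(ev["ParentImage"])
        findings.append({
            "user": ev["User"],
            "share_path": hit.group(0),
            "parent": parent,
            # Launch from an interactive shell matches the pattern in the post.
            "severity": "high" if parent in INTERACTIVE_PARENTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_tsclient_launches(SAMPLE_EVENTS):
        print(finding)
```

In production the same check would run over real process-creation telemetry; the constructed records above only exercise the matching logic.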

The “worker.exe” component provides a vast array of capabilities, mainly for data gathering. It features capabilities ranging from collecting system information (e.g. architecture, CPU model and core count, RAM size, Windows version etc.) to taking screenshots, collecting the victim’s IP address and domain name, pulling information about default browsers and specific open ports, and even anti-forensic and detection evasion commands.

The campaigns do not seem to target specific industries or companies; instead, threat actors have used a shotgun approach, focusing on reaching as many victims as possible. In terms of financial impact, estimated cryptocurrency earnings based on the cryptocurrency wallets found indicate attackers have netted at least $150,000 through some of their campaigns.

  • RDP abuse to exfiltrate data through the network
  • Off-the-shelf multi-purpose tool used to screen victims and drop malicious payloads (ransomware, clipboard stealers, cryptocurrency miners and info-stealer Trojans)
  • Ready-made ransomware families used as payload (Rapid Ransomware and Nemty)
  • Clipboard stealers replace cryptocurrency addresses with one that belongs to attackers
  • More than $150,000 in cryptocurrency earnings (22.604 BTC, 25.098 ETH, 13.846 DASH and 1.329 LTC), excluding Monero.

A complete analysis of the components is available in a research paper that can be downloaded below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Liviu Arsene. Read the original post at: