Unknown Multiple Threat Actors: Researchers at Bitdefender found that threat actors are abusing a legitimate feature of the Windows Remote Desktop Protocol (RDP) service to run malware. The feature, drive redirection, lets the RDP client share its local drives with the Terminal Server with read and write permissions; the shared drives appear under a virtual network location named “tsclient”, followed by the drive letter, and can be mapped locally. The resources shared this way are accessible through the RDP session, and because the applications run straight from the share and execute in memory, no file is written to the victim machine’s disk. When the RDP session is terminated, so is the process, and its memory is typically released, leaving no trace that the attacker was ever there. The threat actors also used the shared directory to exfiltrate data gathered from the victim: the IP address, domain name, default web browser setting and open ports, together with anti-forensic and detection commands. The technique has delivered at least three distinct clipboard stealers, ransomware, Monero cryptocurrency miners and the highly popular information-stealing Trojan AZORult, all executed in RAM without leaving any files on the victim computer.
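As an added detection example for this item (not code from Bitdefender or from Binary Defense), the Python below hunts for the activity described above in process-creation telemetry: it flags any process whose image, parent image, working directory or command line references the \\tsclient\ share that RDP drive redirection exposes. The events are constructed for the example and laid out as flattened "Field: value" records; the field names follow Sysmon's Event ID 1 schema, while the timestamps, PIDs, user names and paths (including the worker.exe name) are invented.

```python
"""Hunt for processes launched from an RDP-redirected client drive.

Added example for this digest, not code from Bitdefender or Binary Defense.
It parses constructed Sysmon Event ID 1 (process creation) records laid out
as "Field: value" lines and flags any whose image, command line, working
directory or parent image points at the tsclient share that RDP exposes.
"""
import re
from typing import Dict, List

# Literal "\\tsclient\" prefix of a redirected client drive; Windows paths are
# case-insensitive, so match that way.
TSCLIENT_RE = re.compile(r"\\\\tsclient\\", re.IGNORECASE)

# Sysmon Event ID 1 fields that can carry a path worth inspecting.
PATH_FIELDS = ("Image", "CommandLine", "CurrentDirectory", "ParentImage")

# Constructed sample events, blank-line separated. Times, PIDs, users and
# paths are invented; the field names follow the Sysmon schema.
SAMPLE_EVENTS = r"""
UtcTime: 2024-01-10 09:12:31.004
ProcessId: 4120
Image: C:\Windows\System32\notepad.exe
CommandLine: "C:\Windows\System32\notepad.exe"
CurrentDirectory: C:\Users\alice\
User: CORP\alice
LogonId: 0x3E7A1
ParentImage: C:\Windows\explorer.exe

UtcTime: 2024-01-10 09:15:02.118
ProcessId: 5588
Image: \\tsclient\C\tools\worker.exe
CommandLine: \\tsclient\C\tools\worker.exe
CurrentDirectory: \\tsclient\C\tools\
User: CORP\svc-backup
LogonId: 0x5B2C10
ParentImage: C:\Windows\explorer.exe

UtcTime: 2024-01-10 09:15:05.902
ProcessId: 5604
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c net use Z: \\tsclient\D
CurrentDirectory: C:\Users\svc-backup\
User: CORP\svc-backup
LogonId: 0x5B2C10
ParentImage: C:\Windows\explorer.exe
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split flattened records into dicts; a blank line separates events."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # only "Field: value" lines count
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def tsclient_hits(event: Dict[str, str]) -> List[str]:
    """Names of the path fields in one event that reference the tsclient share."""
    return [f for f in PATH_FIELDS if TSCLIENT_RE.search(event.get(f, ""))]


def find_redirected_drive_execution(text: str) -> List[Dict[str, str]]:
    r"""One finding per event that touches a redirected client drive.

    A hit on Image or ParentImage means a binary ran straight off the share
    with nothing written locally. A CommandLine-only hit is kept as well:
    "net use Z: \\tsclient\D" maps the share to a drive letter, and later
    images then show the letter rather than the UNC path.
    """
    findings = []
    for ev in parse_events(text):
        hits = tsclient_hits(ev)
        if hits:
            summary = {k: ev.get(k, "") for k in
                       ("UtcTime", "ProcessId", "LogonId", "User", "Image")}
            summary["matched_fields"] = ",".join(hits)
            findings.append(summary)
    return findings


def hits_by_logon(text: str) -> Dict[str, List[str]]:
    """Group flagged process IDs by LogonId so one RDP session's activity is
    read together rather than as isolated events."""
    grouped: Dict[str, List[str]] = {}
    for f in find_redirected_drive_execution(text):
        grouped.setdefault(f["LogonId"], []).append(f["ProcessId"])
    return grouped


if __name__ == "__main__":
    for f in find_redirected_drive_execution(SAMPLE_EVENTS):
        print(f"{f['UtcTime']} pid={f['ProcessId']} user={f['User']} "
              f"matched={f['matched_fields']} image={f['Image']}")
    print("by RDP logon session:", hits_by_logon(SAMPLE_EVENTS))
```

Because the payload runs from the redirected share and never touches the local disk, file-based indicators are absent and process-creation telemetry (Sysmon Event ID 1, or Windows 4688 with command-line logging enabled) is the practical place to look; grouping hits by LogonId ties them back to the RDP session that brought the drive in. Drive redirection is also used legitimately by administrators, so treat this as a hunting signal to review rather than a blocking rule. The matching hardening, where the business does not need it, is the “Do not allow drive redirection” Group Policy setting (the fDisableCdm value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services), which removes the tsclient share from the session entirely.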
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased