Unknown Multiple Threat Actors: Researchers at Bitdefender found that threat actors are utilizing a legitimate feature in the Remote Desktop Protocol (RDP) service in Windows to run malware. The attackers are leveraging a feature that allows the client to share local drives to the Terminal Server with reading and write permissions. Drives appear on a virtual network location called “tsclient” followed by the drive letter that can be mapped locally. Access to the resources shared this way is possible through RDP and no trace is left on the victim machine’s disk as applications execute in memory. When the RDP session is terminated, so is the process and the memory is typically released, leaving no trace that the attacker was ever there. Threat actors were able to use the shared directory for data exfiltration which collected the victim’s IP address, domain name, information about the default web browser setting, information about open ports, and anti-forensic and detection commands. This has delivered at least three different distinct clipboard stealers, ransomware, Monero cryptocurrency miners, and a highly popular Trojan stealer called AZORult—all of which are executed in RAM without leaving any files on the victim computer.
Analyst Notes
A prerequisite for this attack is for the attacker to have access to log in to a victim server via RDP. The most effective defense is to secure RDP servers by not exposing them directly to the Internet—requiring RDP clients to first connect to a secure VPN gateway that uses client certificates and multi-factor authentication is a strong defense against RDP abuse. This attack uses a legitimate service found on Windows machines to allow threat actors to run malware without copying files onto the disks of victim computers. This means that defenders must not rely solely on security solutions that scan files on disk—it is important to also deploy solutions that alert on attacker behavior and malware in memory. Victims from across the world and in many different industries have been targeted and this technique is believed to be used by many different cybercriminals and cybergangs. Preventing this type of attack can be accomplished if companies are willing to disable drive redirection using group policies. Full research from Bitdefender can be found here: https://www.bitdefender.com/files/News/CaseStudies/study/302/Bitdefender-WhitePaper-RDP-Abusers.pdf
