Windows RDP service (ab)used to plant a variety of malware on target hosts

Threat actors are abusing a legitimate feature in the Windows RDP service in fileless malware attacks, dropping a multi-purpose off-the-shelf tool for device fingerprinting and planting malware payloads ranging from ransomware and cryptocurrency miners to information and clipboard stealers, Bitdefender researchers warned.

The attackers leveraged a feature in Windows Remote Desktop Services that allows a client to share local drives to a Terminal Server with read and write permissions.

“The RDP client has the ability to share a drive letter on their machine, which acts as a resource on the local virtual network. Attackers were able to use the shared directory as a very simple data exfiltration mechanism over the RDP protocol. By using an off-the-shelf component placed on the ‘tsclient 1’ (Terminal Server Client) network location, attackers could execute it using either ‘explorer.exe’ or ‘cmd.exe’ and use it to download additional malware,” researchers explained.

The off-the-shelf component observed in the attacks is 'worker.exe', a tool popular among multiple threat actors, especially for its reconnaissance capabilities. It can collect system information (e.g. architecture, CPU model and core count, RAM size, Windows version), the victim’s IP address and domain name, capture screenshots, gather information about default browsers and specific open ports, and even run anti-forensic and detection-evasion commands.

The tool has been observed in various campaigns delivering clipboard stealers, ransomware (Rapid Ransomware and Nemty ransomware), Monero cryptocurrency miners, and the AZORult information stealer.

The researchers found samples of 'worker.exe' on a 'tsclient' network share and noticed that the tool did not connect to a command and control (C2) server for instructions. Instead, it took its commands from a text file named 'config.ins' in the same location.

All gathered data is saved in a .NFO file stored in the same location as the configuration file. Because that location is the attacker's redirected drive rather than the victim's disk, the tool leaves few local artifacts, which makes forensic analysis more difficult.
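The behaviour described above (a binary on the `\\tsclient\<drive>` share launched via explorer.exe or cmd.exe, reading config.ins and writing a .NFO file back to the share) can be turned into a simple detection. The following is an added example, not code from Bitdefender or from the article: it runs a few rules over constructed process-creation and file-access events in a made-up `key=value|key=value` format (real telemetry, e.g. Sysmon event IDs 1 and 11, would need its own parser). The sample events, hostnames and paths are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# UNC prefix Windows assigns to a client drive redirected over RDP: \\tsclient\<letter>\
TSCLIENT_RE = re.compile(r"\\\\tsclient\\[a-z]\\", re.IGNORECASE)
# Processes the article says were used to launch the tool from the share.
LAUNCHERS = {"explorer.exe", "cmd.exe"}
# File types the article associates with the tool: its config.ins and its .NFO output.
ARTIFACT_EXTS = (".ins", ".nfo")

# Constructed sample telemetry (not real logs): one event per line, fields split by '|'.
SAMPLE_EVENTS = r"""
type=process|image=C:\Windows\System32\cmd.exe|parent=C:\Windows\explorer.exe|cmdline=cmd.exe /c \\tsclient\C\worker.exe
type=process|image=\\tsclient\C\worker.exe|parent=C:\Windows\System32\cmd.exe|cmdline=\\tsclient\C\worker.exe
type=process|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmdline=notepad.exe
type=file|path=\\tsclient\C\config.ins|op=read|image=\\tsclient\C\worker.exe
type=file|path=\\tsclient\C\host.nfo|op=write|image=\\tsclient\C\worker.exe
type=file|path=C:\Users\jdoe\notes.txt|op=write|image=C:\Windows\System32\notepad.exe
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, so 'C:\\Windows\\explorer.exe' -> 'explorer.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches a tsclient-abuse pattern, else None."""
    if ev.get("type") == "process":
        image = ev.get("image", "")
        cmdline = ev.get("cmdline", "")
        # Rule 1: a process image living on the redirected client drive.
        if TSCLIENT_RE.search(image):
            return f"executable launched directly from redirected drive: {image}"
        # Rule 2: explorer.exe / cmd.exe invoking something on the redirected drive.
        if basename(image) in LAUNCHERS and TSCLIENT_RE.search(cmdline):
            return f"{basename(image)} invoked a file on a redirected drive: {cmdline}"
    elif ev.get("type") == "file":
        path = ev.get("path", "")
        actor = ev.get("image", "")
        # Rule 3: config (.ins) or result (.nfo) files touched on the redirected drive.
        if TSCLIENT_RE.search(path) and path.lower().endswith(ARTIFACT_EXTS):
            return f"{ev.get('op')} of {basename(path)} on redirected drive by {actor}"
    return None


def scan(raw: str) -> List[str]:
    """Run check_event over every non-empty line and collect the alert reasons in order."""
    alerts: List[str] = []
    for line in raw.strip().splitlines():
        reason = check_event(parse_event(line))
        if reason:
            alerts.append(reason)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample input the scan raises four alerts (the cmd.exe launch, worker.exe itself, the config.ins read and the .nfo write) and ignores the notepad activity. Where the redirected-drive feature is not needed, it can also be switched off on the session host with the Group Policy setting "Do not allow drive redirection" (Remote Desktop Session Host > Device and Resource Redirection), which sets the `fDisableCdm` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`; the detection above then also flags any attempt that slips through on hosts where the policy did not apply.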

The purpose of all three clipboard stealers (MicroClip, DelphyStealer, and IntelRapid) is to exploit the way cryptocurrency payments are made: a victim typically copies the recipient's wallet address to the clipboard, and the stealer swaps it for an attacker-controlled address so that the funds are diverted. Compared to MicroClip and DelphyStealer, the IntelRapid stealer is more advanced, as it supports a wider range of cryptocurrencies: Bitcoin, Litecoin, Ethereum, Monero, Bitcoin Cash, Dash, Ripple, Dogecoin, Neo, and ZCash. Its code is also heavily obfuscated using numerous layers of virtual calls, which makes reverse engineering difficult.

By analyzing the replacement addresses, Bitdefender determined that the clipboard stealers were deployed by the same threat actor.
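A defender can watch for the swap itself: if the clipboard changes from one wallet address to a different address of the same coin without a user-initiated copy in between, something on the host is rewriting it. The following is an added example written for this article, not Bitdefender's tooling or any of the stealers' code. It assumes a clipboard event stream where each event is tagged as either a user-initiated copy or an unattributed clipboard change (how such tagging is obtained is platform-specific and not shown), and the address regexes cover only Bitcoin, Ethereum and Monero as shape checks without checksum validation. All addresses in the sample stream are constructed strings of the right length.

```python
import re
from typing import List, Optional, Tuple

# Shape-only patterns for three of the coins the article lists (no checksum verification).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin name whose address shape the text matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


# Constructed clipboard event stream (not captured data): (source, content).
# "user"      = copy triggered by the user's own action
# "clipboard" = clipboard-changed notification with no matching user action
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("user", "1" + "A" * 33),         # user copies a (made-up) Bitcoin address
    ("clipboard", "1" + "B" * 33),    # content replaced silently by another Bitcoin address: swap
    ("user", "0x" + "a" * 40),        # user copies an Ethereum address
    ("user", "0x" + "b" * 40),        # user copies a different one themselves: legitimate
    ("user", "4A" + "B" * 93),        # user copies a Monero address
    ("clipboard", "4A" + "B" * 93),   # same content re-announced: not a swap
    ("user", "meeting at 3pm"),       # ordinary text, resets the tracked address
    ("clipboard", "0x" + "c" * 40),   # no preceding user copy of an address: nothing to compare
]


def detect_swaps(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (coin, original, replacement) for every silent same-coin address replacement."""
    swaps: List[Tuple[str, str, str]] = []
    last_user: Optional[Tuple[str, str]] = None  # (coin, address) of the last user copy
    for source, content in events:
        coin = classify(content)
        if source == "user":
            # Track only address copies; any other copy clears the comparison baseline.
            last_user = (coin, content) if coin else None
        elif source == "clipboard" and last_user is not None:
            if coin == last_user[0] and content != last_user[1]:
                swaps.append((coin, last_user[1], content))
                last_user = None  # report each swap once
    return swaps


if __name__ == "__main__":
    for coin, original, replacement in detect_swaps(SAMPLE_EVENTS):
        print(f"{coin}: clipboard address {original} was replaced with {replacement}")
```

Only the first pair is reported. The replacement addresses collected this way are also the data point the researchers used for attribution: the same attacker-controlled addresses recurring across samples is what tied the three stealers to one actor, so logging the replacement value (not just the fact of a swap) is worth doing.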

In terms of financial impact, estimated earnings based on the cryptocurrency wallets found indicate the attackers have made at least $150,000 through some of their campaigns. The researchers were unable to determine from their findings how exactly the attackers compromised the target network or planted 'worker.exe' on the 'tsclient' share. It is also unknown how the threat actor obtained the RDP credentials needed to access the target host.

As for the victims, Bitdefender said that these campaigns do not seem to target specific industries, instead trying to reach as many victims as possible. Most of the victims are located in Brazil, the U.S., and in Romania.