Anti-Malware Research Whitepapers

RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data

RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data

Bitdefender researchers recently found threat actors abusing a legitimate feature in the RDP service to act as a fileless attack technique, dropping a multi-purpose off-the-shelf tool for device fingerprinting and for planting malware payloads ranging from ransomware and cryptocurrency miners to information and clipboard stealers.

The attack vector involves the Windows Remote Desktop Server. The RDP client has the ability to share a drive letter on their machine, which acts as a resource on the local virtual network. Attackers were able to use the shared directory as a very simple data exfiltration mechanism over the RDP protocol. By using an off-the-shelf component placed on the “tsclient1” (Terminal Server Client) network location, attackers could execute it using either “explorer.exe” or “cmd.exe” and use it to download additional malware.

The “worker.exe” component provides a vast array of capabilities, mainly for data gathering. It features capabilities ranging from collecting system information (e.g. architecture, CPU model and core count, RAM size, Windows version etc.) to taking screenshots, collecting the victim’s IP address and domain name, pulling information about default browsers and specific open ports, and even anti-forensic and detection evasion commands.

The campaigns do not seem to target specific industries or companies; instead, threat actors have used a shotgun approach, focusing on reaching as many victims as possible. In terms of financial impact, estimated cryptocurrency earnings based on the cryptocurrency wallets found indicate attackers have netted at least $150,000 through some of their campaigns.

Key Findings

  • RDP abuse to exfiltrate data through network shares
  • Off-the-shelf multi-purpose tool used to screen victims and drop malicious payloads (ransomware, clipboard stealers, cryptocurrency miners and info-stealer Trojans)
  • Ready-made ransomware families used as payload (Rapid Ransomware and Nemty)
  • Clipboard stealers replace cryptocurrency addresses with one that belongs to attackers
  • More than $150,000 in cryptocurrency earnings (22.604 BTC, 25.098 ETH, 13.846 DASH and 1.329 LTC), excluding Monero.

A complete analysis of the analyzed components is available in a research paper available for download below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

About the author


Eduard Budaca is a security researcher at Bitdefender. When not dissecting malware, he enjoys coding and playing video games. While perhaps too meticulous at times, he believes that digging deeper into the matter is often the only way to make sure that what you see is actually true.

About the author

Victor Vrabie

Victor VRABIE is a security researcher at Bitdefender and he's based Iasi, Romania. Focusing on malware research, advanced persistent threats, and cybercrime investigations, he's also a graduate of Computer Sciences.

About the author


Senior Team Lead, Cyber Threat Intelligence Lab

Cristina Vatamanu is Senior Team Lead in the Cyber Threat intelligence Lab at Bitdefender. She is based in Iasi, Romania, and has more than 10 years of forensic work under her belt, being involved in malware analysis, cybercrime investigations, research projects for antimalware tools optimization. She graduated Computer Sciences and she has a PHD degree in machine learning used in hybrid models dedicated in detecting malicious programs.

About the author


Team Lead, Cyber Threat Intelligence Lab

Alexandru "Sasha" Maximciuc is a veteran security researcher with more than a decade of experience. His research is mostly focused on exploits, advanced persistent threats, cybercrime investigations, and packing technologies.

Add Comment

Click here to post a comment