PandaLabs is warning of the risks of malware using Remote Desktop Protocol (RDP). Last year it highlighted an attack that used RDP and then installed the Crysis ransomware. This time it has detected hackers selling on access once they have finished gathering details about the machine.
The attack starts with a brute force attack against user credentials. Once the attackers are in they carry out reconnaissance on the target network looking for Point of Sale (PoS) terminals and ATMs. According to PandaLabs this is because they are simple to attack. Information stolen from them is also highly profitable when sold on the Dark Net.
What was interesting was that the attackers made several attempts to modify their malware when they encountered Panda Adaptive Defence. The malware, a Trojan known as Trj/RDPPatcher, is designed to modify the Windows registry to change the RDP validation. This allows future attacks to proceed easily as the attacking software would be seen as valid RDP connections.
Once the attackers have control of the machine they profile it to get details on the machine, user, operating system and which antivirus is installed. PandaLabs says the malware does not attempt to uninstall or modify the antivirus, it just gathers data about it. The malware also looks for websites recorded in the browser history. Among the websites it looks for are finance, gambling, e-commerce and dating apps.
Once it has finished gathering data it then contacts a Gibraltar based Command and Control server. The C&C server then collects the data which has been encrypted to make it hard for Security Operations teams to detect. The data on each machine, as well as access to the machines, is then offered for sale.
Conclusion
Like it or not, this is a clever piece of malware. Why risk getting caught stealing and using financial data when you can just be the gatekeeper. More importantly you can sell and resell access based on what people want access to. Botmasters might have been the first generation of gatekeepers but there’s now a new and much more savvy breed appearing.
