Analysis on Attack Techniques and Cases Using RDP – ASEC BLOG

RDP is commonly used for initial compromise and lateral movement, including through RDP wrappers (e.g., RdpWrapper) when the target edition lacks native remote desktop support. The article also covers how attackers add user accounts, drop RDP-related malware, and employ credential theft and session hijacking to maintain access and expand their reach. #Kimsuky #AveMaria #AppleSeed #CreateHiddenAccount #Mimikatz

Keypoints

  • RDP is a prevalent vehicle for both initial access and lateral movement, often preferred over other remote tools.
  • Attackers increasingly add new user accounts on infected systems to maintain persistence, sometimes hiding them in registry keys.
  • Kimsuky has distributed malware that creates accounts (e.g., default) and grants them Admin/RDP privileges, while concealing the accounts from users.
  • RDP-related malware (e.g., AveMaria) can leverage RdpWrapper and reverse/remote control methods to connect to C2.
  • Public tools (e.g., CreateHiddenAccount) enable adding accounts on poorly managed MS-SQL servers without complex steps.
  • Port forwarding and proxy techniques (e.g., HTran) are used to bypass network barriers and enable RDP access through tunnels.

MITRE Techniques

  • [T1021.001] Remote Desktop Protocol – Used for initial compromise and lateral movement. Quote: “RDP is commonly used in most attacks, and this is because it is useful for initial compromise or lateral movement.”
  • [T1136.001] Create Account – Added user accounts for persistence. Quote: “The Kimsuky group has distributed malware that adds user accounts to infected systems this way.”
  • [T1112] Modify Registry – Registry keys used to hide accounts and enable access. Quote: “registers the added user account to the SpecialAccounts to prevent users from noticing it.”
  • [T1550.002] Pass the Hash – Lateral movement with NT Hash and Overpass the Hash in Restricted Admin Mode. Quote: “the NT Hash of the obtained domain admin account was used to execute mstsc with the Overpass the Hash attack in ‘Restricted Admin Mode’.”
  • [T1090] Proxy – Port forwarding to tunnel connections and bypass NAT. Quote: “Port forwarding is a feature where data transmitted from a certain port is forwarded to another port.”
  • [T1555.003] Credentials from Windows Credential Manager – RDP credentials saved in Vault and later stolen. Quote: “RDP credentials are saved in this Vault.”
  • [T1003.001] OS Credential Dumping – Mimikatz used to steal account information from the current session. Quote: “Mimikatz can steal account information even when the current user is using the remote desktop.”
  • [T1021.001] Remote Desktop Protocol – RDP hijacking and session interception. Quote: “RDP hijacking is a technique of intercepting another user’s remote desktop session for lateral movement.”
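The account-hiding technique quoted under T1112 and the Admin/RDP group grants in the Keypoints leave a simple footprint a defender can check for. The following PowerShell audit is an added example, not code from the ASEC article or from the malware it describes. It assumes the full registry path of the Winlogon SpecialAccounts key (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, where a DWORD value of 0 named after an account hides it from the logon screen) and the built-in `LocalAccounts` cmdlets available on Windows 10/Server 2016 and later; it only reads and reports.

```powershell
# Added example (not from the ASEC article): audit a Windows host for local
# accounts hidden from the logon screen via the Winlogon SpecialAccounts
# UserList key, and cross-check them against the groups the article says the
# malware grants (Administrators, Remote Desktop Users). Run from an elevated
# PowerShell session on the host being checked.

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# A DWORD value of 0 named after the account hides it from the logon UI.
# A cleanly built machine normally has no UserList key at all, so any
# entry deserves a look even when its value is not 0.
$userListEntries = @{}
if (Test-Path -Path $userListKey) {
    $props = Get-ItemProperty -Path $userListKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties.
        if ($p.Name -notlike 'PS*') { $userListEntries[$p.Name] = [int]$p.Value }
    }
}

# Get-LocalGroupMember returns local accounts as COMPUTERNAME\user;
# keep only the bare user name for comparison with Get-LocalUser.
function Get-GroupMemberNames([string]$Group) {
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    if ($null -eq $members) { return @() }
    return @($members | ForEach-Object { $_.Name.Split('\')[-1] })
}
$admins   = Get-GroupMemberNames 'Administrators'
$rdpUsers = Get-GroupMemberNames 'Remote Desktop Users'

$localUsers = Get-LocalUser
$report = foreach ($u in $localUsers) {
    $name = $u.Name
    [pscustomobject]@{
        Account         = $name
        Enabled         = $u.Enabled
        InUserListKey   = $userListEntries.ContainsKey($name)
        HiddenFromLogon = $userListEntries.ContainsKey($name) -and $userListEntries[$name] -eq 0
        IsAdmin         = $admins -contains $name
        CanRDP          = $rdpUsers -contains $name
        PasswordLastSet = $u.PasswordLastSet   # rough proxy for when the account was set up
        LastLogon       = $u.LastLogon
    }
}

# UserList entries with no matching local user are also worth noting:
# the account may have been removed after use, or may be a domain account.
$orphans = @($userListEntries.Keys | Where-Object { $_ -notin $localUsers.Name })

$report | Format-Table -AutoSize

$suspicious = @($report | Where-Object { $_.InUserListKey -and ($_.IsAdmin -or $_.CanRDP) })
if ($suspicious.Count -gt 0) {
    Write-Warning "Hidden local account(s) with admin or RDP rights: $($suspicious.Account -join ', ')"
}
if ($orphans.Count -gt 0) {
    Write-Warning "UserList entries with no matching local user: $($orphans -join ', ')"
}
```

The two warnings are the actionable output: a local account that is both listed under UserList and a member of Administrators or Remote Desktop Users matches the pattern the article attributes to the Kimsuky dropper, and should be correlated with account-creation events (Security event ID 4720) and with the RDP logon history of the host before being removed.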

Indicators of Compromise

  • [MD5] 81ee91290a78d2d38b47a7ae25ec717f – Malware that adds user account
  • [MD5] 185bc3037314ec2dbd6591ad72cf08b4 – CreateHiddenAccount
  • [MD5] b500a8ffd4907a1dfda985683f1de1df – CreateHiddenAccount
  • [URL] hxxp://80.66.76[.]22/servicem.exe – Malware that adds user account

Read more: https://asec.ahnlab.com/en/40394/