Attackers increasingly abuse legitimate remote-control tools to secretly take control of infected systems and evade detection. The article surveys backdoor and RAT families and real-world cases where tools like AnyDesk, TeamViewer, and VNC are misused for remote access.
Key points
- Attackers increasingly abuse legitimate remote-control tools (AnyDesk, TeamViewer, ToDesk, RuDesktop, TightVNC, etc.) to gain GUI-based control of compromised systems.
- Backdoor and RAT families (Remcos, AveMaria, TinyNuke HVNC, Ammyy Admin, etc.) are widely used, with groups like Kimsuky and NukeSped involved in such activity.
- Pen-testing frameworks like Cobalt Strike and Metasploit Meterpreter are leveraged to infiltrate networks, move laterally, and facilitate ransomware deployment.
- Silent deployment via PowerShell (installing AnyDesk and setting a password) demonstrates how remote-access tools are installed post-compromise.
- Legitimate remote-control tools help attackers bypass security software because they are trusted, widely deployed products whose presence and traffic look like ordinary administrative use rather than malware.
- Cases include SmokeLoader distributing TeamViewer via cracks, credential theft through GUI hooks, and WatchDog’s use of Tmate for remote access in Linux cloud environments.
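As an added defender-side example (not code from the ASEC article), the following Python flags remote-control tool launches that fit the deployment pattern described in the key points above: a tool spawned by a database or scripting process (the MS-SQL to PowerShell chain), started with unattended-install or password switches, or running from a staging directory such as /tmp (the tmate case). The key=value log format, host names, sample paths and the switch names are assumptions.

```python
import re

# Remote-control tools the article reports being abused, matched on the image file stem.
REMOTE_TOOLS = {"anydesk", "teamviewer", "todesk", "rudesktop", "tvnserver", "aa_v3", "tmate"}
# Parents that have no business launching a remote-control tool (the MS-SQL -> PowerShell chain).
SUSPICIOUS_PARENTS = {"sqlservr.exe", "powershell.exe", "w3wp.exe", "cmd.exe"}
# Unattended-install / password-provisioning switches (assumed names, not taken from the article).
SILENT_SWITCHES = re.compile(r"--silent|--install|--set-password|/verysilent", re.I)
# Staging directories an administrator-approved installation would not normally run from.
STAGING_DIRS = ("/tmp/", "\\temp\\", "\\users\\public\\")

# Constructed process-creation records in a simple key=value form; not real telemetry.
SAMPLE_LOG = r"""
host=DB01 parent=powershell.exe image="C:\Users\Public\anydesk.exe" cmd="anydesk.exe --install C:\ProgramData\AnyDesk --silent"
host=DB01 parent=powershell.exe image="C:\ProgramData\AnyDesk\AnyDesk.exe" cmd="AnyDesk.exe --set-password"
host=WS07 parent=explorer.exe image="C:\Program Files\TeamViewer\TeamViewer.exe" cmd="TeamViewer.exe"
host=WEB03 parent=sh image="/tmp/tmate" cmd="/tmp/tmate -F"
"""
LINE_RE = re.compile(r'host=(\S+) parent=(\S+) image="([^"]+)" cmd="([^"]*)"')


def parse(log: str) -> list[tuple[str, str, str, str]]:
    """Turn the key=value records into (host, parent, image, cmdline) tuples."""
    matches = (LINE_RE.match(line.strip()) for line in log.strip().splitlines())
    return [m.groups() for m in matches if m]


def tool_name(image: str) -> str:
    """File name of the image without directory or .exe, whatever the path separator."""
    return re.split(r"[\\/]", image)[-1].lower().removesuffix(".exe")


def detect(log: str) -> list[tuple[str, str, str]]:
    """Return (host, tool, reasons) for each remote-tool launch that looks like post-compromise deployment."""
    findings = []
    for host, parent, image, cmd in parse(log):
        tool = tool_name(image)
        if tool not in REMOTE_TOOLS:
            continue  # not one of the tools we care about
        reasons = []
        if parent.lower() in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {parent}")
        if SILENT_SWITCHES.search(cmd):
            reasons.append("unattended install/password switch")
        if any(d in image.lower() for d in STAGING_DIRS):
            reasons.append("runs from staging directory")
        if reasons:  # an interactive launch from explorer.exe produces none
            findings.append((host, tool, "; ".join(reasons)))
    return findings
```

Feed `detect()` the process-creation records from your EDR or Sysmon event 1 export in the same four-field shape; the TeamViewer line started by a user from the shell is deliberately left unflagged.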
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Attacker delivery via spear phishing emails with malicious attachments, as noted in the overview: “attackers install malware through various methods such as spear phishing emails with a malicious attachment.”
- [T1059.001] PowerShell – Use of PowerShell to silently install remote-control software (e.g., AnyDesk) after compromising a server: “After the hacker gains control over an MS-SQL server, the following PowerShell command is executed. This script is responsible for installing AnyDesk from the official website in silent mode, before setting the password ‘wocaoybb’ on it.”
- [T1021] Remote Services – Abuse of remote-control tools (AnyDesk, TeamViewer, VNC) to gain remote access and control infected systems: “these remote control tools place emphasis on user-friendliness, so they offer remote desktops. Even though they do not have malicious features, if they are installed on infected systems, they can be used for malicious purposes by attackers.”
- [T1003] OS Credential Dumping – Use of Mimikatz and related credential access to move within networks: “CobaltStrike and Mimikatz were then to dominate the internal web.”
- [T1113] Screen Capture – AveMaria and related RAT capabilities include taking screen captures: “including … taking screen captures”
- [T1056.001] Keylogging – AveMaria and related RAT capabilities include keylogging: “keylogging”
- [T1125] Video Capture – Webcam control as part of RAT capabilities: “controlling the webcam”
- [T1021.005] VNC – Virtual Network Computing as a remote-access method (AveMaria, TinyNuke HVNC, etc.) to provide GUI access: “VNC to offer remote desktop”
Indicators of Compromise
- [IP] compromised hosts involved in download actions – 106.250.168.50, 183.111.148.147, 119.201.213.146, 58.180.56.28
- [URL] download and C2-related addresses – hxxp://106.250.168[.]50/rd.exe, hxxp://106.250.168[.]50/todesk.rar, hxxp://183.111.148[.]147/mscorsvw2.exe, hxxp://119.201.213[.]146/mscorsvw2.exe, hxxp://58.180.56[.]28/mscorsvw2.exe, bbq.zzhreceive[.]top/tmate
- [Domain] bbq.zzhreceive.top – domain used in one of the remote-tool delivery chains
- [MD5] fe1bb6811f5c808414c4a357031c2718 – Ammyy Admin; 1aeb95215a633400d90ad8cbca9bc300 – tmate
- [File] rd.exe, todesk.rar, mscorsvw2.exe – file names appearing in the download chains
Read more: https://asec.ahnlab.com/en/40263/