How real software downloads can hide remote backdoors

MITRE Techniques

• [T1036 ] Masquerading – The campaign cloned a legitimate site and used a convincing domain to impersonate RustDesk (‘we identified a malicious website at rustdesk[.]work impersonating the legitimate RustDesk project, which is hosted at rustdesk.com’).
• [T1204 ] User Execution – The attack relies on users downloading and running a seemingly legitimate installer from search results (‘You install the software, launch it, and everything works exactly as expected’).
• [T1055 ] Process Injection – The loader creates a new process, allocates executable memory, and hands execution to Libserver.exe to run code in another process (‘Creates a new process; Allocates executable memory; Transitions execution to a new runtime identity: Libserver.exe’).
• [T1218 ] Signed Binary Proxy Execution / Living off the Land (general technique) – Attackers run the legitimate RustDesk installer alongside malicious components to avoid suspicion (‘It installs real RustDesk, fully functional and unmodified’ while also installing a backdoor).
• [T1041 ] Exfiltration Over C2 Channel – The implant sends stolen data and receives commands via an established C2 session (‘send commands to the infected machine and receive stolen data in return’).
• [T1071 ] Application Layer Protocol – The malware uses network communication to an attacker-controlled server (TCP 5666) to maintain C2 functionality (‘IP: 207.56.13[.]76 Port: 5666/TCP’).
• [T1056 ] Input Capture – Winos4.0 logs keystrokes to steal credentials (‘Log keystrokes and steal credentials’).
• [T1113 ] Screen Capture – The framework captures screenshots to monitor victim activity (‘Monitor victim activity and capture screenshots’).
• [T1105 ] Ingress Tool Transfer – The malware can download and execute additional tools or payloads on the infected host (‘Download and execute additional malware’).
• [T1547 ] Boot or Logon Autostart Execution (Registry Run Keys/Startup Folder) – The backdoor maintains persistence even after reboots and hides configuration in the registry (‘Maintain persistent access even after system reboots’ and ‘Hides configuration in the registry’).
• [T1497 ] Virtualization/Sandbox Evasion – The payload detects analysis environments by checking system memory and looking for debugging tools (‘Detects analysis environments; Checks available system memory and looks for debugging tools’).
• [T1070 ] Indicator Removal on Host – The malware clears artifacts such as browser history to remove traces of infection (‘Clears browser history; Invokes system APIs to delete browsing data’).