Windows Remote Desktop Services lets users share their local drives with a Terminal Server (Remote Desktop Session Host) with read and write permissions; on the server, each shared drive appears under the virtual network location “tsclient” followed by the drive letter (for example \\tsclient\c).
Over such a remote connection, cybercriminals can deliver cryptocurrency miners, info-stealers and ransomware straight from the redirected drive; since the payload runs from the share in RAM rather than being copied to the server, they can do so without leaving any footprints behind on disk.
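Execution from the tsclient share is the one distinguishing trace this technique leaves, so it is worth hunting for on session hosts. The following PowerShell snippet is an added example, not code from the article or from Bitdefender; it assumes that “Audit Process Creation” is enabled so that Security event ID 4688 is logged (and, for the command-line check, that “Include command line in process creation events” is on). The function name `Find-TsclientProcessLaunches` is hypothetical.

```powershell
# Added example (not from the original article): hunt the Security log for processes
# launched directly from a redirected RDP drive (\\tsclient\<letter>\...).
# Assumption: "Audit Process Creation" is enabled, so event ID 4688 exists on this host.
function Find-TsclientProcessLaunches {
    param(
        [int]$Hours = 24,                              # how far back to look
        [string]$ComputerName = $env:COMPUTERNAME      # session host to query
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties indexes, which differ between Windows versions.
        $fields = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

        # A legitimate server process is never started from \\tsclient\; an image path or a
        # command line under that UNC root means something ran straight off a redirected drive.
        $fromTsclient = ($fields['NewProcessName'] -like '\\tsclient\*') -or
                        ($fields['CommandLine']    -like '*\\tsclient\*')

        if ($fromTsclient) {
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                User        = "$($fields['SubjectDomainName'])\$($fields['SubjectUserName'])"
                Process     = $fields['NewProcessName']
                CommandLine = $fields['CommandLine']      # empty unless command-line auditing is on
                Parent      = $fields['ParentProcessName'] # present on Windows 10 / Server 2016 and later
            }
        }
    }
}

# Usage: review the last three days on the local session host.
Find-TsclientProcessLaunches -Hours 72 | Format-Table -AutoSize
```

Any hit from this query deserves a look, since the only benign reason for a process image under \\tsclient\ is an administrator deliberately running a tool from their own workstation; the same logic can be pointed at Sysmon event ID 1 (Image and CommandLine fields) where Sysmon is deployed.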
Since February 2018, hackers have been taking advantage of a component called ‘worker.exe’, sending it along with malware cocktails to collect the following system details:
- System information: architecture, CPU model, number of cores, RAM size, Windows version
- Domain name, privileges of the logged-in user, list of users on the machine
- Local IP address, upload and download speed, public IP information as returned by the ip-score.com service
- Default browser, status of specific ports on the host (checking for running servers listening on their ports), specific entries in the DNS cache (mainly whether the host tried to connect to a certain domain)
- Whether certain processes are running, and whether specific keys and values exist in the registry
Additionally, the component has the ability to take screenshots and enumerate all connected network shares that are mapped locally.
“worker.exe” has reportedly been used to execute at least three separate clipboard stealers (MicroClip, DelphiStealer and IntelRapid), two ransomware families (Rapid, including Rapid 2.0, and Nemty) and many Monero cryptocurrency miners based on XMRig. Since 2018, it has also been delivering the AZORult info-stealer.
The clipboard stealers work by replacing a cryptocurrency wallet address the user has copied with one belonging to the hacker, meaning the hacker receives all subsequent funds sent to it. Even the most diligent users can be fooled by the “complex scoring mechanism”, which sifts through over 1,300 addresses to find a fake address whose start and end are identical to the victim’s.
Clipboard stealers are estimated to have yielded around $150,000, though the real figure is undoubtedly much higher.
“From our telemetry, these campaigns do not seem to target specific industries, instead trying to reach as many victims as possible” – Bitdefender
Fortunately, precautionary measures can be taken that will protect you against this type of attack: block drive redirection through Group Policy by enabling the “Do not allow drive redirection” setting. The option is found by following this path in the Computer Configuration section of the Group Policy editor:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
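The same setting can be enforced and verified from the command line, which is useful for checking a fleet of session hosts rather than clicking through the editor on each. The PowerShell below is an added example, not code from the article or from Bitdefender; it assumes that the “Do not allow drive redirection” policy is stored as the DWORD value fDisableCdm under the Terminal Services policy key (which is where Group Policy writes it), and the function names `Set-RdpDriveRedirectionBlocked` and `Test-RdpDriveRedirectionBlocked` are hypothetical.

```powershell
# Added example (not from the original article): enforce and verify the
# "Do not allow drive redirection" policy on a Remote Desktop Session Host.
# Assumption: the policy is backed by the registry value fDisableCdm (1 = blocked)
# under the Terminal Services policy key; new sessions then get no \\tsclient\<drive> shares.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpDriveRedirectionBlocked {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The policy key does not exist until some Terminal Services policy has been set.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set fDisableCdm = 1')) {
        New-ItemProperty -Path $PolicyKey -Name 'fDisableCdm' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-RdpDriveRedirectionBlocked {
    # Returns $true only when the value exists and equals 1; a missing value means
    # the policy is "Not Configured", which leaves drive redirection allowed.
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'fDisableCdm' -ErrorAction SilentlyContinue).fDisableCdm
    return ($value -eq 1)
}

# Usage: apply, then report. Run from an elevated prompt.
Set-RdpDriveRedirectionBlocked
if (Test-RdpDriveRedirectionBlocked) {
    'Drive redirection is blocked by policy.'
} else {
    'Drive redirection is still allowed.'
}
```

Two caveats when rolling this out: the change only affects sessions established after it is applied, so users who are already connected keep their tsclient shares until they reconnect, and on a domain-joined host a domain GPO that sets the same value will overwrite a local setting at the next refresh, so the durable fix belongs in the domain policy that targets the session hosts.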
Read more about the attacks in detail at BleepingComputer.