
RDPPatcher sells access to your computer at a low price.



In recent months, PandaLabs, Panda Security's anti-malware laboratory, has seen a significant increase in malware installed over the Remote Desktop Protocol (RDP). Every day we observe thousands of infection attempts involving ransomware, hijacking of the system to mine Bitcoin, and other goals. All of these threats share a common approach: access to the computer via Remote Desktop (RDP) after the credentials have been obtained by brute force.

The newly detected attack uses the same entry technique, but its goal is entirely different from the attacks we analysed earlier. This time, after gaining entry to the system, the threat focuses on finding POS terminals and ATMs. The reason is that these machines are easy to attack anonymously from the Internet, and the financial return from selling the stolen information is very high.

RDPPatcher: selling system access on the black market


In this case the brute-force attack lasted more than two months until, in January 2017, the attackers hit on the correct credentials and gained access to the system. Once the system was compromised, the criminals attempted to infect it with malware. They found their attempts blocked by Adaptive Defense. They then modified the malware and tried again, also to no avail. Because Panda's advanced security solution is not signature-based and does not rely on prior knowledge of the malware to block it, modifying the malware does not change the outcome.

Analysis of the malware makes the purpose of the attack clear. The hashes of the two files are:

MD5 d78be752e991ccbec16f11e4fc6b2115
SHA1 4cc9d2c98f22aefab50ee217c1a0d872e93ce541

MD5 950e8614db5c567f66d0900ad09e45ac
SHA1 9355a60dd51cfd02a921444e92e012e25d0a6be

Both files were written in Delphi and packed with ASPack. After unpacking them we found that they are very similar to each other. We analysed the more recent one (950e8614db5c567f66d0900ad09e45ac).

This trojan is detected as Trj/RDPPatcher.A. It modifies Windows registry entries to change the RDP authentication type. These are the entries it changes:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp /v UserAuthentication /t REG_DWORD /d 1

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1

In addition, it deletes the following entries if they are present in the system:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /f

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /f

It then drops another file (MD5: 78D4E9BA8F641970162260273722C887) into the %TEMP% folder. This file is a variant of the rdpwrap application, and it is launched via the runas command with the parameters "-i -s" to enable concurrent RDP sessions on the system.
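The following PowerShell audit is an added example, not code from the article or from PandaLabs. It checks a Windows host for the indicators described above (the RDP-Tcp UserAuthentication value, the deleted logon banner values, the rdpwrap variant in %TEMP% by its MD5) and for the brute-force precursor behind the initial access (a burst of failed logons, event 4625, grouped by source address). It assumes a default install and an elevated session; the hash and registry names are those given in the article.

```powershell
# Added example (not from the original article): audit one host for RDPPatcher indicators.
# Run elevated. Registry names and the MD5 come from the article text above.
$findings = @()

# 1. RDP authentication setting the trojan rewrites (article: set to 1)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ua = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$findings += [pscustomobject]@{ Check = 'RDP-Tcp UserAuthentication'; Value = $ua;
                                Note  = 'Compare with your baseline; unexpected changes are suspicious' }

# 2. Logon banner values the trojan deletes
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'legalnoticecaption', 'legalnoticetext') {
    $present = $null -ne (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{ Check = "Logon banner $name present"; Value = $present;
                                    Note  = 'Missing where policy configures it is suspicious' }
}

# 3. Dropped rdpwrap variant in %TEMP% (MD5 from the article). $env:TEMP is the
#    current user's temp folder; repeat for each profile under C:\Users if needed.
$knownMd5 = '78D4E9BA8F641970162260273722C887'
$dropped = Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash -eq $knownMd5 }
$findings += [pscustomobject]@{ Check = 'rdpwrap variant in %TEMP%'; Value = (@($dropped.FullName) -join ';');
                                Note  = 'Any hit is a strong indicator of compromise' }

# 4. Brute-force precursor: failed logons (4625) in the last 24 h, grouped by source IP.
#    Property index 19 is IpAddress in the 4625 event schema.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$bySrc  = $failed | Group-Object { $_.Properties[19].Value } | Sort-Object Count -Descending | Select-Object -First 5
$findings += [pscustomobject]@{ Check = 'Failed logons (24h)'; Value = @($failed).Count;
                                Note  = 'Sustained high counts match the months-long brute force described' }

$findings | Format-Table -AutoSize
if ($bySrc) { "Top failed-logon sources:"; $bySrc | Format-Table Name, Count -AutoSize }
```

Treat any hit on checks 2 or 3 as a reason to preserve the host for forensics rather than clean it in place, since the article shows the dropped file is only the first stage of a resale.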

It then profiles the machine, collecting the following information about it:

• Username
• Device name
• Uptime (how long the device has been turned on)
• Operating system version
• Language
• Whether it is a virtual machine
• Memory
• Processor name
• Number of processor cores
• CPU speed

It then connects to the command-and-control (C&C) server to retrieve a list of Internet speed-test services, and records the measured download and upload speeds. Next it checks which antivirus is installed on the computer. Contrary to what we are used to seeing in most malicious attacks, it neither removes the installed antivirus nor interferes with its operation. It simply collects the data.

We were able to extract from the code the list of processes it searches for:

See table 1

After that it starts looking for different kinds of programs to continue profiling the computer. It is mainly looking for software related to POS terminals, ATMs and online gambling. Below is a small part of the list of programs it searches for (there are several hundred of them):

See table 2

It also walks through the browsing history, checking it against another list, grouped into categories by area of interest:

See table 3

All of these actions serve to "tag" the computer according to the software installed on it and the web pages it has visited.

After finishing the collection of data from the system, it sends a request to the C&C server. To hide the exfiltration inside web traffic from security systems, it first encrypts the data with AES128 using the password "8c@mj}||v*{hGqvYUG", which is embedded in the analysed sample, and then base64-encodes the result.


An example of an encrypted request.

The C&C server used by this malware sample is located in Gibraltar.



Conclusion


As we have seen, the first thing the attacker does is inventory the computer: gather a wide range of information (hardware, software, visited web pages, Internet connection speed) and install an application that allows several RDP sessions to run at the same time. There is no theft of data, passwords or anything else, as in other cases.

The explanation is quite simple: the cyber criminals behind these attacks sell access to the compromised computers at a very low price. With so much data about each system on hand, they can sell access to other groups of criminals who specialise in particular fields. For example, they can sell access to computers with POS terminal software installed to groups that specialise in stealing bank card data, and so on. Cyber crime has indeed become a professional activity and a very profitable racket.

Source: https://habr.com/ru/post/322010/
