Recent investigations by Bitdefender security researchers revealed an attack tactic that could be considered fileless, from an endpoint perspective. Abusing the RDP protocol, in the sense that attackers already have legitimate RDP (Remote Desktop Protocol) credentials, means they can set up a share on their machine that acts as a resource on the local virtual network.
The victim’s endpoint sees the share as if part of the local infrastructure, with its content both readable and writeable, making for a very simple data exfiltration mechanism and an interesting method for executing files not physically located on the victim’s endpoint.
The full technical research that includes a detailed analysis of all found components is available on Bitdefender Labs.
Fileless vs. Fileless-Type RDP Tactic
Traditional fileless attacks involve living-off-the-land tools, which run commands or implant payloads directly within memory, and this new RDP share abuse acts in a similar way -- no malicious file is ever written on the victim’s local drive, but is executed within memory if accessed from the share.
For instance, traditional fileless malware involves the use of scripts, such as PowerShell, WMI (Windows Management Instrumentation) or Microsoft Office Macros, usually laced in seemingly benign documents. As these scripts are a series of automation commands executed by legitimate pre-installed tools, they usually dodge traditional scanning solutions.
Built-in Windows tools such as the PowerShell framework can execute payloads directly from memory because they have access to a wide range of Windows system functions. Commonly referred to by security professionals as LOLBins and LOLScripts (living off the land binaries and scripts), these types of attacks allow attackers to use legitimate tools that cannot be blocklisted, and are present in enterprise environments.
This new fileless-type RDP tactic abuses both the legitimate RDP protocol to establish a secure connection to an enterprise environment, and a native network sharing feature that maps an attacker’s folder or drive to the enterprise victim’s local virtual network.
While this fileless RDP attack tactic is interesting for its novelty, Bitdefender researchers also found that the component used in the attack was actually an off-the-shelf multi-purpose tool primarily used to screen victims and drop malicious payloads ranging from ransomware and clipboard stealers to cryptocurrency miners and info-stealing Trojans.
Layered Cybersecurity Involves IoCs and IoAs
The industry term “indicators of compromise” (IoC) refers to forensic evidence that could reveal a cyber attack, while the term “indicators of attack” (IoA) focuses on the intent of the attack. For example, while an IoC can consist of command and control IP address or an MD5 hash, indicators of attack usually involve the use of legitimate tools, in-memory payloads, or even masquerading as legitimate actions by creating file names with common Windows filenames.
Layered security technologies should leverage both IoC and IoA technologies capable of detecting even these new types of fileless-type RDP attacks. For instance, IoC technology layers should involve antimalware engines that can identify malicious payloads, advanced threat control technologies that constantly monitor running processes to ascertain if they become malicious at any point in their entire execution lifetime, and even technologies for spotting in-memory detection for packed files.
In terms of detecting intent, IoA technologies are also referred as EDR technologies. These are tasked with identifying seemingly benign actions such as suspicious command-line interfaces, screen capturing attempts, newly created startup registry keys, and even registry keys manipulation.
The Devil is in the Details
While this recently found ingenious technique employed by threat actors may seem difficult to fend off, IT and security teams can adopt some security recommendations to stay safe.
For example, enabling the “Do not allow drive redirection” policy, located in “Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection”, can foil the infection mechanism for this attack particular attack.
It’s simple misconfigurations, such as these, that usually lead to a full-blown data breach. Fortunately, there are tools that can offer suggestions to address certain tactics, techniques and procedures (TTPs).
The MITRE ATT&CK matrix provides a mechanism to share TTP indicators commonly used by threat actors. Bitdefender’s layered security stack can prevent, detect, and protect against this new fileless-type of RDP attack, and offer comprehensive information in line with the MITRE ATT&CK matrix.
Staying Safe from New Fileless-Type RDP Tactics
By setting Bitdefender’s technologies in reporting-only mode when analyzing specific components used in this recent investigation, we can paint a clear picture of which technologies successfully intervene during each step of the attack chain, for each analyzed malware sample.
For the example, Bitdefender’s antimalware engines detect the multi-purpose tool (worker.exe) that screened victims and dropped malicious payloads, as well as all other dropped payloads.
Multiple different EDR (Endpoint Detection and Response) alerts are also triggered during various stages of execution. These alerts are mapped according to MITRE tactics such as "Command-Line Interface" (T1059), and "Screen Capture" (T1113). For instance, the "Command-Line Interface" tactic is commonly used by threat actors to execute software or applications and can be interacted with locally or remotely via remote desktop services. While not malicious per se, tactics likes these do get reported by EDR as suspicious, as they could be indicative of unauthorized access. Another alert, tagged as "Remote File Copy" (T1105), is particularly interesting as it is triggered by Bitdefender’s Network Attack Defense sensor, also part of EDR. This means that, besides endpoint events, EDR also issues network-related alerts that are considered suspicious or indicative of malicious actions.
When applying the same analysis on a specific clipboard stealer sample (clipboard_stealer_cpp), the EDR module again issues a series of alerts based on the actions performed by the sample. The information provided is again mapped to MITRE tactics: "Modify Registry" (T1112), "Registry Run Keys / Startup Folder" (T1060), "Masquerading" (T1036). The "Modify Registry" (T1112) is also a common tactic employed by threat actors as it implies potential lateral movement or malicious payload concealment within registry entries.
Others malicious samples, such as “clipboard_stealer_intelrapid”, also triggers an EDR alert, such as a "Registry Run Keys / Startup Folder" (T1060). This is also a common persistency tactic, as threat actors manipulate these registry keys to execute remote access tools or malware whenever a user logs in. Sometimes they even try to impersonate legitimate registry keys that belong to legitimate applications, to make sure they’re not detected or arouse any suspicion.
When some ransomware payloads were being executed by threat actors on the network share, multiple antimalware alerts are triggered, including an in-memory detection for packed files and a static detection for the sample, but also a behavioral alert from Bitdefender’s ATC. For example, threat actors commonly use packed files to make it difficult for security researchers to understand the behavior or the instructions within the binary file stored on the disk. Packed files are loaded within memory and instructions are decrypted with an unpacker, leaving no footprint on the disk. Consequently, unpacked instructions are executed by the CPU and traditional security solutions fail to detect them.
What’s more, for some ransomware samples directly executed from the network share, Bitdefender’s sandboxing technology automatically kicks in, detonating it in a controlled environment and preventing the sample from executing on the employee’s endpoint.
Cryptocurrency mining payloads found during the investigation were detected by Bitdefender antimalware engines and ATC technology, as well as by our EDR technology with MITRE alerts such as "Modify Registry" (1112), "Bypass User Account Control" (T1088), and "Registry Run Keys / Startup Folder" (T1060).
For more information about Bitdefender technologies that can help detect both this type of attack as well as detect, prevent, and block and offer visibility into other advanced sophisticated threats, please check out https://www.bitdefender.com/business/enterprise-products/ultra-security.html.