040. Kimsuky Abuses RDP Wrapper in a Recent Campaign
Hello everyone! I'm sure you have at least heard of the Kimsuky group (we track this activity cluster under the name Monolithic Werewolf). According to AhnLab, in a recent campaign the adversary started to use a custom-made RDP Wrapper.
The threat actors use RDP Wrapper to enable concurrent RDP connections to the compromised system.
Of course, this utility offers plenty of detection opportunities. For example, its metadata contains a few interesting strings: "RDPWInst.exe", "RDPWInst", "RDP Wrapper Library Installer", etc.
Next, it creates an "RDP Wrapper" folder and drops two files there: "rdpwrap.ini" and "rdpwrap.dll".
It also sets the HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll value to "%ProgramFiles%\RDP Wrapper\rdpwrap.dll".
It's not the first time an adversary uses this tool, so make sure you can detect such activity!
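As an added illustration (not part of the original post or of AhnLab's report), here is detection logic for the three artefacts above, run over a handful of constructed Sysmon-style events: process metadata strings, the dropped rdpwrap.dll/rdpwrap.ini files, and a TermService ServiceDll value that no longer points at the stock %SystemRoot%\System32\termsrv.dll. The event shape is a simplified dict, not real Sysmon XML.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (id 1 = process create,
# id 11 = file create, id 13 = registry value set). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\Public\RDPWInst.exe",
     "description": "RDP Wrapper Library Installer", "original_file_name": "RDPWInst.exe"},
    {"id": 11, "target": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"id": 11, "target": r"C:\Program Files\RDP Wrapper\rdpwrap.ini"},
    {"id": 13, "key": r"HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll",
     "value": r"%ProgramFiles%\RDP Wrapper\rdpwrap.dll"},
    {"id": 13, "key": r"HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\termsrv.dll"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "description": "Host Process for Windows Services", "original_file_name": "svchost.exe"},
]

METADATA_MARKERS = ("rdpwinst", "rdp wrapper library installer")
DROPPED_FILES = ("rdpwrap.dll", "rdpwrap.ini")
# Match ServiceDll under any control set, since ControlSet001 and CurrentControlSet alias each other.
SERVICEDLL_KEY = re.compile(r"\\services\\TermService\\Parameters\\ServiceDll$", re.IGNORECASE)
# The stock value on Windows; anything else under TermService\Parameters\ServiceDll is suspicious.
LEGIT_SERVICEDLL = re.compile(r"^%SystemRoot%\\System32\\termsrv\.dll$", re.IGNORECASE)


def check_event(event):
    """Return a finding string if the event matches an RDP Wrapper artefact, else None."""
    eid = event.get("id")
    if eid == 1:
        fields = " ".join(str(event.get(k, "")) for k in ("image", "description", "original_file_name")).lower()
        if any(marker in fields for marker in METADATA_MARKERS):
            return "process_metadata: " + event["image"]
    elif eid == 11:
        target = event.get("target", "")
        if target.lower().rsplit("\\", 1)[-1] in DROPPED_FILES:
            return "file_drop: " + target
    elif eid == 13:
        if SERVICEDLL_KEY.search(event.get("key", "")) and not LEGIT_SERVICEDLL.match(event.get("value", "")):
            return "servicedll_hijack: " + event["value"]
    return None


def detect_rdp_wrapper(events):
    """Run check_event over a stream of events and keep only the findings."""
    return [finding for finding in (check_event(e) for e in events) if finding]


if __name__ == "__main__":
    for finding in detect_rdp_wrapper(SAMPLE_EVENTS):
        print(finding)
```

The ServiceDll check is the most durable of the three, since a renamed installer or relocated folder still has to point TermService at a non-default DLL.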
See you tomorrow!