With Windows Remote Desktop Services Hackers Can Own Your Device Without You Even Knowing It

Attackers have found a way to push malware onto PCs over Remote Desktop connections while leaving very little behind on the victim's disk.

New technology is introduced every day to protect user data, but attackers learn and adapt just as quickly, and find new ways to abuse it.

Recently, a wave of attacks has used RDP connections to take over PCs.

Remote Desktop Services (RDP) can map a client's local drives into the remote session, a feature called drive redirection; the mapped drives appear on the Terminal Server as a \\tsclient share with read and write access.

With such a remote connection, bad actors can plant cryptocurrency miners and steal user information while leaving few traces.

Because the payload is executed through the RDP session and runs in memory rather than being installed on the victim's disk, it leaves few forensic footprints behind.

Since February 2018, attackers have delivered a component called 'worker.exe' alongside a cocktail of other malware. It profiles the compromised system and collects the following details:

  • The PC's domain name, the privileges of the logged-on user, and the list of users on the machine.
  • System architecture, CPU model, number of cores, RAM size, and Windows version.
  • Upload and download speed, the local IP address, and the public IP address as reported by the ip-score.com service.
  • The status of specific ports on the host, the default browser, and specific entries in the DNS cache.
  • The existence of specific registry keys and values. The component can also take screenshots and enumerate locally mapped network shares.

According to BC, this 'worker.exe' component has been used to deploy at least three clipboard stealers: MicroClip, DelphiStealer, and IntelRapid.

These clipboard stealers watch the clipboard for a cryptocurrency wallet address and replace it with an attacker-controlled one, so that subsequent payments go to the attacker instead of the intended recipient.

A scoring mechanism makes the swap hard to spot: from a pool of attacker-controlled addresses it picks the one whose first and last characters match the address the victim copied, so a quick glance at the start and end of the pasted address does not reveal the substitution.
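The following PowerShell script is an added example, not code from the article or from any of the stealers it names. It reconstructs the "matching start and end" selection described above from the attacker's side and places it next to the only check that defeats it, a full ordinal comparison of the whole address. All addresses in it are constructed strings in a Bitcoin-like format, not real wallets, and the scoring (leading matches plus trailing matches) is an assumed approximation of what such a stealer does.

```powershell
# Added example (not from the article or the malware it describes): how a
# clipboard stealer picks a lookalike address, and why only an exact
# comparison of the full string catches the swap.
# Every address below is a constructed sample string, not a real wallet.

function Get-SharedPrefixLength([string]$a, [string]$b) {
    # Number of identical leading characters (case-sensitive: wallet
    # addresses are case-sensitive, so -ceq rather than -eq).
    $n = 0
    while ($n -lt $a.Length -and $n -lt $b.Length -and ($a[$n] -ceq $b[$n])) { $n++ }
    return $n
}

function Get-SharedSuffixLength([string]$a, [string]$b) {
    # Same idea from the end: reverse both strings and reuse the prefix count.
    $ca = $a.ToCharArray(); [array]::Reverse($ca)
    $cb = $b.ToCharArray(); [array]::Reverse($cb)
    return Get-SharedPrefixLength (-join $ca) (-join $cb)
}

function Select-LookalikeAddress([string]$victim, [string[]]$pool) {
    # The stealer's side (assumed scoring): choose the attacker address whose
    # start and end best match what the victim just copied, because most
    # wallet UIs and most people only eyeball the first and last few characters.
    $pool |
        ForEach-Object {
            [pscustomobject]@{
                Address = $_
                Score   = (Get-SharedPrefixLength $victim $_) + (Get-SharedSuffixLength $victim $_)
            }
        } |
        Sort-Object Score -Descending |
        Select-Object -First 1
}

function Test-AddressIntact([string]$copied, [string]$pasted) {
    # The defender's side: a lookalike cannot pass a full, exact comparison.
    return [string]::Equals($copied, $pasted, [System.StringComparison]::Ordinal)
}

# Constructed sample data (not real wallets).
$victim = '1K7Q9xCabHWc4e5bTfR8uLm2NdZpY3sVq9'
$attackerPool = @(
    '1Bz4mNoQ8pRtXvK2sLdFgHjW7eYcUaTiE5',  # shares only the leading "1"   -> score 1
    '1K7Q9xZmT4rN8cVbP2sWdL6uXgJaY3sVq9',  # 6 leading + 6 trailing match  -> score 12
    '1K7QWeR2tYuI9oPaSdF3gH5jKlZxCvBnM4'   # 4 leading, nothing trailing    -> score 4
)

$chosen = Select-LookalikeAddress $victim $attackerPool
"Victim copied : $victim"
"Stealer pastes: $($chosen.Address)  (score $($chosen.Score))"
"At a glance   : $($victim.Substring(0, 6)) ... $($victim.Substring($victim.Length - 6)) on both"
"Exact match   : $(Test-AddressIntact $victim $chosen.Address)"   # False: the swap is caught
```

The practical takeaway for users is in the last two lines: the start and end of the two addresses are identical, so a visual check passes, while the ordinal comparison fails. Before sending funds, compare the entire pasted address against the one you copied (or against the recipient's address shown out of band), not just its ends.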

By one estimate, the clipboard stealers have netted around $150,000 from victims, and the real figure is likely higher.

The component has also been used to deploy ransomware, including Rapid, Rapid 2.0 and Nemty.

XMRig-based Monero cryptocurrency miners were also delivered through it.

Since 2018, 'worker.exe' has also been used to drop the AZORult information stealer.

If you are concerned about being exposed to this, you can protect yourself from such attacks by disabling drive redirection through Group Policy (the policy is named "Do not allow drive redirection"; note that it must be enabled to block redirection).

As a precaution, follow this path in the Computer Configuration section of the Group Policy editor:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection, then enable "Do not allow drive redirection". Doing so removes the channel this component relies on, which matters because these attackers are not targeting any specific category of victim but are reaching as many machines as they can.
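The PowerShell below is an added example for applying and verifying the setting above on a single host; it is not from the article. It writes the registry values that back the "Do not allow drive redirection" and "Do not allow Clipboard redirection" policies from the same "Device and Resource Redirection" folder, and assumes local administrator rights. On a domain-joined machine the equivalent change belongs in the GPO, since the next policy refresh will overwrite values set locally.

```powershell
# Added example (not from the article): audit and enforce the RDP
# "Device and Resource Redirection" policies, then verify the result.
# Assumes local administrator rights. On domain-joined hosts set these in
# Group Policy instead; local values are overwritten at the next refresh.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry-backed equivalents of the policies under
# Computer Configuration > Administrative Templates > Windows Components >
# Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
$Policies = @{
    fDisableCdm  = 'Do not allow drive redirection'      # blocks the \\tsclient\<drive> shares
    fDisableClip = 'Do not allow Clipboard redirection'  # blocks clipboard sync with the client
}

function Get-RdpRedirectionState {
    # One object per policy. A missing value means "Not Configured", and the
    # default in that case is that redirection is ALLOWED.
    foreach ($name in $Policies.Keys) {
        $value = $null
        if (Test-Path $PolicyKey) {
            $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Policy    = $Policies[$name]
            ValueName = $name
            Value     = $value
            Enforced  = ($value -eq 1)
        }
    }
}

function Set-RdpRedirectionDisabled {
    # Enables both "Do not allow ..." policies (DWORD 1 = redirection blocked).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Policies.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

'Before:'; Get-RdpRedirectionState | Format-Table -AutoSize
Set-RdpRedirectionDisabled
'After:';  Get-RdpRedirectionState | Format-Table -AutoSize

# The policy applies to new connections; sessions that already have drives
# redirected keep them until they reconnect. Run this block from inside a
# fresh RDP session whose client shared its C: drive, and it should print False.
if ($env:SESSIONNAME -like 'RDP-*') {
    "Client C: drive reachable via \\tsclient\C: $(Test-Path '\\tsclient\C')"
}
```

Blocking clipboard redirection as well is optional but closes the other channel a stealer running on the session host could use against a connecting client; weigh it against the convenience cost for legitimate administrators. Neither setting stops an attacker who already holds valid RDP credentials, so it belongs alongside strong passwords, MFA, and not exposing RDP directly to the internet.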
