home.social

#rdpwrapper — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #rdpwrapper, aggregated by home.social.

  1. Good day everyone!

    The wonderful researchers at AhnLab, Inc. Security Intelligence Center (ASEC) publishes their findings on recent attacks they observed coming from the #Kimsuky group. The APT group delivered malicious .LNK files through spear-phishing attacks and these files contained the company's they were targeting names, which would suggested this was a targeted attack. As the attack progressed, the #PebbleDash backdoor and a custom version of #RDPWrapper (which is a software that enabled remote desktop on systems that may not support Windows Native RDP).

    Behavior Summary (With MITRE ATT&CK):
    Initial Access:
    Phishing: Spearphishing Attachment (T1566.001) - Kimsuky delivered their malicious .LNK files through email.

    Execution:
    Comand and Scripting Interpreter: Powershell (T1059.001) - When the LNK file is executed, a powershell (or mshta.exe) is executed to download and execute addtional payloads from external sources.

    Defense Evasion:
    System Binary Proxy Execution: Mshta (T1218.005) - When the LNK file is executed it could lead to mshta executed to download and execute addtional payloads from external sources.

    Masquerading: Masquerade File Type (T1036.008) - The .LNK files are disguised as a document file with an Office document icon such as PDF, Excel, or Word.

    Collection/Credential Access:
    Input Capture: Keylogging (T1056.001)
    The APT group used a powershell script to perform keylogging and also installs keyloggers in executable file format.

    You know the drill! Go check out the article for a lot more technical details! Enjoy and Happy Hunting!

    Persistent Threats from the Kimsuky Group Using RDP Wrapper
    asec.ahnlab.com/en/86098/

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday