Threat actors are using the Remote Desktop Protocol (RDP) to gain unauthorized access to networks, fully control systems, extract sensitive data, and implant malware. The recent discovery of the MultiRDP malware by ASEC cybersecurity researchers has revealed that this malware allows multiple attackers to connect via RDP by modifying system memory, posing significant risks to targeted systems. This revelation underscores the evolving tactics of cyber attackers and the need for enhanced cybersecurity measures.
MultiRDP malware is a tool that allows multiple simultaneous RDP connections to a single system. It appeared recently and has been used by various threat actors to facilitate unauthorized access and control over targeted networks. The malware modifies system memory so that more than one RDP session can be active at once, making it easier for several attackers to work on a compromised host together and carry out complex attacks without being detected. This tool has been particularly detrimental to businesses and organizations that rely heavily on RDP for remote access and management of their IT infrastructure.
ASEC’s recent findings indicate that the attacks linked to MultiRDP malware were first identified in November 2023. They were initially associated with the Kimsuky group but exhibited distinct characteristics, such as using software updaters for lateral movement and deploying Andariel’s DurianBeacon backdoor. These attacks resumed in February 2024, with the final payload being replaced by the SmallTiger downloader, demonstrating a shift in tactics by the threat actors.
MultiRDP Malware Tactics
The MultiRDP malware attacks involved dropping a service named “mozillasvcone” through software updater programs, which then loaded an encrypted DLL. This DLL decrypted and executed additional files directly in memory, deploying an updated edition of the DurianBeacon RAT. The multistage infection process indicated evolving techniques, combining unknown delivery mechanisms with familiar malware families such as DurianBeacon and SmallTiger. The attackers utilized Mimikatz and ProcDump for credential theft, further complicating the threat landscape.
ASEC confirmed that SmallTiger malware was actively distributed in November 2023, with ongoing attacks targeting South Korean companies. The same threat actor exploited different software vulnerabilities to deploy the SmallTiger downloader malware, which downloaded and executed subsequent payloads in memory. The attackers also used GitHub for distributing SmallTiger in May 2024, highlighting the persistent and adaptive nature of these cyber threats.
Key Inferences from the Findings
– MultiRDP malware allows multiple simultaneous RDP connections by modifying system memory.
– The use of known malware strains like DurianBeacon and SmallTiger points to adaptive threat actor tactics.
– Credential theft via tools like Mimikatz and ProcDump complicates the cybersecurity landscape.
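The two behaviours the article reports, a dropped service named “mozillasvcone” and more than one RDP session active on the same host at once, are both visible in ordinary Windows event logs. The script below is an added example written for this page; it is not code from ASEC or from the article. It replays constructed Windows System (Event ID 7045, service installed) and Security (4624 logon / 4634 logoff, logon type 10 = RDP) records and raises an alert for either behaviour. The event field names and the sample records are assumptions standing in for whatever SIEM or EVTX export a team actually has.

```python
"""Detection of the two MultiRDP indicators the article names, run over
constructed Windows event records (added example, not the report's code).

  1. System log 7045 events whose service name is "mozillasvcone".
  2. Security 4624/4634 events with logon type 10 (RemoteInteractive,
     i.e. RDP). A stock Windows client permits only one interactive RDP
     session at a time, so a second concurrent type-10 session on a
     workstation is the observable effect of the memory patching the
     article describes.

Field names (ts, host, event_id, logon_type, logon_id, ...) are an assumed
normalised layout, not a specific product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

SUSPICIOUS_SERVICE_NAMES = {"mozillasvcone"}   # service name from the article
RDP_LOGON_TYPE = 10                             # 4624 LogonType for RDP


@dataclass
class Alert:
    host: str
    reason: str
    detail: str


def detect_service_install(events):
    """Flag 7045 (service installed) events with a known-bad service name."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        if ev.get("service_name", "").lower() in SUSPICIOUS_SERVICE_NAMES:
            alerts.append(Alert(ev["host"], "suspicious_service",
                                f"{ev['service_name']} -> {ev.get('image_path', '?')}"))
    return alerts


def detect_concurrent_rdp(events, max_sessions=1):
    """Replay 4624/4634 in time order, tracking live RDP sessions per host.

    A host is flagged (once) when its number of simultaneously live
    type-10 sessions exceeds max_sessions.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    live = defaultdict(dict)   # host -> {logon_id: (user, source_ip)}
    flagged = set()
    alerts = []
    for ev in ordered:
        host = ev["host"]
        eid = ev.get("event_id")
        if eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            live[host][ev["logon_id"]] = (ev["user"], ev.get("source_ip", "?"))
            if len(live[host]) > max_sessions and host not in flagged:
                flagged.add(host)
                sessions = ", ".join(f"{u}@{ip}" for u, ip in live[host].values())
                alerts.append(Alert(host, "concurrent_rdp", sessions))
        elif eid == 4634:
            # Logoff carries the Logon ID of the session that ended.
            live[host].pop(ev.get("logon_id"), None)
    return alerts


def run_detections(events):
    return detect_service_install(events) + detect_concurrent_rdp(events)


# Constructed sample telemetry: WS-01 gets the dropped service and then two
# overlapping RDP sessions; WS-02 has two RDP sessions that do not overlap.
# The image path is a made-up placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS-01", "event_id": 7045, "service_name": "mozillasvcone",
     "image_path": "C:\\ProgramData\\placeholder\\loader.exe"},
    {"ts": 2, "host": "WS-01", "event_id": 4624, "logon_type": 10,
     "logon_id": "0x1a2b", "user": "alice", "source_ip": "10.0.0.5"},
    {"ts": 3, "host": "WS-01", "event_id": 4624, "logon_type": 10,
     "logon_id": "0x3c4d", "user": "svc_admin", "source_ip": "203.0.113.7"},
    {"ts": 4, "host": "WS-02", "event_id": 4624, "logon_type": 10,
     "logon_id": "0x5e6f", "user": "bob", "source_ip": "10.0.0.9"},
    {"ts": 5, "host": "WS-02", "event_id": 4634, "logon_id": "0x5e6f"},
    {"ts": 6, "host": "WS-02", "event_id": 4624, "logon_type": 10,
     "logon_id": "0x7a8b", "user": "bob", "source_ip": "10.0.0.9"},
    {"ts": 7, "host": "WS-01", "event_id": 4624, "logon_type": 3,   # network logon, ignored
     "logon_id": "0x9c9d", "user": "alice"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.reason}] {a.host}: {a.detail}")
```

Because MultiRDP patches memory rather than the RDP binaries on disk, a file-integrity check alone will not expose it; correlating session counts per host against what the platform normally allows, as above, is the check that does. Servers licensed for multiple RDP sessions should be given a higher max_sessions or excluded so the rule does not fire on legitimate use.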
The evolving threat landscape necessitates a robust response from cybersecurity professionals and organizations. Companies must enhance their security monitoring and implement timely vulnerability patches to mitigate the risks posed by advanced malware like MultiRDP. Ensuring the latest updates for operating systems, browsers, and security software is crucial in preventing infections and safeguarding sensitive data. Additionally, maintaining vigilance against suspicious email attachments and downloaded executables can help reduce the risk of malware infiltration.