Malware & Ransomware | HIGH

Russian Hackers Exploit CTRL Toolkit for RDP Hijacking

Cyber Security News
Tags: CTRL, RDP Hijacking, Censys ARC, Remote Access Toolkit, Windows Credential Theft

Basically, Russian hackers are using a new tool to take control of computers remotely and steal passwords.

Quick Summary

Russian hackers are leveraging a new malware toolkit called CTRL to hijack RDP sessions and steal credentials. This poses a serious risk to organizations using remote access. Stay informed and protect your systems against this evolving threat.

What Happened

A newly identified remote access toolkit named CTRL is being used by Russian hackers to hijack Remote Desktop Protocol (RDP) sessions. This malware, discovered by Censys ARC, utilizes a custom .NET framework that integrates various attack techniques including phishing, keylogging, and reverse tunneling. The toolkit was found during an open directory scan, where researchers uncovered a malicious LNK file and several .NET payloads linked to the domain hui228[.]ru.

The CTRL toolkit is notable for its sophisticated design, specifically tailored for modern Windows systems. This indicates that the malware is actively being developed and refined. The initial attack vector involves a weaponized shortcut file disguised as a folder, which, when opened, executes hidden PowerShell code to load the malware into memory without leaving obvious traces.

Who's Being Targeted

Organizations that rely on RDP for remote access are particularly vulnerable to this attack. The malware allows attackers to gain unauthorized access to Windows systems, enabling them to steal sensitive credentials and maintain long-term access. The Censys ARC report highlights that the toolkit has not been widely distributed, suggesting it may be used selectively against high-value targets.

The operation is linked to a Russian-speaking developer, as indicated by the presence of Russian-language strings and specific development artifacts. This connection raises concerns about the potential for state-sponsored cyber espionage, as the toolkit's capabilities align with the tactics used in advanced persistent threat (APT) operations.

Signs of Infection

Once installed, CTRL provides attackers with hidden RDP access. It modifies the termsrv.dll file and installs RDP Wrapper, enabling concurrent remote desktop sessions without alerting the victim. Additionally, the malware includes a fake Windows Hello PIN prompt that mimics the real interface, tricking users into entering their credentials.

The toolkit also features a background keylogger and utilizes a named pipe for command execution, allowing attackers to control the infected system through the compromised RDP session. This stealthy approach minimizes network visibility, as the malware employs Fast Reverse Proxy (FRP) to establish reverse tunnels back to the attacker's infrastructure, avoiding traditional command-and-control patterns.

How to Protect Yourself

To defend against this sophisticated malware, organizations should monitor for unusual activities, such as unexpected scheduled tasks or registry modifications related to Explorer. Key indicators of compromise include:

  • Malicious registry entries in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer.
  • Suspicious files like C:\Temp\keylog.txt for keystroke logs.
  • Outbound traffic to the identified IPs and domain.
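The read-only PowerShell triage function below is an added example written for this page; it is not code from the article or from the Censys ARC report. It checks a single Windows host for the artefacts the article names (a tampered termsrv.dll, RDP Wrapper, the Explorer registry key, C:\Temp\keylog.txt, and scheduled tasks that launch PowerShell) and adds a concurrent-session count. The RDP Wrapper install path, the TermService ServiceDll check and the suspicious-string pattern are assumptions about typical deployments, not indicators taken from the report.

```powershell
function Invoke-CtrlTriage {
    # Added host-triage example; run elevated. Read-only: it only reports, never changes anything.
    [CmdletBinding()]
    param(
        # Paths the article names:
        [string]$ExplorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',
        [string]$KeylogPath  = 'C:\Temp\keylog.txt',
        # Assumption: RDP Wrapper's usual default install location, not from the report.
        [string]$WrapperDll  = 'C:\Program Files\RDP Wrapper\rdpwrap.dll'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. termsrv.dll integrity: a patched binary no longer carries a valid Microsoft (catalog) signature.
    $termsrv = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $sig = Get-AuthenticodeSignature -FilePath $termsrv
    if ($sig.Status -ne 'Valid') {
        $findings.Add("termsrv.dll signature status is '$($sig.Status)', expected 'Valid' (possible patched copy)")
    }

    # 2. RDP Wrapper: assumption that it redirects TermService's ServiceDll away from termsrv.dll.
    $svcParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $serviceDll = (Get-ItemProperty -Path $svcParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll -and $serviceDll -notmatch '\\termsrv\.dll$') {
        $findings.Add("TermService ServiceDll points to '$serviceDll' instead of termsrv.dll")
    }
    if (Test-Path $WrapperDll) {
        $findings.Add("RDP Wrapper library present at $WrapperDll")
    }

    # 3. Explorer registry key: flag values whose data launches a script host or points into Temp/AppData.
    #    The pattern is a generic heuristic (assumption), not the malware's actual value names.
    $suspicious = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|\\Temp\\|\\AppData\\'
    $props = Get-ItemProperty -Path $ExplorerKey -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $suspicious } |
            ForEach-Object { $findings.Add("Explorer value '$($_.Name)' = '$($_.Value)'") }
    }

    # 4. Keystroke log the article names.
    if (Test-Path $KeylogPath) {
        $findings.Add("Keylog file present: $KeylogPath")
    }

    # 5. Scheduled tasks that start PowerShell with hidden/encoded/bypass switches.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell|pwsh' -and
                $a.Arguments -match '-enc|-w(indowstyle)?\s+hidden|-nop|bypass') {
                $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)")
            }
        }
    }

    # 6. More than one active interactive session on a workstation hints at a concurrent (wrapped) RDP logon.
    $active = @(quser 2>$null | Select-String -Pattern '\sActive\s').Count
    if ($active -gt 1) {
        $findings.Add("$active concurrent active sessions (review for unexpected RDP logons)")
    }

    return $findings
}

# Usage: print every finding; an empty result means none of the checks fired.
Invoke-CtrlTriage | ForEach-Object { Write-Output $_ }
```

Treat the output as leads for a baseline comparison rather than a verdict: a legitimate RDP Wrapper install or an administrator's own scheduled task will trigger the same checks, and the Explorer key heuristic is deliberately broad.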

Security teams should also implement strict access controls for RDP, regularly update systems, and educate users about phishing tactics. By staying vigilant and proactive, organizations can mitigate the risks associated with the CTRL malware and protect their sensitive information.

🔒 Pro insight: The CTRL toolkit's stealthy design and RDP hijacking capabilities suggest a shift towards more targeted cyber operations against critical infrastructure.

Original article from: Cyber Security News · Abinaya
