A new malware family targets RDP servers with weak security.
Trojan.sysscan, discovered by security firm GuardiCore, is a backdoor Trojan that collects data from compromised hosts and exfiltrates it to an attacker's remote server.
Targeted systems are infected after the attacker scans the Internet for open RDP ports and brute-forces them using common username and password combinations.
Poorly secured servers are the optimal targets, and because RDP servers are commonly found in medium-to-large enterprise networks, those networks have the greatest exposure to this new threat.
The new Trojan is written in Delphi and supports dumping passwords from locally installed applications such as browsers, databases, and PoS software, said researchers at GuardiCore.
The Trojan contains specific functions to target credentials used for accounts on banking, gambling and tax websites. It will also target and steal browser cookie files.
The Trojan sets up a hidden administrator account on compromised systems to persist across reboots and makes sure to leave RDP open for future connections.
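The brute-force entry and the new administrator account described above leave a recognizable trail in the Windows Security log. The following detector is an added example, not code from the article, GuardiCore or the malware: it runs a correlation rule over constructed, simplified event records (real event IDs, but not raw EVTX; the IP addresses, account names and logon IDs are made up) and flags a source that produced a burst of failed RDP logons, then logged in over RDP, and whose logon session created a new account and added it to Administrators.

```python
# Added example (constructed data, not from the article or GuardiCore). Real event IDs:
# 4625 failed logon, 4624 successful logon (carries TargetLogonId), 4720 user account
# created, 4732 member added to local group (both carry SubjectLogonId).
# Logon type 10 = RemoteInteractive, i.e. RDP.
from collections import Counter

SAMPLE_EVENTS = (
    # constructed: six failed RDP logons with common names from one source
    [{"id": 4625, "src": "198.51.100.7", "logon_type": 10, "user": u}
     for u in ("administrator", "admin", "user", "test", "guest", "administrator")]
    + [  # constructed: the same source succeeds, then its session creates a new admin
        {"id": 4624, "src": "198.51.100.7", "logon_type": 10, "user": "administrator",
         "logon_id": "0x3e7a1"},
        {"id": 4720, "subject_logon_id": "0x3e7a1", "user": "svc_sys$"},
        {"id": 4732, "subject_logon_id": "0x3e7a1", "user": "svc_sys$",
         "group": "Administrators"},
        # constructed benign noise: one mistyped password from another host, and an
        # admin created from a local console session that never brute-forced anything
        {"id": 4625, "src": "203.0.113.9", "logon_type": 10, "user": "bob"},
        {"id": 4624, "src": "127.0.0.1", "logon_type": 2, "user": "bob", "logon_id": "0x5c0"},
        {"id": 4720, "subject_logon_id": "0x5c0", "user": "helpdesk"},
        {"id": 4732, "subject_logon_id": "0x5c0", "user": "helpdesk", "group": "Administrators"},
    ]
)

def brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed RDP (logon type 10) logons."""
    c = Counter(e["src"] for e in events if e["id"] == 4625 and e["logon_type"] == 10)
    return {src for src, n in c.items() if n >= threshold}

def new_admins_by_session(events):
    """Map SubjectLogonId -> accounts that session both created and made Administrators."""
    created = {(e["subject_logon_id"], e["user"]) for e in events if e["id"] == 4720}
    out = {}
    for e in events:
        if (e["id"] == 4732 and e["group"] == "Administrators"
                and (e["subject_logon_id"], e["user"]) in created):
            out.setdefault(e["subject_logon_id"], set()).add(e["user"])
    return out

def detect(events, threshold=5):
    """Return sorted (source_ip, new_admin_account) pairs matching the whole chain."""
    sources = brute_force_sources(events, threshold)
    # successful RDP sessions from a brute-forcing source, keyed by TargetLogonId
    src_by_session = {e["logon_id"]: e["src"] for e in events
                      if e["id"] == 4624 and e["logon_type"] == 10 and e["src"] in sources}
    return sorted((src_by_session[s], u) for s, users in new_admins_by_session(events).items()
                  if s in src_by_session for u in users)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # [('198.51.100.7', 'svc_sys$')]
```

Correlating on the logon ID rather than on the source address matters because 4720 and 4732 carry no network address of their own; only the session that issued them ties the account creation back to the RDP brute force.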
Trojan.sysscan contains code to detect when it is running inside a sandbox environment or a virtual machine, said GuardiCore. Nevertheless, the Trojan only detects the presence of these environments and takes no action to stop execution or hide its activity.
The data the Trojan collects is sent to a remote server in an unencrypted HTTP request. If the transfer fails, the attacker often logs in via RDP and copies the data manually.