
Windows Remote Desktop Services Used for Fileless Malware Attacks

Threat actors breaching company networks are deploying a cornucopia of malware over the remote desktop protocol (RDP), without leaving a trace on target hosts.

Cryptocurrency miners, info-stealers, and ransomware are executed in RAM using a remote connection, which also serves for exfiltrating useful information from compromised machines.

Exploiting Windows RDS features

The attackers leveraged a feature in Windows Remote Desktop Services that allows a client to share local drives to a Terminal Server with read and write permissions.

These drives appear on the server as a share on a virtual network location called 'tsclient' followed by the letter of the drive and can be mapped locally.


The feature has been around for a long time, and properly explained what happens when a user connects to the server and runs an application.

Access to the resources shared this way is possible through RDP and no trace is left on the client machine's disk as applications execute in memory. When an RDP session terminates, so do associated processes and memory is typically released.


Toward the end of the article is the following "tidbit" that brute force attacks are only one of many ways local access can be gained:


Original point of compromise

From their findings, the researchers could not work out how the attacker gained access to the network in the first place or how they managed to plant 'worker.exe' on the 'tsclient' share.

Also a mystery is how the adversary got valid RDP credentials to access a victim host; bruteforcing being one possibility.

It is important to note that professional network intruders that break into the digital perimeter of a company often advertise their access on underground forums.

Cybercriminals interested in any of the targets can pay between a few hundred USD to thousands and more for access, or to have their malware dropped.

This is a typical scenario for ransomware affiliates who many times partner with such access-as-a-service providers to get to large targets that can be asked to pay a higher ransom to have their files decrypted.


Edited by itman
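Added example (not from the post or the article it quotes): a small detection check in Python that scans process-creation records for images or command lines pointing at the redirected client drive share ('\\tsclient\X'), which is the path the article says 'worker.exe' was launched from. The field names follow Sysmon Event ID 1 conventions and the records themselves are constructed for this example.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style field names).
# Values are made up for this example, not taken from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM", "LogonId": "0x3e7"},
    {"Image": r"\\tsclient\C\worker.exe",
     "CommandLine": r"\\tsclient\C\worker.exe",
     "User": r"CORP\jdoe", "LogonId": "0x5a1c3"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c \\TSCLIENT\D\tools\run.bat",
     "User": r"CORP\jdoe", "LogonId": "0x5a1c3"},
    {"Image": r"C:\Program Files\App\app.exe",
     "CommandLine": "app.exe --tsclient-mode",   # benign: not a UNC path
     "User": r"CORP\jdoe", "LogonId": "0x5a1c3"},
]

# UNC spellings that resolve to a redirected client drive: \\tsclient\X\...,
# //tsclient/X/..., and the long-path form \\?\UNC\tsclient\X\... (case-insensitive).
_TSCLIENT_RE = re.compile(r"(?i)(?:\\\\\?\\UNC\\|\\\\|//)tsclient[\\/]")


def references_tsclient(text: str) -> bool:
    """True if a path or command line points at a tsclient (client drive) share."""
    return bool(_TSCLIENT_RE.search(text))


def flag_tsclient_executions(events):
    """Return (event, reason) pairs for records that launch a binary from, or pass
    arguments referring to, a drive redirected over RDP."""
    hits = []
    for ev in events:
        if references_tsclient(ev.get("Image", "")):
            hits.append((ev, "image loaded from tsclient share"))
        elif references_tsclient(ev.get("CommandLine", "")):
            hits.append((ev, "command line references tsclient share"))
    return hits


def sessions_with_tsclient_activity(events):
    """Logon IDs (one per RDP session) showing any tsclient execution, for pivoting
    to the session's other process, logon and network events."""
    return sorted({ev["LogonId"] for ev, _ in flag_tsclient_executions(events)})


if __name__ == "__main__":
    for ev, reason in flag_tsclient_executions(SAMPLE_EVENTS):
        print(f"{reason}: {ev['User']} {ev['CommandLine']}")
```

Because the binary never touches the server's disk, a process-creation event with a '\\tsclient\' image path is often the only host-side artifact, so the check is worth running over historical logs as well as live telemetry.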