PandaLabs has recently detected an attack targeting a company in Hungary which did not use any malware as such, but scripts and other tools belonging to the operating system itself in order to bypass scanners.
The attack starts with the attackers launching a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they get the computer's login credentials, they have complete access to it.
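The brute-force phase above leaves a trail in the Windows Security log long before any credentials are obtained: a burst of failed logons (event ID 4625) from one source address, followed by a success (4624) from the same address. The example below is added here and is not part of the article or of Panda's tooling; it runs a sliding-window detector over constructed event records (the `SAMPLE_EVENTS` list, the IP addresses, user names and timestamps are all made up for the demonstration) and raises one alert when the failure threshold is crossed and a second when a successful logon follows from the flagged source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FAILED_LOGON = 4625   # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security event: an account was successfully logged on
# 10 = RemoteInteractive (RDP). 3 = Network, which is how failed NLA pre-authentication
# attempts are recorded, so both are relevant when hunting RDP password guessing.
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return alerts for sources that hit `threshold` failed RDP logons inside `window`,
    plus a follow-up alert if that source then logs on successfully."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ev["time"])
            # Drop failures that fell out of the window.
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "source_ip": ip,
                               "failures": len(q), "time": ev["time"]})
        elif ev["event_id"] == SUCCESS_LOGON and ip in flagged:
            # A success after a guessing burst is the signal that matters most:
            # the password was probably found.
            alerts.append({"type": "success_after_bruteforce", "source_ip": ip,
                           "user": ev["user"], "time": ev["time"]})
    return alerts


# ---- constructed sample data (not real log data) ----
BASE = datetime(2017, 1, 10, 3, 0)


def _ev(minute: float, event_id: int, ip: str, user: str, logon_type: int = 10) -> dict:
    return {"time": BASE + timedelta(minutes=minute), "event_id": event_id,
            "source_ip": ip, "user": user, "logon_type": logon_type}


SAMPLE_EVENTS = [
    _ev(0.0, 4625, "203.0.113.45", "administrator"),
    _ev(0.5, 4625, "203.0.113.45", "admin"),
    _ev(1.0, 4625, "203.0.113.45", "administrator"),
    _ev(1.5, 4625, "203.0.113.45", "root"),
    _ev(2.0, 4625, "203.0.113.45", "administrator"),
    _ev(2.5, 4625, "203.0.113.45", "administrator"),
    _ev(3.0, 4624, "203.0.113.45", "administrator"),  # guess succeeded
    _ev(4.0, 4625, "192.0.2.10", "jsmith"),            # a single typo by a real user
    _ev(30.0, 4624, "192.0.2.10", "jsmith"),
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On a real host the same records come from `Get-WinEvent -LogName Security` or a SIEM export; only the field extraction changes, the detection logic does not.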
Then, the first thing that the attackers do is run the sethc.exe file with the parameter 211 from the computer's Command Prompt window (CMD). This turns on the system's “Sticky Keys” feature.
Next, a program called “Traffic Spirit” is downloaded and run. “Traffic Spirit” is a traffic generator application which in this case is used to make extra money out of the compromised computers.
Then, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:
The attackers then proceed to run the Windows registry editor (Regedit.exe) to add a key contained in the registery.reg file.
This key aims at ensuring that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat gets run. This is a batch file that implements a very simple authentication system.
Running the file displays a login window, and the username and password are obtained from two variables included in the sys.bat file.
This way, the attacker installs a backdoor on the affected machine. With this backdoor, the attacker can connect to the targeted computer without entering its login credentials: they simply enable the Sticky Keys feature (for example, by pressing the SHIFT key five times) and enter the backdoor's own username and password to open a command shell.
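The article says the imported registry key makes SCracker.bat run whenever sethc.exe is invoked, but it does not name the key. The usual way to obtain that behaviour is an Image File Execution Options (IFEO) `Debugger` value for the target executable, which Windows honours even on the logon screen, so the check below assumes that mechanism. It is an added example, not code from the article or from Panda: it parses a `.reg` export and flags any IFEO `Debugger` entry on sethc.exe or, going slightly beyond the article, on the other accessibility helpers Windows launches before a user has authenticated. `SAMPLE_REG`, including the file path it contains, is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Accessibility helpers reachable from the logon screen. sethc.exe is the one in the
# article; the rest are the siblings a defender checks at the same time.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe", "displayswitch.exe",
}

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STR_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def _unescape(value: str) -> str:
    """Undo the escaping .reg files apply to string values (\\\" and \\\\)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {value name: value}}.
    dword:/hex: values are skipped; they are not needed for this check."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unescape(m.group("value"))
    return keys


def find_ifeo_hijacks(text: str) -> List[Tuple[str, str]]:
    """Return (hijacked binary, command) pairs for every accessibility binary that has
    an IFEO 'Debugger' value, meaning that command runs in its place."""
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        if target not in ACCESSIBILITY_BINARIES:
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                hits.append((target, value))
    return hits


# ---- constructed sample export (not the attackers' file) ----
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

if __name__ == "__main__":
    for binary, command in find_ifeo_hijacks(SAMPLE_REG):
        print(f"IFEO hijack: {binary} -> {command}")
```

To run it against a live machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE. Any hit on an accessibility binary deserves a look; legitimate software almost never registers a debugger for these.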
The command shell shortcuts will allow the attacker to access certain directories, change the console color, and make use of other typical command-line commands.
However, the attack doesn't stop here. In their attempt to make as much profit as possible from the targeted company, the attacker installs a bitcoin miner to take advantage of every compromised computer for free money.
If an attacker can actually access a targeted computer via an RDP connection, what do they need a backdoor for? The answer to this question, according to Panda Security, is quite simple: By installing a backdoor on the affected machine, even if the victim realises that their system has been compromised and changes the Remote Desktop credentials, all the attacker has to do is press the SHIFT key five times to enable Sticky Keys and run the backdoor to be able to access the system again.
“And remember,” says Panda Security, “all of this happened without running malware on the affected computer.”