Remote Desktop is often used by cybercriminals to perform attacks.
Abuse of Remote Desktop Server
According to her researchers Bitdefender, hackers are exploiting it Windows Remote Desktop Server and install a malicious component in the victim's system, called worker.exe and can be run via explorer.exe or cmd.exe.
Worker.exe can allow a number of commands to be executed including collection of various information system: architecture, CPU model, kernel, RAM size, Windows version. Still, it allows download screenshots, pselect the IP address of the domain of the victim and his other information browser.
Malicious development payloads
After the hackers collect the above information for victim machines, they decide what kind of malicious payload to deploy. For example, if it is corporate network, then they will most likely choose to attack with a ransomware.
Researchers have found that they are used in this campaign various malicious payloads: clipboard stealer payloads, cryptocurrency miners, ransomware miner payloads and AZORult payloads.
According to researchers, the hacking campaign targets victims around the world. However, most of them victims come from Brazil, the United States and Romania. Also, hackers do not target specific industries but try to attack as many victims as possible.
One of the most common types of payloads, in this campaign, are the miners. "Miners have been in use since April 2018 and earlier, but since then a wide variety of tools have been used, especially in the first months of 2019," the researchers said.