We’ve been continuously receiving reports of infections, specifically in the APAC and NABU regions, related to a certain malware that uses Remote Desktop Protocol for its propagation.
Detected as WORM_MORTO.SMA, this worm drops its component files into the system, including a DLL file into the system’s Windows folder. The said DLL file, which bears the file name clb.dll, is detected as WORM_MORTO.SM. WORM_MORTO.SM acts as a loader for the malware and places its own clb.dll in the %Windows% folder to exploit the order in which Windows searches for DLLs. Windows typically searches the %Windows% folder before %System%, where the legitimate clb.dll is placed. As a result, the malware’s .DLL file is loaded first whenever regedit.exe is executed.
Once WORM_MORTO.SM gets loaded, it decrypts a file that contains the malware’s payload. It searches for Remote Desktop Servers associated with the affected system and attempts to log in as an administrator using a predefined set of passwords. Once a successful connection is established, it drops a copy of WORM_MORTO.SM into a temporary directory on the system.
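The password-guessing behaviour described above leaves a recognisable trail in the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, followed by a successful one (Event ID 4624) for the same source. The following detection routine is an added example, not code from the original post or from Trend Micro; the event records are constructed samples already parsed into dictionaries, and the threshold and time window are assumptions a defender would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security events.
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2011-08-28 10:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.0.0.7"},
    {"time": "2011-08-28 10:00:02", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.0.0.7"},
    {"time": "2011-08-28 10:00:03", "id": 4625, "logon_type": 10, "user": "admin",         "src": "10.0.0.7"},
    {"time": "2011-08-28 10:00:04", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.0.0.7"},
    {"time": "2011-08-28 10:00:05", "id": 4625, "logon_type": 10, "user": "administrator", "src": "10.0.0.7"},
    {"time": "2011-08-28 10:00:06", "id": 4624, "logon_type": 10, "user": "administrator", "src": "10.0.0.7"},
    {"time": "2011-08-28 10:05:00", "id": 4625, "logon_type": 10, "user": "alice",         "src": "10.0.0.9"},
    {"time": "2011-08-28 10:05:20", "id": 4624, "logon_type": 10, "user": "alice",         "src": "10.0.0.9"},
    {"time": "2011-08-28 10:06:00", "id": 4624, "logon_type": 2,  "user": "bob",           "src": "-"},
]


def find_rdp_guessing(events, threshold=5, window_seconds=60):
    """Return one alert per source that produced >= threshold failed RDP logons
    inside the sliding window; mark it 'succeeded' if a successful RDP logon
    from that source follows the burst within the same window."""
    window = timedelta(seconds=window_seconds)
    fails, open_alert, alerts = defaultdict(list), {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        src = ev["src"]
        if ev["id"] == 4625:
            # keep only failures still inside the window, then add this one
            fails[src] = [x for x in fails[src] if t - x <= window] + [t]
            if len(fails[src]) >= threshold and src not in open_alert:
                open_alert[src] = {"src": src, "user": None, "succeeded": False}
                alerts.append(open_alert[src])
        elif ev["id"] == 4624 and src in open_alert and fails[src] and t - fails[src][-1] <= window:
            # a success right after the burst is the moment a guessed password worked
            open_alert[src].update(succeeded=True, user=ev["user"])
            del open_alert[src]  # burst resolved; a later burst raises a fresh alert
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

A single failed logon from 10.0.0.9 and the local (type 2) logon are ignored, so only the 10.0.0.7 burst that ends in a successful administrator logon is reported.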
Note that dropping files is not the only action a cybercriminal can take once able to connect remotely to the system through RDP. RDP is designed to give a user access to their entire system remotely, so a cybercriminal who is able to connect gains complete access to the system.
According to my colleague Karl Dominguez, it appears that the aim of this attack is indeed to give the attacker full control of the affected system and of the whole network, since the malware logs in using an administrator account. Anything can be done in the system at this point, including information theft, especially if the malware infiltrates servers.
Trend Micro users are protected from this threat as the malicious files are now detected as WORM_MORTO.SMA and WORM_MORTO.SM. Additionally, URLs which this malware uses to connect to its servers are now blocked.
As a form of prevention against this threat, and other similar threats for that matter, users are advised to use a strong password and enable their firewall. Network administrators are also recommended to require a secure VPN connection before allowing users to use the Remote Desktop Connection.