An emerging threat campaign has been identified that weaponizes a trojanized version of DeskSoft’s EarthTime application to deploy sophisticated malware, leveraging Remote Desktop Protocol (RDP) access for command execution and network reconnaissance.
Security analysts attribute the intrusion to an affiliate operating across multiple ransomware-as-a-service groups and noted that the incident underscores the growing trend of supply-chain–style lures combined with living-off-the-land techniques.
In September 2024, a user inadvertently downloaded an EarthTime installer from what appeared to be DeskSoft’s official site.
Upon execution, the binary—signed with a revoked certificate from “Brave Pragmatic Network Technology Co., Ltd.”—deployed the SectopRAT remote access trojan.
Attackers exploited an uncontrolled search path element (CWE-427) in the installer to bypass integrity checks: the malicious payload was dropped when the installer looked for resource files in the current directory.
This binary initiated a chain of execution leading to the deployment of SectopRAT, a .NET-based remote access trojan (RAT) with information-stealing capabilities.
A secondary payload—SystemBC disguised as WakeWordEngine.dll—was then staged in C:\Users\Public\Music and executed via rundll32.exe to establish a proxy tunnel for RDP connections.
The malicious chain enabled the adversary to bypass perimeter controls and traverse the network without raising elevated privilege alerts.
RDP-Driven Reconnaissance
With the SystemBC tunnel in place, the threat actor connected to internal hosts using RDP, adopting various built-in and third-party tools for discovery and lateral movement. Key tools included:
| Tool or Technique | Purpose | Observation |
|---|---|---|
| AdFind | Active Directory subnet enumeration | Queried CN=Subnets for network topology data |
| SharpHound (renamed sh.exe) | BloodHound data collection | Generated 1,271 DNS A requests and wrote BloodHound files |
| SoftPerfect NetScan | Network port scanning | Scanned RPC, SMB, RDP across 46 IPs |
| Impacket wmiexec | Remote command execution over WMI | Spawned cmd.exe on domain controller for enumeration |
RDP sessions frequently exhibited logon type 3 followed by logon type 10 events, corroborating the use of SystemBC proxies to pivot across systems.
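The type 3 → type 10 pairing described above is straightforward to hunt for in Security log 4624 events. The following is an added illustration, not code from the report: it correlates a network logon with a RemoteInteractive logon from the same source on the same host within a short window, over a constructed set of sample events (hosts, accounts and IPs are invented).

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 logon events (not taken from
# the report): timestamp, host, account, logon type, source IP.
SAMPLE_EVENTS = """\
2024-09-12T10:01:05 DC01 svc_backup 3 10.0.5.23
2024-09-12T10:01:41 DC01 svc_backup 10 10.0.5.23
2024-09-12T10:15:00 FS02 jsmith 3 10.0.9.4
2024-09-12T11:30:00 FS02 jsmith 2 -
2024-09-12T12:02:10 WS17 svc_backup 3 10.0.5.23
2024-09-12T12:40:00 WS17 svc_backup 10 10.0.5.23
"""

def parse_events(text):
    """Parse the whitespace-separated sample format into sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, logon_type, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "account": account,
            "logon_type": int(logon_type),
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])

def find_pivot_sequences(events, window=timedelta(minutes=10)):
    """Return (host, account, src, seconds) for each type-3 logon that is
    followed by a type-10 logon on the same host, for the same account and
    from the same source IP within `window`. A proxied RDP pivot produces
    exactly this pairing: the SMB/WMI network logon, then the RDP session
    from the same tunnelled address."""
    findings = []
    pending = {}  # (host, account, src) -> time of latest type-3 logon
    for e in events:
        key = (e["host"], e["account"], e["src"])
        if e["logon_type"] == 3:
            pending[key] = e["ts"]
        elif e["logon_type"] == 10 and key in pending:
            delta = e["ts"] - pending[key]
            if timedelta(0) <= delta <= window:
                findings.append((e["host"], e["account"], e["src"],
                                 int(delta.total_seconds())))
            del pending[key]
    return findings
```

The WS17 pair in the sample falls outside the ten-minute window and is deliberately not flagged; widen `window` to trade false positives for recall.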
The EarthTime.exe binary was executed from the Downloads folder. The parent process was explorer.exe, suggesting it was executed by the victim clicking on the executable. EarthTime.exe appeared to be mimicking the legitimate EarthTime application by DeskSoft.

During these sessions, the actors performed DCSync attacks to extract domain credentials and used PsExec with SYSTEM privileges to deploy additional SystemBC instances.
On the sixth day of the intrusion, MSBuild.exe wrote a new executable, ccs.exe, identified as the multifunctional Betruger backdoor.
Masquerading as Avast Antivirus, Betruger injected into 172 processes to harvest credentials, capture screenshots, and perform network reconnaissance.
Concurrently, a loader DLL named vhd.dll was deployed, requiring a decryption key to execute its hidden payload, though its capabilities remain under analysis.
After injection, the malicious MSBuild.exe process reached out to Pastebin to retrieve its C2 configuration.

Once executed, SectopRAT injected itself into MSBuild.exe (a legitimate Microsoft-signed process) and retrieved its C2 configuration from Pastebin, initiating communication with IP 45.141.87.55 over ports 9000 and 15647.
Defense evasion was achieved through timestomping (manipulating file timestamps to 2037), disabling Microsoft Defender via registry modifications under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and masquerading custom tools (GT_NET.exe and GRB_NET.exe) with spoofed SentinelOne and Avast metadata.
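Timestomping of the kind mentioned above leaves implausible metadata that a triage script can flag from ordinary file records. This added example is not from the report: it checks constructed (path, created, modified) records for future-dated and backdated modification times; the paths and the collection time are invented.

```python
from datetime import datetime, timedelta

# Constructed collection time and file-metadata records, standing in for
# what a triage script would gather with os.stat on a suspect host.
COLLECTION_TIME = datetime(2024, 9, 18, 12, 0)
SAMPLE_RECORDS = [
    ("C:\\Users\\Public\\Music\\WakeWordEngine.dll",
     datetime(2024, 9, 12, 10, 3), datetime(2037, 1, 1, 0, 0)),
    ("C:\\Users\\victim\\Downloads\\EarthTime.exe",
     datetime(2024, 9, 12, 9, 58), datetime(2024, 9, 12, 9, 58)),
    ("C:\\ProgramData\\ccs.exe",   # invented location for the sample
     datetime(2024, 9, 17, 8, 30), datetime(2019, 3, 3, 12, 0)),
    ("C:\\Windows\\System32\\notepad.exe",
     datetime(2023, 5, 1, 0, 0), datetime(2023, 5, 1, 0, 0)),
]

def find_timestomped(records, now, tolerance=timedelta(hours=24)):
    """Return {path: reason} for records whose timestamps are implausible.

    Two cheap indicators:
      'future'    - modified later than the collection time plus a clock-skew
                    tolerance, e.g. the 2037 dates used in this intrusion;
      'backdated' - modified earlier than created. Normal writes never do
                    this, but note that file copies also produce it (the copy
                    keeps the old modified time), so treat it as a lead to
                    confirm against $FILE_NAME timestamps, not as proof.
    """
    hits = {}
    for path, created, modified in records:
        if modified > now + tolerance:
            hits[path] = "future"
        elif modified < created:
            hits[path] = "backdated"
    return hits
```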
Exfiltration and Implications
Before eviction, the adversary systematically archived high-value directories with WinRAR and transferred them via unencrypted FTP using WinSCP to IP 144.202.61.209.
WakeWordEngine.dll/conhost.dll processes were observed communicating with 149.28.101.219 over port 443.

Packet captures revealed clear-text credentials and file transfers lasting approximately 15 minutes, highlighting the dangers of legacy protocols in modern environments.
Although ransomware deployment was not observed, the presence of Grixba reconnaissance outputs linked to Play and DragonForce groups, combined with Betruger’s RansomHub affiliations, indicates preparation for extortion operations.
This intrusion exemplifies a convergence of social engineering, proxy-assisted RDP compromise, and a multi-stage malware arsenal designed for stealth and rapid data theft.
Security teams should prioritize strict application whitelisting, registry monitoring for Defender policy changes, and network segmentation to restrict RDP tunnels.
Enhanced detection of living-off-the-land tool usage—particularly anomalous MSBuild.exe and rundll32.exe chains—can mitigate similar attacks in the future.