Threat actors use Remote Desktop Protocol (RDP) to gain unauthorized access to computers and networks, fully control systems, extract sensitive data, and implant malware, among other things.
Cybersecurity researchers at ASEC recently documented MultiRDP, a malware that patches memory so that multiple attackers can hold RDP sessions on the same host at the same time.
AhnLab Security Intelligence Center (ASEC) is responding to SmallTiger malware attacks against South Korean businesses, including defense contractors, automobile part manufacturers, and semiconductor companies.
MultiRDP Malware
The attacks were first identified in November 2023 and appeared related to the Kimsuky group, but they differed in that they used software updater programs for lateral movement and installed Andariel's DurianBeacon backdoor.
They resumed in February 2024, replacing the final payload with the SmallTiger downloader.
Despite the use of known malware strains, these ongoing campaigns employing SmallTiger for malware distribution reveal how threat actors have changed their tactics toward South Korean industries.
In November 2023, researchers observed attacks sharing tactics with the Kimsuky and Andariel groups that used the MultiRDP malware to enable multiple concurrent RDP sessions and deployed the Metasploit Meterpreter backdoor.
To move laterally, the threat actor used software updater programs to drop a service named "mozillasvcone", which loaded an encrypted DLL.
This DLL decrypted additional payloads and executed them directly in memory, ultimately deploying an updated version of the DurianBeacon RAT previously attributed to Andariel.
This multistage infection chain, which pairs new delivery mechanisms with familiar malware families, shows how the threat actors' techniques against their targets keep evolving.
The new variant of the DurianBeacon RAT is written in Go and communicates with its C2 server over SSL. After initial access it was spread to other internal hosts, and it adds self-deletion and SOCKS proxy features to its remote-control capabilities.
Since February 2024, the same threat actor has exploited a vulnerability in a different piece of software to deliver a downloader identified as SmallTiger, which fetches the next-stage payload and loads it in memory.
Mimikatz and ProcDump were also used to steal credentials.
On April 8, 2024, a SmallTiger variant different from the earlier ones was observed downloading JavaScript from the C2 server and writing the payload into an NTFS alternate data stream (ADS) before executing it from there.
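The three host-side traces described above (the "mozillasvcone" service installation, more than one simultaneous RDP session on a host that MultiRDP has patched, and a payload written into an alternate data stream) can be hunted for in Windows event telemetry. The following Python is an added example written for this article, not code from ASEC or from the malware; the event records are constructed sample data with simplified field names (System event 7045 for service installation, Security 4624 logon type 10 and 4634/4647 logoff for RDP sessions, Sysmon event 15 for named-stream file creation), and the service watchlist, hostnames, paths and logon IDs are assumptions for illustration.

```python
"""Hunt for the three host traces the article describes, over constructed
Windows event records. Added example; field names are simplified."""
import re
from collections import defaultdict

# Assumed watchlist: the service name the article reports.
SUSPICIOUS_SERVICES = {"mozillasvcone"}
# "C:\dir\file.ext:streamname" -> captures the stream name; a plain path
# has no second colon and does not match.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:([^\\:]+)$")
# Browsers mark downloads with this stream; it is noise, not a payload.
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample telemetry (not real logs); hosts and IDs are made up.
EVENTS = [
    {"host": "WS01", "ts": "2024-02-12T09:01:00", "channel": "System", "id": 7045,
     "service_name": "mozillasvcone", "image_path": r"C:\ProgramData\svc\svc.exe"},
    {"host": "WS01", "ts": "2024-02-12T09:05:00", "channel": "Security", "id": 4624,
     "logon_type": 10, "logon_id": "0x3e7a1", "user": "admin"},
    {"host": "WS01", "ts": "2024-02-12T09:06:00", "channel": "Security", "id": 4624,
     "logon_type": 10, "logon_id": "0x3f002", "user": "svc_backup"},
    {"host": "WS02", "ts": "2024-04-08T13:00:00", "channel": "Security", "id": 4624,
     "logon_type": 10, "logon_id": "0x4a100", "user": "alice"},
    {"host": "WS02", "ts": "2024-04-08T13:30:00", "channel": "Security", "id": 4634,
     "logon_id": "0x4a100"},
    {"host": "WS02", "ts": "2024-04-08T13:31:00", "channel": "Security", "id": 4624,
     "logon_type": 10, "logon_id": "0x4a200", "user": "bob"},
    {"host": "WS02", "ts": "2024-04-08T13:50:00", "channel": "Sysmon", "id": 15,
     "target": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
     "image": r"C:\Program Files\Browser\browser.exe"},
    {"host": "WS02", "ts": "2024-04-08T14:00:00", "channel": "Sysmon", "id": 15,
     "target": r"C:\Users\Public\update.log:payload.js",
     "image": r"C:\Windows\System32\wscript.exe"},
]


def find_suspicious_services(events):
    """System 7045 (new service installed) whose name is on the watchlist."""
    return [e for e in events
            if e["channel"] == "System" and e["id"] == 7045
            and e.get("service_name", "").lower() in SUSPICIOUS_SERVICES]


def find_concurrent_rdp(events, max_sessions=1):
    """Replay RDP logons (4624, type 10) and logoffs (4634/4647) per host in
    time order and flag the moment more than max_sessions are active at once.
    Client editions of Windows permit one remote interactive session, which
    is exactly the limit a MultiRDP-style memory patch removes."""
    active = defaultdict(set)  # host -> logon IDs of RDP sessions still open
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["channel"] != "Security":
            continue
        if e["id"] == 4624 and e.get("logon_type") == 10:
            active[e["host"]].add(e["logon_id"])
            if len(active[e["host"]]) > max_sessions:
                alerts.append({"host": e["host"], "ts": e["ts"],
                               "sessions": sorted(active[e["host"]])})
        elif e["id"] in (4634, 4647):
            active[e["host"]].discard(e.get("logon_id"))
    return alerts


def find_ads_writes(events):
    """Sysmon 15 (FileCreateStreamHash) where the target is a named stream
    other than the browser's Zone.Identifier marker."""
    hits = []
    for e in events:
        if e["channel"] != "Sysmon" or e["id"] != 15:
            continue
        m = ADS_RE.match(e.get("target", ""))
        if m and m.group(1) not in BENIGN_STREAMS:
            hits.append({"host": e["host"], "ts": e["ts"], "stream": m.group(1),
                         "target": e["target"], "image": e.get("image")})
    return hits


def hunt(events):
    """Run all three checks and return their findings keyed by check name."""
    return {"services": find_suspicious_services(events),
            "concurrent_rdp": find_concurrent_rdp(events),
            "ads_writes": find_ads_writes(events)}


if __name__ == "__main__":
    for name, hits in hunt(EVENTS).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

On the sample data WS01 trips both the service and the concurrent-RDP checks, while WS02 does not trip the RDP check because alice's session was logged off before bob's began; only the `payload.js` stream is reported, since `Zone.Identifier` is filtered as benign. On servers licensed for several sessions, raise `max_sessions` to the configured limit rather than one.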
In May 2024, SmallTiger was also distributed via GitHub.
Although the threat actor relied largely on known malware such as DurianBeacon, SmallTiger and Meterpreter, it changed its delivery mechanisms and added new features, which is why these threats need continuous monitoring and updated defenses.
ASEC has confirmed attacks on South Korean companies since November 2023, with SmallTiger used as the final payload from February 2024 onward.
Users should be cautious of unknown email attachments and downloaded executables, as they may carry SmallTiger.
Companies should improve their security monitoring and apply vulnerability patches promptly. To avoid infection, users should keep their operating system, browser, and AhnLab V3 antivirus updated to the latest versions.