Throughout 2018 and 2019, malicious cyber actors used desktop sharing software to facilitate a range of network intrusion activities, using both authorized and unauthorized installations to gain control of victim systems and access to otherwise inaccessible files. Desktop sharing software has multiple legitimate uses, enabling telework, tech support, and file transfers, but it can also be abused through social engineering and other illicit measures. Specifically, cyber actors typically convince victims to voluntarily download and install the desktop sharing software, often under the guise of providing technical support or with the assistance of corrupt insiders. Cyber actors also use stolen credentials to access victim systems through existing desktop sharing software installations. Either route gives the cyber actors complete interactive control over the affected system, enabling them to perform a range of malicious activities.
Desktop sharing software is a popular tool used by malicious cyber actors engaged in targeted social engineering attacks, as well as in large-scale, indiscriminate phishing campaigns. Corrupt insiders with vindictive and/or larcenous motivations can also use the software to victimize employers. Desktop sharing software gives cyber actors the ability to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). Because desktop sharing software has legitimate uses, however, its presence is less suspicious to end users and system administrators than a typical RAT, and it is often already permitted by endpoint and network controls. Roll-Call has observed corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the Financial Services and Information Technology sectors. Cyber actors monetize this activity through the following techniques:
Using access granted by desktop sharing software to perform fraudulent wire transfers.
Injecting malicious code that allows the cyber actors to hide desktop sharing software windows, protect malware files from detection, and control the desktop sharing software's startup parameters so that it launches silently and without the user's knowledge.
Moving laterally across the network from the initial system to expand the scope of the intrusion.
The following measures may help protect against this scheme:
Use strong, unique passwords for Remote Desktop Protocol (RDP) accounts and for any desktop sharing software accounts
Where possible, require multi-factor authentication for all remote access
Audit logs for all remote connection protocols, including RDP logon events and the connection records kept by desktop sharing software
Train users to identify and report attempts at social engineering, including unsolicited "technical support" requests to install remote access software
Identify and suspend the access of users exhibiting unusual activity, such as remote logons at unusual hours or from unfamiliar locations
Keep software updated, including the desktop sharing software itself
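The two mitigations above that depend on reviewing remote access logs (auditing remote connection protocols and flagging users with unusual activity) are illustrated by the following added example. It is not part of the original advisory and is not any vendor's tooling. The records are constructed for this example and loosely model Windows Security events 4624 (successful logon) and 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP); the field names, the per-user baseline of known source addresses, the business-hours window and the failure threshold are all assumptions chosen for illustration.

```python
"""Added example: reviewing remote logon records for signs of desktop sharing abuse.

Constructed records loosely modelled on Windows Security events 4624/4625 with
LogonType 10 (RDP). Field names, thresholds and the KNOWN_SOURCES baseline are
assumptions for this example, not the advisory's or any product's log format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    # Normal: known account, known internal address, during the working day.
    {"time": "2019-03-04T09:12:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21"},
    # Burst of failures from one external address followed by a success: guessed
    # or stolen credentials used against an existing remote access installation.
    {"time": "2019-03-04T23:40:11", "event_id": 4625, "logon_type": 10, "user": "acarter", "src_ip": "203.0.113.77"},
    {"time": "2019-03-04T23:40:19", "event_id": 4625, "logon_type": 10, "user": "acarter", "src_ip": "203.0.113.77"},
    {"time": "2019-03-04T23:40:27", "event_id": 4625, "logon_type": 10, "user": "acarter", "src_ip": "203.0.113.77"},
    {"time": "2019-03-04T23:40:36", "event_id": 4625, "logon_type": 10, "user": "acarter", "src_ip": "203.0.113.77"},
    {"time": "2019-03-04T23:40:50", "event_id": 4625, "logon_type": 10, "user": "acarter", "src_ip": "203.0.113.77"},
    {"time": "2019-03-04T23:41:05", "event_id": 4624, "logon_type": 10, "user": "acarter", "src_ip": "203.0.113.77"},
    # Console logon (LogonType 2) is out of scope for this check and is skipped.
    {"time": "2019-03-05T08:01:00", "event_id": 4624, "logon_type": 2, "user": "jsmith", "src_ip": "-"},
    # Known account, but at 02:15 from an address never seen for that account.
    {"time": "2019-03-05T02:15:30", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.9"},
]

# Assumed baseline: addresses each account normally connects from.
KNOWN_SOURCES = {
    "jsmith": {"10.0.5.21", "10.0.5.22"},
    "acarter": {"10.0.7.40"},
}

RDP_LOGON_TYPE = 10
SUCCESS, FAILURE = 4624, 4625


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect(events, known_sources, fail_threshold=5, window_minutes=10, business_hours=(7, 19)):
    """Return a list of alert dicts for suspicious remote (RDP) logons.

    Rules applied to each successful LogonType-10 logon:
      brute_force_then_success  - >= fail_threshold failures from the same
                                  source address within window_minutes before it
      off_hours_remote_logon    - logon hour outside business_hours
      new_source_for_user       - source address not in the user's baseline
    """
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of failed logons
    window_seconds = window_minutes * 60
    start_hour, end_hour = business_hours

    for ev in sorted(events, key=lambda e: _parse_time(e["time"])):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        when = _parse_time(ev["time"])
        src = ev["src_ip"]
        if ev["event_id"] == FAILURE:
            failures[src].append(when)
            continue
        if ev["event_id"] != SUCCESS:
            continue

        def alert(rule):
            alerts.append({"rule": rule, "user": ev["user"], "src_ip": src, "time": ev["time"]})

        recent_failures = [f for f in failures[src] if 0 <= (when - f).total_seconds() <= window_seconds]
        if len(recent_failures) >= fail_threshold:
            alert("brute_force_then_success")
        if not (start_hour <= when.hour < end_hour):
            alert("off_hours_remote_logon")
        if src not in known_sources.get(ev["user"], set()):
            alert("new_source_for_user")
    return alerts


def users_to_review(alerts, min_alerts=2):
    """Accounts with at least min_alerts alerts, i.e. candidates for suspension pending review."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= min_alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, KNOWN_SOURCES)
    for a in found:
        print(f'{a["time"]}  {a["rule"]:<26} user={a["user"]} src={a["src_ip"]}')
    print("review:", users_to_review(found))
```

The baseline of known source addresses is the piece that makes this useful in practice: a logon that is individually unremarkable (valid credentials, successful logon) becomes notable when it comes from an address the account has never used, which is exactly what stolen-credential access through an existing installation looks like. Third-party desktop sharing tools keep their own connection logs in their own formats; the same three rules apply once those records are normalized into the same fields.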