Hackers Using Publicly Available Ransomware To Attack the Entire Network By Gaining RDP Access

The cybersecurity firm Kaspersky has observed threat actors adopting new ways to make money from ransomware: they attack an entire network by gaining RDP access, deploy publicly available ransomware, and mine Monero with the help of the XMRig miner.

Researchers found the Trojan making unusual attempts on users’ computers: it was run to open Remote Desktop Protocol (RDP) access on the victims’ machines.

Rather than organized groups, the attackers behind this campaign rely on publicly available ransomware and target ordinary users instead of the corporate sector.

The attackers used an unusual technique to extract more money from each infected system: they run an administrator program that adds a new user account, which gives them RDP access to the computer.

Once this is done, the ransomware Trojan-Ransom.Win32.Crusis is started on the same machine, followed by the loader of the XMRig miner, which then begins mining Monero.

“It emerged that in August 2020 there were more than 5,000 attempts to install it on users’ computers. The parties responsible for its distribution turned out to be the Prometei malware family and a new family called Cliptomaner,” Kaspersky said.

The machine then starts earning money for the attacker while the user sees only the ransom note; meanwhile the attacker explores the victim’s network to spread the ransomware to other systems.
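As an added defender’s example (not code from the article or from Kaspersky), the following correlation over constructed Windows Security events flags the chain described above: a newly created local account that is added to an RDP-capable group and then used for a Remote Desktop logon shortly afterwards. Event IDs 4720, 4732 and 4624 with logon type 10 are the standard Windows identifiers; the sample events and the simplified field layout are constructed assumptions.

```python
"""Correlate Windows Security events for the 'new user -> RDP access' chain."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, event_id, fields).
# Field names follow the Security log XML names; the layout is simplified.
SAMPLE_EVENTS = [
    ("2020-08-12T10:00:05", 4720, {"TargetUserName": "backup2", "SubjectUserName": "admin"}),
    ("2020-08-12T10:00:09", 4732, {"MemberName": "backup2", "TargetUserName": "Remote Desktop Users"}),
    ("2020-08-12T10:00:11", 4732, {"MemberName": "backup2", "TargetUserName": "Administrators"}),
    ("2020-08-12T10:03:40", 4624, {"TargetUserName": "backup2", "LogonType": "10", "IpAddress": "198.51.100.7"}),
    ("2020-08-12T11:30:00", 4720, {"TargetUserName": "jsmith", "SubjectUserName": "helpdesk"}),
    ("2020-08-13T09:00:00", 4624, {"TargetUserName": "jsmith", "LogonType": "2", "IpAddress": "-"}),
]

# Local groups whose membership grants Remote Desktop access.
RDP_GROUPS = {"Remote Desktop Users", "Administrators"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_rdp_account_chains(events, window=timedelta(hours=1)):
    """Return accounts that were created (4720), added to an RDP-capable group
    (4732) and then used for an RDP logon (4624, LogonType 10) within `window`
    of their creation. Events are processed in timestamp order."""
    created = {}                # account -> creation time
    granted = defaultdict(set)  # account -> RDP-capable groups it was added to
    findings = []
    for ts_str, eid, f in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        if eid == 4720:
            created[f["TargetUserName"]] = ts
        elif eid == 4732 and f.get("TargetUserName") in RDP_GROUPS:
            granted[f["MemberName"]].add(f["TargetUserName"])
        elif eid == 4624 and f.get("LogonType") == "10":
            user = f["TargetUserName"]
            if user in created and granted[user] and ts - created[user] <= window:
                findings.append({"account": user, "groups": sorted(granted[user]),
                                 "created": created[user].isoformat(),
                                 "rdp_logon": ts.isoformat(), "source": f.get("IpAddress")})
    return findings


if __name__ == "__main__":
    for hit in find_rdp_account_chains(SAMPLE_EVENTS):
        print("ALERT: new account used for RDP shortly after creation:", hit)
```

Only the constructed `backup2` account triggers the alert; `jsmith` is created normally and logs on interactively, so it is ignored.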

Cliptomaner miner

Cliptomaner is a generic detection name used by Microsoft Security Essentials, Windows Defender, and other anti-virus products for files that exhibit trojan-like behaviour; the malware also uses XMRig to mine Monero.

Cliptomaner is built to mine cryptocurrency, but it also replaces cryptocurrency wallet addresses found in the operating system’s clipboard.

According to Kaspersky’s report, Cliptomaner was detected in September 2020. The miner version it downloads from the C&C server is chosen according to the computer’s configuration. The new version introduces several techniques, but the most notable feature is that Cliptomaner is written entirely in the AutoIt scripting language.

Prometei backdoor

Prometei is a modular backdoor generally used in targeted attacks against Windows Server systems. It has been active since 2016 and is written in C++ and .NET.

The Prometei backdoor enrolls devices into a botnet that is later used to mine various cryptocurrencies, including Bitcoin and Monero. Researchers first detected Prometei together with XMRig in February 2020.

This time the backdoor was distributed in an unusual way: the cybercriminals gain server access through various exploits and, in addition, through brute-force attacks.

According to Kaspersky’s report, there were over 5,000 attempts to install XMRig on users’ computers in August 2020. Users should therefore apply protective measures. At the same time, miner developers have had to improve their products, often turning to non-trivial solutions.

Indicators of compromise (IoC)

Cryptowallets used for substitution

ETH: 0x795957d9753e854b62C64cF880Ae22c8Ab14991b
ZEC: t1ZbJBqHQyytNYtCpDWFQzqPQ5xKftePPt8
DOGE: DEUjj7mi5N67b6LYZPApyoV8Ek8hdNL1Vy


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.