
Researchers Discover a New Method That Lets Hackers Run Malicious Code via RDP

Security researchers from Cymulate have disclosed a defense-evasion technique that lets attackers run malicious code through Microsoft's Remote Desktop Protocol (RDP) client by means of DLL side-loading.

While analyzing the MSTSC client and RDP, they observed behavior in how the client loads one of its libraries that lets attackers bypass security controls.

Malicious Code Via RDP

On Windows, RDP connections are made with the Microsoft Terminal Services Client (MSTSC, mstsc.exe), which relies on a DLL, mstscax.dll, for its core functionality.

Cymulate identified that “Microsoft Terminal Services Client (MSTSC) performs delay-loading of mstscax.dll with a behavior that can result in hackers bypassing security controls. The executable explicitly loads ‘mstscax.dll’ with no integrity checks to validate the library’s code.”

An attacker could exploit this blind spot in two ways: by replacing the mstscax.dll in C:\Windows\System32 (which requires administrative privileges), or by copying mstsc.exe to a folder the attacker can write to without admin privileges and placing a malicious mstscax.dll next to it.

The second path works because, according to the researchers, “mstsc.exe does not explicitly load the DLL from the system32 folder.” Since the library is requested by file name only, Windows resolves it through the normal DLL search order, which begins with the directory the executable was launched from, so a copy of mstsc.exe picks up whatever mstscax.dll sits beside it.

“This behavior leads to the ability of an adversary to execute malicious code in the context of digitally signed Mstsc.exe and therefore bypass security controls such as AppLocker.”

Cymulate reported the issue to Microsoft, which declined to patch it, stating that “System32 requires admin privileges and is therefore not a perceived threat.”

“Enterprises need to be immediately made aware of this threat to mitigate attacks as it will bypass security controls,” said Cymulate’s CTO Avihai Ben-Yossef.

Attackers can take advantage of the fact that many security controls trust mstsc.exe because it is signed by Microsoft, so code loaded into its process inherits that trust.

To mitigate the threat, the researchers recommend blocking mstsc.exe where it is not needed and monitoring for abnormal behavior from mstsc.exe processes, in particular the client running from an unexpected location or loading an mstscax.dll that is not the signed copy in System32.
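The monitoring the researchers recommend can be expressed as a rule over process-creation and image-load telemetry. The following is an added example, not code from the article or from Cymulate. It uses Sysmon-style field names (EventID 1 for process creation, EventID 7 for image load, with Image, ImageLoaded, Signed and SignatureStatus) on constructed sample events, and flags both paths described above: a copy of mstsc.exe running outside System32 with mstscax.dll beside it, and an unsigned mstscax.dll loaded from System32 itself (the admin-required replacement case). Trusted directories, field names and the sample events are assumptions for illustration.

```python
"""Flag mstsc.exe / mstscax.dll side-loading from Sysmon-style events (added example)."""
from pathlib import PureWindowsPath

# Where the genuine client and its DLL normally live. PureWindowsPath compares
# case-insensitively, which matches NTFS semantics for these paths.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)
CLIENT = "mstsc.exe"
LIBRARY = "mstscax.dll"

# Constructed sample telemetry, shaped like Sysmon Event ID 1 (ProcessCreate)
# and Event ID 7 (ImageLoad) records. Not real captured data.
SAMPLE_EVENTS = [
    # Benign: the real client started from System32 loading the real DLL.
    {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mstsc.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Side-load: a copy of mstsc.exe run from a user-writable folder picks up
    # the mstscax.dll placed next to it (no admin rights needed).
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\mstsc.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\mstsc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\mstscax.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Replacement: the System32 copy itself was overwritten (needs admin).
    {"EventID": 7, "Image": r"C:\Windows\System32\mstsc.exe",
     "ImageLoaded": r"C:\Windows\System32\mstscax.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unrelated, should not alert.
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def analyze(events):
    """Return (rule_name, path) findings for events that match the side-loading pattern."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        if image.name.lower() != CLIENT:
            continue  # only care about the RDP client process
        if ev["EventID"] == 1:
            # The signed client executing from anywhere but its system directory.
            if image.parent not in TRUSTED_DIRS:
                findings.append(("relocated_client", str(image)))
        elif ev["EventID"] == 7:
            dll = PureWindowsPath(ev["ImageLoaded"])
            if dll.name.lower() != LIBRARY:
                continue
            if dll.parent not in TRUSTED_DIRS:
                # Library resolved from the launch directory instead of System32.
                findings.append(("sideloaded_dll", str(dll)))
            elif ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
                # Right location, wrong file: the System32 copy was replaced.
                findings.append(("unsigned_dll_in_system_dir", str(dll)))
    return findings


if __name__ == "__main__":
    for rule, path in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Because mstsc.exe itself is legitimately signed, the signature check is applied to the loaded library rather than the process image; a hash or signer allow-list on mstscax.dll would tighten the third rule further.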


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
