Russian Hackers Deploy ‘CTRL’ Toolkit for Stealthy RDP Hijacking
A custom remote access toolkit named CTRL has been identified in use by a Russian-speaking threat actor to hijack Remote Desktop Protocol (RDP) sessions and steal credentials from Windows systems. The .NET framework bundles phishing, keylogging, reverse tunneling, concealed RDP access, and persistence into a single attack chain.
Discovery and Attribution
The cybersecurity firm Censys ARC uncovered the CTRL toolkit during routine open directory scans. Researchers stumbled upon a malicious LNK file alongside three .NET payloads hosted on the domain hui228[.]ru. Notably, this framework was absent from public malware repositories and major threat intelligence feeds at the time of discovery, indicating its potential use in targeted operations rather than widespread distribution.
Analysis of the toolkit revealed Russian-language strings and development artifacts, pointing to a Russian-speaking developer. The toolkit runs on current Windows releases, which indicates ongoing development and adaptation to the environments it targets.
Attack Methodology
The attack starts with a weaponized shortcut file (LNK) that masquerades as a folder and is typically named to resemble a private key archive. When opened, the shortcut launches concealed PowerShell code that decodes and runs a multi-stage loader entirely in memory, so no payload executable is written to disk for file-based scanners to inspect; the LNK itself and the registry data described next are the main on-disk artifacts.
The loader then stores its payloads as values under Explorer-related registry paths, where encoded blobs sit alongside legitimate Explorer data and are easy to overlook. The stager component creates scheduled tasks, modifies firewall rules, downloads additional modules, and configures the system for sustained unauthorized access.
To escalate privileges, the malware uses a User Account Control (UAC) bypass that manipulates registry settings and abuses a signed Microsoft binary, the familiar class of bypass built on auto-elevating system executables. Bypasses of this kind are not patched vulnerabilities: they work only when the logged-on user is a local administrator running at the default UAC notification level, which is why removing local admin rights or setting UAC to "Always notify" defeats them. Once elevated, the malware installs the remaining components of the toolkit and ensures persistence across reboots.
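The shortcut stage is the one a responder can triage offline, before anything runs. The script below is an added example, not code from the article or from the CTRL toolkit: it builds a constructed lure shortcut in the shape described (folder icon, hidden window, base64-encoded PowerShell in the arguments; the stage it carries is a harmless placeholder), then parses the Shell Link header and string data the way a triage tool would and decodes the embedded command. The icon index, file paths and placeholder script are assumptions for the demo.

```python
import base64
import struct

# ShellLinkHeader constants from the MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # start minimized and never activate: the console never shows
STRING_FIELDS = (  # StringData sections, in the fixed order the format requires
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

def build_lnk(show_cmd=1, icon_index=0, **strings) -> bytes:
    """Build a minimal .lnk (no IDList, no LinkInfo) from StringData fields.

    Keyword names match STRING_FIELDS; empty fields are left out of the file."""
    flags, body = IS_UNICODE, b""
    for flag, field in STRING_FIELDS:
        text = strings.get(field)
        if text:
            flags |= flag
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand,
    # HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIqqqIiIHHII", flags, 0, 0, 0, 0, 0,
                          icon_index, show_cmd, 0, 0, 0, 0)
    return header + body

def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk; raise ValueError on bad magic."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "attributes": attrs,
            "icon_index": icon_index, "show_command": show_cmd}
    for flag, field in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return info

def decode_encoded_command(args: str):
    """Return the script behind -EncodedCommand (or -e/-ec/-enc), else None."""
    tokens = args.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip("-/") in ("e", "ec", "enc", "encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage_lnk(info: dict) -> dict:
    """Score the lure traits: PowerShell target, hidden window, folder icon, encoded script."""
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    if "powershell" in target:
        findings.append("target is PowerShell")
    if info["show_command"] == SW_SHOWMINNOACTIVE or "-w hidden" in target:
        findings.append("window hidden")
    icon = info.get("icon_location", "").lower()
    if icon.endswith("shell32.dll") and info["icon_index"] in (3, 4):
        findings.append("borrows the Explorer folder icon")
    decoded = decode_encoded_command(info.get("arguments", ""))
    if decoded is not None:
        findings.append("carries a base64 PowerShell command")
    return {"suspicious": len(findings) >= 2, "findings": findings, "decoded_command": decoded}

# Constructed lure in the shape the article describes: folder icon, hidden
# window, and a harmless placeholder stage in place of the real in-memory loader.
STAGE_SCRIPT = "Write-Host 'constructed placeholder for the in-memory loader'"
ENCODED = base64.b64encode(STAGE_SCRIPT.encode("utf-16-le")).decode()

def build_sample_lure() -> bytes:
    return build_lnk(
        show_cmd=SW_SHOWMINNOACTIVE,
        icon_index=3,  # folder icon slot in shell32.dll, an assumption for the demo
        relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        working_dir=r"C:\Users\Public",
        arguments=f"-nop -w hidden -enc {ENCODED}",
        icon_location=r"%SystemRoot%\System32\shell32.dll",
    )

if __name__ == "__main__":
    report = triage_lnk(parse_lnk(build_sample_lure()))
    for finding in report["findings"]:
        print("-", finding)
    print("decoded:", report["decoded_command"])
```

Real lures usually carry a LinkTargetIDList and LinkInfo block as well; the parser skips both by their size fields, so it works on files pulled from a mailbox or a download folder, not only on the constructed sample. The decoded script is what to feed into a sandbox or a script-block-log search, not something to run on the analyst's workstation.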
RDP Hijacking and Credential Theft
A particularly alarming feature of CTRL is its ability to open concealed RDP access. The malware patches termsrv.dll and installs RDP Wrapper, two established ways of lifting the single-interactive-session limit on client editions of Windows, so that an attacker's remote desktop session can run alongside the victim's own session without the victim being logged off or shown a prompt.
The toolkit also displays a counterfeit Windows Hello PIN prompt that closely mimics the real Windows dialog and shows the victim's actual account details. The phishing window checks each entered PIN against the legitimate authentication path, so only a PIN that actually works is recorded.
In addition, the malware runs a background keylogger and accepts commands over a named pipe called ctrlPipe. Because the operator can drive the compromised machine interactively through the hijacked RDP session, this local channel reduces the need for a conventional, more detectable command-and-control beacon.
Stealth and Network Evasion
To minimize its network footprint, CTRL uses Fast Reverse Proxy (FRP), an open-source tunneling tool, to build reverse tunnels to attacker-controlled infrastructure: the FRP client on the victim makes a single long-lived outbound connection to a relay, and the relay exposes the victim's RDP service to the operator. No inbound connection to the victim is needed, and the steady outbound tunnel does not produce the periodic beaconing that detections for conventional remote access trojans look for.
The infrastructure tied to this malware includes the IP addresses 194.33.61.36 and 109.107.168.18 and the domain hui228[.]ru, which serve as payload hosts and FRP relay servers. Beyond the outbound tunnel itself, the attacker's operations leave few network traces.
Indicators of Compromise (IoCs)
Organizations should be vigilant for the following IoCs associated with the CTRL toolkit:
– IP Addresses:
– 194.33.61.36: Payload hosting and FRP relay server.
– 109.107.168.18: Secondary FRP relay on TCP port 7000, FRP's default server port.
– Domain:
– hui228[.]ru: Payload hosting and command-and-control, resolved through dynamic DNS.
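The RDP tampering, the ctrlPipe channel, the FRP tunnel and the indicators listed above translate directly into host-telemetry rules. The script below is an added example, not the article's or Censys's code: it runs six rules over constructed Sysmon-style events (JSON lines made up for the demo, not telemetry from a real infection) and flags a host on any contact with the listed infrastructure or on two or more corroborating findings. The Explorer registry value, process names and paths in the sample events are assumptions; the Explorer-blob rule is a heuristic, not a published signature.

```python
import ipaddress
import json

# Network indicators from the article's IoC list.
IOC_IPS = {"194.33.61.36", "109.107.168.18"}
IOC_DOMAINS = {"hui228.ru"}
FRP_PORT = 7000  # frps default bind port, used by the secondary relay

# Each rule takes one Sysmon-style event (dict) and returns a finding or None.
def rule_ctrl_pipe(e):
    if e.get("EventID") in (17, 18) and e.get("PipeName", "").lower().endswith("\\ctrlpipe"):
        return "ctrlPipe named pipe (CTRL local command channel)"

def rule_rdp_tamper(e):
    name = e.get("TargetFilename", "").lower()
    if e.get("EventID") == 11 and name.endswith(("\\termsrv.dll", "\\rdpwrap.dll", "\\rdpwrap.ini")):
        return "termsrv.dll or RDP Wrapper file written"

def rule_rdp_enabled(e):
    obj = e.get("TargetObject", "").lower()
    if (e.get("EventID") == 13 and obj.endswith("\\terminal server\\fdenytsconnections")
            and "0x00000000" in e.get("Details", "")):
        return "RDP enabled by setting fDenyTSConnections=0"

def rule_registry_blob(e):
    # Heuristic for the registry-resident payloads: binary data written under an
    # Explorer path by something other than Explorer itself.
    obj, image = e.get("TargetObject", "").lower(), e.get("Image", "").lower()
    if (e.get("EventID") == 13 and "\\currentversion\\explorer\\" in obj
            and e.get("Details") == "Binary Data" and not image.endswith("\\explorer.exe")):
        return "binary blob stored under Explorer registry path by non-Explorer process"

def rule_network(e):
    if e.get("EventID") != 3:
        return None
    ip, host = e.get("DestinationIp", ""), e.get("DestinationHostname", "").lower()
    if ip in IOC_IPS or host in IOC_DOMAINS:
        return f"connection to known CTRL infrastructure {ip or host}"
    if e.get("DestinationPort") == FRP_PORT and ip and ipaddress.ip_address(ip).is_global:
        return f"outbound {FRP_PORT}/tcp to a public host (FRP relay pattern)"

def rule_persistence_cmd(e):
    if e.get("EventID") != 1:
        return None
    cmd = e.get("CommandLine", "").lower()
    if "schtasks" in cmd and "/create" in cmd:
        return "scheduled task created"
    if "netsh" in cmd and "advfirewall" in cmd and "add rule" in cmd:
        return "firewall rule added"

RULES = (rule_ctrl_pipe, rule_rdp_tamper, rule_rdp_enabled,
         rule_registry_blob, rule_network, rule_persistence_cmd)

def hunt(lines):
    """Map each host to its (EventID, finding) pairs for events that trip a rule."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.setdefault(e.get("Computer", "?"), []).append((e["EventID"], msg))
    return hits

def flagged_hosts(hits):
    """A host is flagged on any known-infrastructure hit or on two or more findings."""
    return sorted(h for h, f in hits.items()
                  if len(f) >= 2 or any("known CTRL" in m for _, m in f))

# Constructed Sysmon-style events (JSON lines), not telemetry from a real infection.
SAMPLE_EVENTS = r"""
{"EventID":1,"Computer":"WS-07","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /tn SystemUpdate /sc onlogon /tr C:\\Users\\Public\\stage.exe"}
{"EventID":1,"Computer":"WS-07","Image":"C:\\Windows\\System32\\netsh.exe","CommandLine":"netsh advfirewall firewall add rule name=Update dir=in action=allow protocol=tcp localport=3389"}
{"EventID":11,"Computer":"WS-07","Image":"C:\\Users\\Public\\stage.exe","TargetFilename":"C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"}
{"EventID":13,"Computer":"WS-07","Image":"C:\\Users\\Public\\stage.exe","TargetObject":"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","Details":"DWORD (0x00000000)"}
{"EventID":13,"Computer":"WS-07","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Data","Details":"Binary Data"}
{"EventID":17,"Computer":"WS-07","Image":"C:\\Users\\Public\\stage.exe","PipeName":"\\ctrlPipe"}
{"EventID":3,"Computer":"WS-07","Image":"C:\\Users\\Public\\frpc.exe","DestinationIp":"109.107.168.18","DestinationPort":7000}
{"EventID":3,"Computer":"WS-12","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"1.1.1.1","DestinationPort":443}
{"EventID":17,"Computer":"WS-12","Image":"C:\\Windows\\System32\\svchost.exe","PipeName":"\\lsass"}
{"EventID":13,"Computer":"WS-12","Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\MRUListEx","Details":"Binary Data"}
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS.splitlines())
    for host in flagged_hosts(hits):
        print(host)
        for event_id, msg in hits[host]:
            print(f"  [Sysmon {event_id}] {msg}")
```

The rules key on Sysmon Event IDs 1 (process create), 3 (network connect), 11 (file create), 13 (registry set) and 17/18 (pipe created/connected), so the same functions can be pointed at an exported event log converted to JSON lines. The port-7000 rule is deliberately weak on its own, which is why a host needs a second finding before it is flagged; the hard-coded IoCs are the only single-event trigger.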
Mitigation Strategies
To defend against threats like the CTRL toolkit, organizations are advised to implement the following measures:
1. User Education: Train employees to treat shortcut (LNK) files arriving in archives or downloads as suspect, especially ones that look like folders, and to report any Windows Hello PIN prompt that appears outside a normal sign-in.
2. System Hardening: Keep Windows patched, but note that this chain relies on no software vulnerability, so configuration matters more: remove standing local administrator rights, set UAC to "Always notify" so auto-elevation bypasses fail, enable PowerShell script block logging, and keep RDP disabled on workstations that do not need it.
3. Network Monitoring: Alert on RDP becoming enabled on client systems, on concurrent interactive sessions, on the ctrlPipe named pipe, on writes to termsrv.dll or RDP Wrapper files, and on long-lived outbound connections to the listed infrastructure or to TCP port 7000 from hosts with no business reason for it.
4. Access Controls: Enforce least privilege so that a compromised user account cannot install RDP Wrapper or alter terminal services settings, and so that stolen credentials unlock as little as possible.
5. Incident Response Planning: Develop and regularly update incident response plans so that a host showing these indicators can be isolated, imaged, and rebuilt quickly.
By adopting these proactive measures, organizations can enhance their resilience against sophisticated threats like the CTRL toolkit and safeguard their systems from unauthorized access and data exfiltration.