Cloud Atlas APT Group Enhances Stealth with termsrv.dll Modification for Multiple RDP Sessions
The Cloud Atlas advanced persistent threat (APT) group, active since at least 2014, has recently intensified its cyber espionage activities by employing a sophisticated technique that modifies the Windows system file `termsrv.dll`. This modification enables multiple concurrent Remote Desktop Protocol (RDP) sessions on compromised systems, allowing attackers to maintain a persistent and stealthy presence without disrupting legitimate user activities.
Background on Cloud Atlas
Cloud Atlas has a history of targeting government agencies and diplomatic organizations, particularly in Eastern Europe and Central Asia. The group’s campaigns have evolved over time, incorporating advanced tactics to evade detection and maintain long-term access to sensitive networks.
Initial Attack Vector
The group’s recent campaigns typically begin with phishing emails containing malicious attachments. These emails often include ZIP archives with shortcut files that, when executed, run PowerShell scripts from external servers. These scripts establish persistence, deploy decoy documents to distract users, and install various payloads, including backdoors like VBCloud and reconnaissance tools such as PowerShower.
Modification of termsrv.dll
Once inside a network, Cloud Atlas employs a PowerShell script named `rdp_new.ps1` to modify the `termsrv.dll` file on Windows 10 systems. This file controls the behavior of the Remote Desktop service, which by default limits the system to a single concurrent RDP session. The script performs the following actions:
1. Firewall Configuration: Adds a rule to allow RDP traffic and relaxes remote access security settings.
2. File Ownership and Permissions: Takes ownership of `termsrv.dll` and grants itself full access rights to the file.
3. Byte Sequence Replacement: Replaces specific byte sequences within `termsrv.dll` to remove the single-session restriction.
4. Service Restart: Restarts the RDP service to apply the changes.
This modification allows attackers to establish multiple RDP sessions concurrently, enabling them to operate in the background while legitimate users continue their activities, thereby reducing the likelihood of detection.
Implications and Detection Challenges
By altering a trusted system file, Cloud Atlas effectively bypasses many traditional security measures that monitor for unauthorized software installations or suspicious processes. This technique underscores the need for advanced detection strategies that can identify subtle changes to system files and unusual network behaviors.
Recommendations for Mitigation
To defend against such sophisticated attacks, organizations should consider implementing the following measures:
– Regular System Integrity Checks: Monitor critical system files for unauthorized modifications.
– Enhanced Network Monitoring: Detect unusual RDP session activities and concurrent sessions.
– User Education: Train employees to recognize phishing attempts and avoid executing unknown attachments.
– Patch Management: Keep systems updated to mitigate vulnerabilities exploited by attackers.
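The integrity and session checks recommended above can be scripted against the same artefacts the `rdp_new.ps1` steps touch: the file's signature, its owner, its hash, and the number of active RDP sessions. The following PowerShell script is an added example written for this article, not code from the Cloud Atlas report or any vendor; it assumes it is run as an administrator on the Windows 10 host being checked, and the `TERMSRV_BASELINE_SHA256` environment variable is an optional, self-recorded baseline hash.

```powershell
# Added example (not from the original report): detects tampering with termsrv.dll
# and more than one active RDP session. Run elevated on the host being checked.

$dll = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$findings = @()

# 1. Signature check: a byte-patched termsrv.dll no longer matches the Microsoft
#    signature (embedded or catalog), so the status drops from 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $dll
if ($sig.Status -ne 'Valid') {
    $findings += "termsrv.dll signature status is '$($sig.Status)' (expected 'Valid')"
}

# 2. Ownership check: the attacker script takes ownership of the file before
#    patching it; on a clean system the owner is TrustedInstaller.
$owner = (Get-Acl -Path $dll).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "termsrv.dll owner is '$owner' (expected 'NT SERVICE\TrustedInstaller')"
}

# 3. Hash check against a baseline you recorded yourself on a known-clean build
#    (assumed environment variable; the check is skipped when it is not set).
$baseline = $env:TERMSRV_BASELINE_SHA256
$hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
if ($baseline -and ($hash -ne $baseline)) {
    $findings += "termsrv.dll SHA256 $hash does not match recorded baseline $baseline"
}

# 4. Session check: a stock Windows 10 allows one RDP session, so two or more
#    'Active' rdp-tcp# sessions in 'query session' output are anomalous.
$active = @(query session 2>$null |
    Select-String -Pattern '^\s*>?rdp-tcp#\d+' |
    Where-Object { $_.Line -match '\bActive\b' })
if ($active.Count -gt 1) {
    $findings += "$($active.Count) concurrent active RDP sessions: " +
        (($active | ForEach-Object { $_.Line.Trim() }) -join ' | ')
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: termsrv.dll intact and at most one active RDP session'
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
}
```

Any ALERT line warrants pulling the host's file-change and RDP logon events for the same window; scheduling the script to run periodically turns the integrity check into a lightweight continuous control.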
By adopting a comprehensive security posture that includes these strategies, organizations can better protect themselves against the evolving tactics of APT groups like Cloud Atlas.