Cybersecurity researchers from ASEC (AhnLab Security Emergency Response Center) have discovered that the operators of the Crysis ransomware are also actively using the Venus ransomware in their operations.
Crysis and Venus are both well known for targeting Remote Desktop Protocol (RDP) services that are exposed to the Internet. AhnLab Smart Defense (ASD) logs show the attackers launching their attacks through RDP.
The attackers use RDP to find active and accessible systems. Once they identify vulnerable systems, they carry out a brute-force or dictionary attack against accounts with weak credentials, which gives them easy access to the system.
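The password-guessing stage described above leaves a characteristic trail in the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, followed by a success (Event ID 4624). The following is an added example written for this page, not code from ASEC or from the report it summarizes; it parses constructed log lines in a simplified key=value layout (real Security log records are XML or event-viewer text, so the parser would need adapting) and flags a source that exceeds a failure threshold inside a sliding window and then logs in.

```python
"""Detect RDP password guessing (brute-force / dictionary) in logon records.

Added example, not from the ASEC report. Event IDs 4625 (failed logon) and
4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are
real Windows values; the log line format below is a constructed simplification.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): one source guesses several
# accounts and finally succeeds, one user mistypes once, one local failure.
SAMPLE_LOG = """\
2023-05-10T02:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2023-05-10T02:00:03 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.45
2023-05-10T02:00:05 EventID=4625 LogonType=10 Account=admin Source=203.0.113.45
2023-05-10T02:00:07 EventID=4625 LogonType=10 Account=backup Source=203.0.113.45
2023-05-10T02:00:09 EventID=4625 LogonType=10 Account=user1 Source=203.0.113.45
2023-05-10T02:00:12 EventID=4624 LogonType=10 Account=backup Source=203.0.113.45
2023-05-10T02:15:00 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.7
2023-05-10T02:16:00 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.7
2023-05-10T03:00:00 EventID=4625 LogonType=2 Account=jsmith Source=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "account": m["acct"],
        "source": m["src"],
    }


def detect_rdp_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold RDP failures inside `window`,
    plus a second alert if such a source then logs in successfully."""
    recent = defaultdict(deque)  # source -> deque of (time, account) failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # ignore unparsable lines and non-RDP logons
        src, q = ev["source"], recent[ev["source"]]
        # Slide the window: drop failures older than `window`.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if ev["event_id"] == FAILED_LOGON:
            q.append((ev["time"], ev["account"]))
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "source": src,
                    "failures": len(q),
                    "accounts": sorted({acct for _, acct in q}),
                })
        elif ev["event_id"] == SUCCESS_LOGON and src in flagged and q:
            # A success from a flagged source while failures are still in the
            # window is the strongest signal: the guessing likely worked.
            alerts.append({
                "type": "rdp_success_after_bruteforce",
                "source": src,
                "account": ev["account"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_password_guessing(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately parameters: a single mistyped password from a legitimate user (the 198.51.100.7 source above) must not trip the rule, while many failures across several account names from one address inside a few minutes is the dictionary-attack shape the report describes. The "success after burst" alert is the one worth paging on, because it marks the moment the attacker obtained the foothold from which the malware is later installed.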
After gaining access, the attackers behind Venus use RDP as their attack vector, and the various types of malware they install are launched through the legitimate Windows Explorer process, explorer.exe.
Furthermore, the attacker also uses the Crysis ransomware for network attacks, specifically targeting RDP services that are exposed externally. If successful, the attacker infects the targeted systems with the Crysis ransomware over RDP.
Once a system is infected, the attacker deploys various scanners and tools, including a port scanner and Mimikatz, to steal account credentials. They also use RDP to scan the network and determine whether the infected system belongs to a particular network. If it does, the ransomware operator performs internal reconnaissance, collects credentials, and encrypts other systems on the network, moving laterally within it.
Once launched, Crysis displays a ransom note, as does Venus; victims are given 48 hours to make contact.
These attacks serve as a reminder that ransomware poses a serious threat to data security and to businesses. They also show how attackers use RDP both to penetrate systems and to spread malware. Users are advised to keep their software up to date, use complex passwords for RDP accounts, back up their data, and be cautious when opening unknown attachments or links.