We have been receiving a steady stream of infection reports, particularly from the APAC and NABU regions, about a malware family that propagates over the Remote Desktop Protocol (RDP).
Detected as WORM_MORTO.SMA, the malware drops its component files, among them a .DLL named clb.dll that is written to the %Windows% folder and detected as WORM_MORTO.SM. WORM_MORTO.SM acts as the loader for the rest of the malware, and its placement abuses the order in which Windows searches for DLLs: the directory of the executable being launched is searched before the %System% folder. Because regedit.exe itself resides in the %Windows% folder, the rogue clb.dll sitting beside it is found and loaded before the legitimate clb.dll in the %System% folder whenever regedit.exe is executed.
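To make the search-order point concrete, here is an added illustration (not Trend Micro's code and not part of the original post) that models the documented default Windows DLL search order and resolves a DLL name against a constructed directory listing. It shows why a clb.dll in %Windows% wins for regedit.exe but would lose to the %System% copy for a program installed elsewhere. The listing, the paths and the helper names are assumptions made for the example; the model deliberately ignores KnownDLLs, manifests and DLL redirection, any of which can change the real outcome.

```python
"""Model of the default (SafeDllSearchMode) Windows DLL search order.

Added example, not code from the original article. Order modelled:
directory of the executable, %SystemRoot%\\System32, %SystemRoot%\\System
(16-bit system dir), %SystemRoot%, the current directory, then PATH.
KnownDLLs, manifests and redirection are not modelled (assumption).
"""
from pathlib import PureWindowsPath

SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")  # assumed install root


def search_order(exe_path, cwd=r"C:\Users\alice", path_dirs=()):
    """Directories probed, in order, when the process at exe_path loads a DLL."""
    exe_dir = PureWindowsPath(exe_path).parent
    return [
        exe_dir,
        SYSTEM_ROOT / "System32",
        SYSTEM_ROOT / "System",
        SYSTEM_ROOT,
        PureWindowsPath(cwd),
        *(PureWindowsPath(p) for p in path_dirs),
    ]


def resolve_dll(dll_name, exe_path, files_on_disk, cwd=r"C:\Users\alice", path_dirs=()):
    """Return the on-disk path that the loader would pick for dll_name, or None.

    files_on_disk is a constructed list of full paths standing in for a real
    directory walk; comparison is case-insensitive like NTFS.
    """
    present = {str(PureWindowsPath(f)).lower(): f for f in files_on_disk}
    for directory in search_order(exe_path, cwd, path_dirs):
        candidate = str(directory / dll_name).lower()
        if candidate in present:
            return present[candidate]
    return None


def shadowed_system_dlls(exe_path, files_on_disk):
    """List (dll_name, winning_path) for every System32 DLL that a copy earlier
    in the search order would shadow when exe_path runs. This is exactly the
    condition Morto creates for regedit.exe with its clb.dll in %Windows%."""
    sys32 = str(SYSTEM_ROOT / "System32").lower()
    findings = []
    for f in files_on_disk:
        p = PureWindowsPath(f)
        if str(p.parent).lower() != sys32 or p.suffix.lower() != ".dll":
            continue
        winner = resolve_dll(p.name, exe_path, files_on_disk)
        if winner is not None and str(PureWindowsPath(winner)).lower() != str(p).lower():
            findings.append((p.name, winner))
    return findings


# Constructed listings (not real disk snapshots).
CLEAN_DISK = [r"C:\Windows\System32\clb.dll", r"C:\Windows\regedit.exe"]
INFECTED_DISK = CLEAN_DISK + [r"C:\Windows\clb.dll"]

REGEDIT = r"C:\Windows\regedit.exe"
OTHER_APP = r"C:\Program Files\SomeVendor\app.exe"  # hypothetical program

if __name__ == "__main__":
    print("clean, regedit  :", resolve_dll("clb.dll", REGEDIT, CLEAN_DISK))
    print("infected, regedit:", resolve_dll("clb.dll", REGEDIT, INFECTED_DISK))
    print("infected, other  :", resolve_dll("clb.dll", OTHER_APP, INFECTED_DISK))
    print("shadowed for regedit:", shadowed_system_dlls(REGEDIT, INFECTED_DISK))
```

The third call is the instructive one: for an executable outside %Windows%, System32 is probed before %Windows%, so the planted clb.dll is never reached. Morto's choice of regedit.exe is what makes the hijack work, because the application directory is searched first.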
When WORM_MORTO.SM loads, it decrypts a file that contains the malware's payload. The payload then searches for systems reachable from the infected host that accept Remote Desktop connections and attempts to log in to each as the administrator account using a predefined list of passwords. Once a login succeeds, it drops a copy of WORM_MORTO.SM into a temporary directory on the newly compromised system.
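Password guessing over RDP leaves a recognisable trail in the target's Security log: a burst of failed logons from one source address against the same account, followed by a success if a password on the list matched. The detection logic below is an added example (not Trend Micro's code and not from the original post) that runs over a handful of constructed Windows logon events. It assumes Vista-era event IDs (4625 for a failed logon, 4624 for a success) and that the events have already been parsed into dictionaries; the field names, threshold and sample addresses are assumptions made for the example.

```python
"""Flag RDP password-guessing bursts and a subsequent successful logon.

Added example, not code from the original article. Events are constructed
records (not from a real incident) shaped like parsed 4625/4624 entries.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication
# is enabled, a failed CredSSP pre-authentication is commonly recorded as
# logon type 3 instead, so both are treated as RDP-related here (assumption).
RDP_LOGON_TYPES = {10, 3}

# Constructed sample log: six guesses against Administrator from one host in
# fifteen seconds, then a success from that host, then one unrelated typo.
SAMPLE_EVENTS = [
    {"time": "2011-08-28T10:00:01", "id": 4625, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:00:04", "id": 4625, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:00:07", "id": 4625, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:00:10", "id": 4625, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:00:13", "id": 4625, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:00:16", "id": 4625, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:00:20", "id": 4624, "user": "Administrator", "ip": "10.0.0.7", "logon_type": 10},
    {"time": "2011-08-28T10:05:00", "id": 4625, "user": "bob", "ip": "10.0.0.9", "logon_type": 10},
    {"time": "2011-08-28T10:06:00", "id": 4624, "user": "bob", "ip": "10.0.0.9", "logon_type": 10},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return (flagged, compromised).

    flagged:     {source_ip: time the failure count first reached threshold
                  within the sliding window}
    compromised: [(source_ip, user, time)] for successful RDP logons from a
                 source that had already been flagged, i.e. a guess worked.
    """
    recent_failures = defaultdict(deque)  # ip -> failure times inside window
    flagged = {}
    compromised = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        if ev["id"] == 4625:
            q = recent_failures[ip]
            q.append(t)
            while q and t - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = t
        elif ev["id"] == 4624 and ip in flagged:
            compromised.append((ip, ev["user"], t))
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, first_seen in flagged.items():
        print(f"password guessing from {ip}, threshold reached at {first_seen}")
    for ip, user, when in compromised:
        print(f"ALERT: {ip} logged in as {user} at {when} after guessing")
```

The single failure from 10.0.0.9 never reaches the threshold, so its later success is ignored; the host that guessed six times and then got in is reported as a probable compromise, which is the case to escalate rather than just the burst of failures.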
Dropping files is not the only thing an attacker can do once a system has been reached over RDP. The protocol is designed to give a remote user interactive control of an entire system, so a successful login hands a cybercriminal complete access to the infected machine.
According to my colleague Karl Dominguez, this attack appears to aim at giving an attacker full control of an infected system, and of the whole network, since the malware logs in using an administrator account. Anything can be done on the system at this point, including information theft, especially if the malware infiltrates servers.
Trend Micro customers are protected from this threat: the malicious files are now detected as WORM_MORTO.SMA and WORM_MORTO.SM, and the URLs the malware uses to access its servers are now blocked.
To prevent this threat, and similar ones, users are advised to use strong passwords on every account that can log in over RDP (the worm only succeeds where a password appears on its list) and to keep the firewall enabled so that the Remote Desktop port is not exposed unnecessarily. Network administrators are also encouraged to require a secure VPN connection before allowing users to use Remote Desktop Connection; an account lockout policy additionally limits how many guesses a predefined password list can make against any one account.