New Cyber Attack Weaponizes DeskSoft to Deploy Malware Leveraging RDP Access to Execute Commands

New Cyber Attack Exploits DeskSoft Software
A recent cyber attack has been identified targeting organizations through the malicious impersonation of DeskSoft’s EarthTime application. This attack deploys various malware families as part of a coordinated ransomware operation. The technique involves leveraging legitimate software to gain persistent access to enterprise networks.
Attack Methodology
The attack begins when a user downloads and runs what appears to be a legitimate copy of DeskSoft's EarthTime world clock utility. The executable instead deploys SectopRAT, which establishes the initial command and control channel. The lure relies on users' familiarity with legitimate software, which lets it slip past initial security awareness measures.
The attack employs multiple malware families, including SystemBC for proxy tunneling and the Betruger backdoor for additional capabilities. Analysts have identified connections to three major ransomware operations—Play, RansomHub, and DragonForce—suggesting a cross-group affiliate operation across multiple ransomware-as-a-service platforms.
Persistence and Lateral Movement
Following initial compromise, attackers establish persistence through startup folder shortcuts and create local administrative accounts. The malware chain uses reconnaissance tools such as AdFind, SharpHound, and SoftPerfect NetScan for comprehensive environment mapping before lateral movement activities commence.
The primary lateral movement mechanism relies on Remote Desktop Protocol connections, supplemented by Impacket’s wmiexec utility. This combination allows attackers to traverse network segments while maintaining operational security through SystemBC’s proxy capabilities.
Advanced Persistence and Evasion Mechanisms
The malware exhibits sophisticated defense evasion techniques, complicating detection and remediation efforts. The initial EarthTime.exe executable employs process injection to compromise legitimate Windows processes, specifically targeting MSBuild.exe for payload execution. This technique allows execution within the context of a trusted Microsoft binary, potentially evading security solutions reliant on process reputation.
The persistence mechanism is multi-stage and uses the Windows Background Intelligent Transfer Service (BITS). The malware relocates itself to C:\Users\<USER>\AppData\Roaming\QuickAgent2\ChromeAlt_dbg.exe, masquerading as a Chrome debugging utility, and creates a startup shortcut so that it runs again after every reboot.
Additional techniques include timestamp manipulation, which alters file creation timestamps to complicate forensic analysis. Registry modifications target Windows Defender's core functionality, disabling real-time scanning, behavior monitoring, and network protection at the policy level under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\.
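The indicators in this section and in the lateral movement section above (an MSBuild.exe child of the dropper, a Start Menu startup shortcut, an executable dropped under AppData\Roaming, a Defender policy value being disabled, RDP logons, and wmiexec-style command execution) map naturally onto host-telemetry detection rules. The following is an added example written for this page, not code from the report or its analysts. The events are constructed, simplified Sysmon/Security-log style records; the field names, the `DisableRealtimeMonitoring` policy value chosen for the sample, and the rule thresholds are assumptions for illustration. The wmiexec rule relies on the publicly known behaviour of Impacket's wmiexec, which launches cmd.exe under WmiPrvSE.exe and redirects output to a `__<timestamp>` file on the ADMIN$ share.

```python
"""Detection rules for the host indicators described in this report, run over
constructed sample events. Added example; not code from the report."""
import re

# Constructed sample telemetry (Sysmon/Security-log style, heavily simplified).
# Field names are assumptions for this example, not a specific SIEM schema.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\alice\Downloads\EarthTime.exe", "cmdline": "MSBuild.exe"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\ChromeAlt.lnk"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Roaming\QuickAgent2\ChromeAlt_dbg.exe"},
    {"kind": "registry", "value": "1",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
            r"\Real-Time Protection\DisableRealtimeMonitoring"},
    {"kind": "logon", "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.9 2>&1"},
    # Benign noise that must not trigger any rule.
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"kind": "logon", "logon_type": 2, "user": "alice", "src_ip": "-"},
]

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\.+\.exe$", re.IGNORECASE)
DEFENDER_POLICY = re.compile(r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
                             re.IGNORECASE)
# wmiexec pattern: output redirected to ADMIN$\__<timestamp> (assumed, well documented).
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\S+\s+2>&1", re.IGNORECASE)
# Parents from which MSBuild.exe is normally launched (assumption; tune per estate).
TRUSTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_msbuild_unexpected_parent(e):
    # Matches the injection path in the report: a user-downloaded dropper starting MSBuild.exe.
    return (e["kind"] == "process" and basename(e["image"]) == "msbuild.exe"
            and basename(e["parent"]) not in TRUSTED_MSBUILD_PARENTS)


def rule_startup_shortcut(e):
    return e["kind"] == "file" and bool(STARTUP_LNK.search(e["path"]))


def rule_roaming_exe_drop(e):
    # Low-fidelity hunt signal: executables written under AppData\Roaming (noisy on its own).
    return e["kind"] == "file" and bool(ROAMING_EXE.search(e["path"]))


def rule_defender_policy_disabled(e):
    # Any Disable* value set to 1 under the Defender policy key named in the report.
    if e["kind"] != "registry" or not DEFENDER_POLICY.match(e["key"]):
        return False
    value_name = e["key"].rsplit("\\", 1)[-1].lower()
    return value_name.startswith("disable") and e["value"] == "1"


def rule_rdp_logon(e):
    # Logon type 10 is RemoteInteractive (RDP); correlate with other hits rather than alert alone.
    return e["kind"] == "logon" and e["logon_type"] == 10


def rule_wmiexec_style_exec(e):
    return (e["kind"] == "process" and basename(e["parent"]) == "wmiprvse.exe"
            and bool(WMIEXEC_REDIRECT.search(e["cmdline"])))


RULES = {
    "msbuild_unexpected_parent": rule_msbuild_unexpected_parent,
    "startup_folder_shortcut": rule_startup_shortcut,
    "roaming_exe_drop": rule_roaming_exe_drop,
    "defender_policy_disabled": rule_defender_policy_disabled,
    "rdp_interactive_logon": rule_rdp_logon,
    "wmiexec_style_exec": rule_wmiexec_style_exec,
}


def detect(events):
    """Return (rule_name, event_index) for every event that trips a rule."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name:28s} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The individual rules vary in fidelity: the MSBuild parent check, the Defender policy tamper, and the wmiexec command-line shape are specific enough to alert on, while the RDP logon and AppData\Roaming executable rules are hunt signals meant to be correlated with the others on the same host within a short window.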
The malware employs metadata spoofing to impersonate legitimate security products, with binaries containing falsified version information referencing SentinelOne and Avast Antivirus. Data exfiltration occurs through unencrypted FTP connections, allowing network monitoring solutions to capture credentials and transfer details in clear text, aiding incident response efforts.
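Because the exfiltration channel is unencrypted FTP, a capture of the control connection yields the login and every transfer in clear text. The parser below, an added example written for this page and not part of the report, reconstructs that timeline from a constructed control-channel capture (one message per line, `>` for client to server and `<` for server to client). The server address, credentials and file names in the capture are made up; the 227 passive-mode reply format and the 226/5xx status codes are standard FTP.

```python
"""Reconstruct credentials and transfers from a clear-text FTP control channel.
Added example, not from the report; the capture is constructed."""
import re

# Constructed capture of an FTP control channel (not real traffic).
CAPTURE = """\
< 220 ftp ready
> USER exfil
< 331 Please specify the password.
> PASS s3cret-ftp-pass
< 230 Login successful.
> TYPE I
< 200 Switching to Binary mode.
> PASV
< 227 Entering Passive Mode (198,51,100,7,195,80).
> STOR finance_q3.zip
< 150 Ok to send data.
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (198,51,100,7,200,11).
> STOR hr_export.7z
< 150 Ok to send data.
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (198,51,100,7,201,3).
> STOR secrets.db
< 550 Permission denied.
> PASV
< 227 Entering Passive Mode (198,51,100,7,202,9).
> RETR tools.exe
< 150 Opening BINARY mode data connection.
< 226 Transfer complete.
> QUIT
< 221 Goodbye.
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_endpoint(reply):
    """Decode a 227 reply: four address octets, then the port as p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = map(int, PASV_RE.search(reply).groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ftp_session(capture):
    session = {"user": None, "password": None, "transfers": []}
    pending = None   # data endpoint announced by the last 227, used by the next STOR/RETR
    current = None   # transfer awaiting its final reply
    for line in capture.splitlines():
        direction, _, msg = line.partition(" ")
        if direction == ">":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                session["user"] = arg
            elif verb == "PASS":
                session["password"] = arg
            elif verb in ("STOR", "RETR"):
                current = {"direction": "upload" if verb == "STOR" else "download",
                           "name": arg, "data_endpoint": pending, "status": "started"}
                session["transfers"].append(current)
                pending = None
        else:
            code = msg[:3]
            if code == "227":
                pending = pasv_endpoint(msg)
            elif code == "226" and current is not None:
                current["status"] = "complete"
                current = None
            elif code[:1] in "45" and current is not None:
                # Transient (4xx) or permanent (5xx) failure: the transfer did not happen.
                current["status"] = "failed"
                current = None
    return session


def exfiltrated_files(session):
    """Names of uploads the server acknowledged as complete."""
    return [t["name"] for t in session["transfers"]
            if t["direction"] == "upload" and t["status"] == "complete"]


if __name__ == "__main__":
    s = parse_ftp_session(CAPTURE)
    print("login:", s["user"], s["password"])
    for t in s["transfers"]:
        print(f'{t["direction"]:8s} {t["name"]:16s} {t["status"]:8s} -> {t["data_endpoint"]}')
```

The recovered data endpoints are what an incident responder would pivot on next: each passive-mode port identifies the data connection in the same capture, so the uploaded contents can be carved from it, and a failed STOR is kept in the record because it still documents what the operator attempted to take.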