Threat actors breaching company networks are deploying a cornucopia of malware over the remote desktop protocol (RDP), without leaving a trace on target hosts.
Cryptocurrency miners, info-stealers, and ransomware are executed in RAM using a remote connection, which also serves for exfiltrating useful information from compromised machines.
Exploiting Windows RDS features
The attackers leveraged a feature in Windows Remote Desktop Services that allows a client to share local drives to a Terminal Server with read and write permissions.
These drives appear on the server as a share on a virtual network location called 'tsclient' followed by the letter of the drive and can be mapped locally.