Ransomware Group Harvests Remote Desktop Logins from Victim Systems

By MRAdmin

Qilin ransomware uses a PowerShell script to extract and exfiltrate stored RDP connection records from the Windows registry to plan its lateral movement.

RDP Credential Harvesting

Researchers have identified that the Qilin ransomware operation includes a module specifically designed to extract Remote Desktop Protocol (RDP) connection history from compromised Windows servers. The component reads the registry records that the Remote Desktop client keeps for previous outbound sessions, giving the attackers a list of the hosts each user has connected to from the machine and the username that was used for each connection.

The malicious code targets the `Terminal Server Client` key in each user's registry hive, which the Remote Desktop client populates on every successful connection: the `Servers` subkey holds one entry per remote host with the last username entered for it (the `UsernameHint` value), and the `Default` subkey keeps the most-recently-used host list. No passwords are stored there, but by parsing this data the ransomware can identify high-value accounts and the systems they routinely reach, which is precisely what is needed to plan lateral movement and privilege escalation within the victim’s environment.

Attack Chain and Impact

Once Qilin gains initial access, it deploys a PowerShell script to enumerate the RDP connection history. The script extracts the `Terminal Server Client` registry entries and writes the findings to a text file. This file is then exfiltrated alongside other stolen data before the encryption payload is executed. No specific CVEs are associated with this technique because it abuses legitimate system functions.
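The following PowerShell is an added illustration, not the Qilin script or any code from the source. It reads the same `Terminal Server Client` records the attackers collect, either for the current user or, when run elevated on a server, for every loaded user hive, so a defender can see what an intruder on that host would learn. The `PrivilegedPattern` regex used to flag high-value username hints is an assumed local naming convention, not something the article states.

```powershell
# Added example, not the Qilin script: audit the outbound RDP history that
# Windows records under the Terminal Server Client key, for the current user
# or for every loaded user hive on the host (run elevated for -AllUsers).
function Get-RdpConnectionHistory {
    [CmdletBinding()]
    param(
        [switch]$AllUsers,
        # Assumed naming convention for flagging high-value hints; adjust locally.
        [string]$PrivilegedPattern = '(?i)admin|svc|sql|backup|da$'
    )

    if ($AllUsers) {
        # Loaded user hives are named by SID; domain/local user SIDs start S-1-5-21.
        $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
            ForEach-Object {
                @{ Owner = $_.PSChildName; Path = "Registry::HKEY_USERS\$($_.PSChildName)" }
            }
    } else {
        $hives = @(@{ Owner = $env:USERNAME; Path = 'HKCU:' })
    }

    foreach ($hive in $hives) {
        $base = "$($hive.Path)\Software\Microsoft\Terminal Server Client"
        if (-not (Test-Path -Path $base)) { continue }

        # Default\MRU0..MRUn is the recently used host list, most recent first.
        $mru = @()
        $default = "$base\Default"
        if (Test-Path -Path $default) {
            $mru = @((Get-ItemProperty -Path $default).PSObject.Properties |
                Where-Object { $_.Name -match '^MRU\d+$' } |
                Sort-Object { [int]($_.Name.Substring(3)) } |
                ForEach-Object { $_.Value })
        }

        # Servers\<host> is created per remote host; UsernameHint is the last
        # username typed for it. Only the hint is stored, never the password.
        $servers = "$base\Servers"
        if (-not (Test-Path -Path $servers)) { continue }
        foreach ($key in Get-ChildItem -Path $servers) {
            $hint = (Get-ItemProperty -Path $key.PSPath -Name UsernameHint `
                        -ErrorAction SilentlyContinue).UsernameHint
            [pscustomobject]@{
                Owner        = $hive.Owner
                Server       = $key.PSChildName
                UsernameHint = $hint
                MruRank      = [array]::IndexOf($mru, $key.PSChildName)  # -1 if not in MRU
                Privileged   = [bool]($hint -and $hint -match $PrivilegedPattern)
            }
        }
    }
}

# Example use on a jump host: list every profile's cached RDP targets and
# flag the username hints that match the privileged-name pattern.
Get-RdpConnectionHistory -AllUsers | Where-Object Privileged | Format-Table -AutoSize

# Export in the same shape an attacker would exfiltrate, to review exposure.
Get-RdpConnectionHistory -AllUsers | Export-Csv -Path .\rdp-history.csv -NoTypeInformation
```

Two practical notes follow from this. First, the data is an inventory of trust paths: a `UsernameHint` of a domain admin on a server that many people log into tells an intruder where that account is typed, so those hints should be cleared (`Remove-Item` on the matching `Servers\<host>` subkey and the `Default` MRU values) and the habit of using privileged accounts from shared hosts reviewed. Second, Sysmon registry events record key and value writes, not reads, so a script enumerating this key leaves no Sysmon trace by itself; to see reads you need a SACL on the key with "Query Value" audited and the Audit Registry subcategory enabled, which produces event 4663, or you detect the surrounding behaviour (PowerShell writing a text file of hostnames, followed by the outbound transfer the article describes).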

The ability to harvest RDP history significantly amplifies the threat. By understanding which accounts and servers are commonly accessed via RDP, the attackers can pivot more effectively across the network. This technique increases the chances of reaching critical systems and data stores before triggering the encryption phase.

Source: Cyber Security News
