Desktop sharing software is a popular tool used by malicious cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns. Corrupt insiders with vindictive and/or larcenous motivations can also use the software to victimize employers. Desktop sharing software gives cyber actors the ability to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to other Remote Access Trojans (RATs). Desktop sharing software’s legitimate use, however, makes its presence less suspicious to end users and system administrators compared to typical RATs.
The FBI has observed corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the Financial Services and Information Technology sectors. Cyber actors monetize this activity through the following techniques:
- Using access granted by desktop sharing software to perform fraudulent wire transfers.
- Injecting malicious code, which allows the cyber actors to hide desktop sharing software windows, protect malware files from being detected, and control desktop sharing software startup parameters to obfuscate their activity.
- Moving laterally across a network to increase the scope of activity.
The following measures may help protect against this scheme:
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials
- If possible, use multiple factor authentication
- Audit logs for all remote connection protocols
- Train users to identify and report attempts at social engineering
- Identify and suspend access of users exhibiting unusual activity
- Keep software updated