In the last three years, hackers unknowingly seeking data or malware deployment have found a seemingly vulnerable virtual machine that is hosted in the U.S., which in reality, is a cleverly designed trap.

While this cleverly designed, trap has been implanted by cybersecurity researchers to trick the hackers and make them reveal their dark secrets with the help of a honeypot.

Over 2,000 hackers breached a machine, letting GoSecure experts invisibly record their actions, including:-

  • Screen activity
  • Mouse clicks
  • Data grabs
  • Metadata

Trap for Hackers

Using their RDP interception tool, GoSecure gathered extensive info on attackers, shared in a groundbreaking presentation at BlackHat USA:-

  • I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft

While this story includes luring, understanding, characterizing, and dealing with threat actors to shift focus to advanced threats.

Threat actors like ransomware groups, exploit Remote Desktop Protocol (RDP) actively. That’s why to examine this; experts have crafted PyRDP, an open-source interception tool with the following key capabilities:-

  • Unmatched screen
  • Track Keyboard
  • Monitor mouseclicks
  • Clipboard data collection
  • File collection
FREE Webinar

API Security Fundamentals: How to Discover, Scan and Protect APIs

API Attacks Have Increased by 400% – Understand the Fundamentals of Protecting Your APIs with a Positive Security Model – Register Now for a Free Webinar

Data captured

Moreover, security researchers at GoSecure built and set up a custom-designed cloud-based honeynet trap with RDP Windows servers and then ran them for 3-years.

Within a span of 3-years, they managed to accumulate several essential data and more than 190 million events which include:- 

  • 100 hours of video footage
  • 470 files collected from threat actors
  • Over 20,000 RDP captures 

Grouping Hackers

All the data that are gathered by the security analysts are used to categorize the hackers into different specified groups based on their behavior.

Here below we have mentioned all the groupings of the hackers:-

  • Rangers: This group extensively explores folders, assesses performance, and conducts reconnaissance through clicks or scripts, likely assessing compromised systems for future attacks.

Watch them in action:-

  • Thieves: This group exploits RDP access, taking control by altering credentials and engaging in various monetization activities, including traffmonetizer, pay-to-surf browsers, crypto miners, and Android emulators for mobile fraud.
  • Barbarians: This group employs a diverse toolkit for widespread brute-force attacks, leveraging compromised systems with IP lists, usernames, and passwords.
  • Wizards: This group cleverly uses RDP access as a portal for connecting to other similarly compromised computers, enhancing their operational security. Skillfully leveraging ‘living off the land’ techniques, so, monitoring them is important for in-depth threat intel.

Watch them in action:-

  • Bards: This group lacks hacking skills and uses the system for simple tasks, possibly buying RDP access from Initial Access Brokers (IABs) who compromise it.

However, this GoSecure showcase highlights the vast potential of RDP for research, law enforcement, and defense teams. Legal interception of ransomware RDP setups aids investigations through recorded session intelligence.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.


Please enter your comment!
Please enter your name here