Ransomware Groups Use Tor-Based Backdoor for Persistent Access


In 2020 and 2021, Secureworks® Counter Threat Unit™ (CTU) researchers observed several threat groups using the official Tor client to create a backdoor with persistent access to compromised networks via Remote Desktop Protocol (RDP). Third-party researchers documented similar activity during a mid-2018 intrusion. The Tor client can be used to create a local SOCKS proxy that allows proxy-aware applications to access the Tor network. Tor can also create Onion Services (originally known as hidden services) that can then be accessed through the Tor network. The threat actors create an Onion Service that allows a remote attacker to connect to the RDP service on the compromised host.


By default, Tor stores metadata used to maintain a connection to the Tor network in the %APPDATA%\tor directory. The location of this directory can be changed by modifying the DataDirectory directive in the configuration file. An alternative path to a configuration file can be provided to the Tor client at runtime with the -f command-line parameter. The folder's creation time is the moment Tor was first executed by the user. Within this directory, the "lock" file's modification timestamp matches the time the Tor client was last executed. Tor periodically updates the "state" file; its modification timestamp can vary up to a few minutes from the Tor client's last activity.
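The following triage script is an added example, not Secureworks tooling or the Tor project's own code: it collects the data-directory, "lock" and "state" timestamps described above and flags HiddenServicePort directives that publish the host's RDP port (3389) as an Onion Service. It assumes the torrc sits in the data directory unless a path is given (mirroring the -f option), and the sample directory it builds is constructed for demonstration.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Real Tor directive: "HiddenServicePort <virtport> [<target>]"; with no target
# Tor forwards to 127.0.0.1:<virtport>.
_HS_PORT = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", re.I)
RDP_PORT = "3389"

def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def rdp_hidden_services(torrc_text):
    """Return HiddenServicePort lines that expose the host's RDP port as an onion service."""
    hits = []
    for line in torrc_text.splitlines():
        m = _HS_PORT.match(line)
        if m and (m.group(1) == RDP_PORT or (m.group(2) or "").endswith(":" + RDP_PORT)):
            hits.append(line.strip())
    return hits

def triage_tor_dir(data_dir, torrc_path=None):
    """Collect the timestamps the article ties to Tor execution, plus any RDP onion service."""
    data_dir = Path(data_dir)
    if not data_dir.is_dir():
        return None
    st = data_dir.stat()
    torrc = Path(torrc_path) if torrc_path else data_dir / "torrc"  # assumed location
    report = {
        # st_birthtime is creation time where the OS reports it; st_ctime otherwise
        "first_run": _utc(getattr(st, "st_birthtime", st.st_ctime)),
        "last_run": None, "last_activity": None, "rdp_onion_services": []}
    if (data_dir / "lock").exists():       # mtime == last time Tor was started
        report["last_run"] = _utc((data_dir / "lock").stat().st_mtime)
    if (data_dir / "state").exists():      # mtime within minutes of last activity
        report["last_activity"] = _utc((data_dir / "state").stat().st_mtime)
    if torrc.exists():
        report["rdp_onion_services"] = rdp_hidden_services(torrc.read_text())
    return report

def build_sample():
    """Constructed sample directory (not real evidence) shaped like the intrusions above."""
    root = Path(tempfile.mkdtemp(prefix="tor_triage_"))
    (root / "lock").write_text("")
    (root / "state").write_text("# Tor state file\n")
    (root / "torrc").write_text(
        f"DataDirectory {root}\nHiddenServiceDir {root / 'rdp'}\n"
        "HiddenServicePort 3389 127.0.0.1:3389\n")
    return root

if __name__ == "__main__":
    # On a live Windows host pass os.path.expandvars(r"%APPDATA%\tor") instead.
    print(triage_tor_dir(build_sample()))
```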


While running, the Tor client maintains an open session with the Tor network that brokers inbound connections to the Onion Service. When a remote attacker connects to the onion address and port pair registered as the Onion Service, the con ..
