Chinese-Speaking Underground Leveraging RDP for Carding

Many carding discussions on Chinese-speaking Deep & Dark Web forums have focused on a common topic during the past 12 months: RDP access.

Flashpoint analysts have observed threads on Chinese underground sites dating back to October 2017 related to remote desktop protocol access (RDP) to compromised machines. RDP was developed by Microsoft primarily for remote administration of Windows machines; it’s also supported on a number of other platforms for the same purpose. Criminals have also gravitated to using RDP to remotely access machines, primarily for payment card fraud, money laundering and other associated illicit carding activities. It can also be used for malware distribution, and there is growing interest in using it for cryptocurrency mining.

RDP Dominates Half of Chinese Underground Posts

In the 12-month period starting in October 2017, Flashpoint analysts observed that approximately half of the posts that contain the phrases “RDP,” “远程桌面协议” (“RDP”), or “3389” (Chinese slang for RDP) appear in posts that also contain the phrases “爆破” (brute force), “扫描” (scan), or “字典” (dictionary).

Multiple high-traffic Chinese forums and Chinese-speaking Telegram chat rooms contain these discussions with most of the participants seeking advice about how to gain remote access to machines (which explains the threads about dictionaries and brute-force tools), as well as solicitations for port-scanning tools. Criminals can use port scanners to look for exposed RDP connections to the internet. The brute-force tools are then implemented in order to exploit default or weak credentials guarding these ports.

Flashpoint analysts have also observed in some discussions that criminals are seeking advice about getting into carding and are being pointed toward using RDP rather than proxying connections or running their activity through a virtual private network (VPN).

RDP access to a compromised server or endpoint allows a criminal to obfuscate their identity or location as they carry out illicit activity. Typically, threat actors do not mention specific tactics, techniques, and procedures (TTPs) in forums for gaining illegitimate RDP access to machines when discussing carding schemes. Rather, these actors typically only state that leveraging compromised RDP hosts is an important part of the carding process. However, some threat actors have stated that their carding tutorials or other offerings detail how to obtain RDP access to compromised machines.

One carding tutorial promises video instruction on how to choose and buy the best payment card information, how to roll out an anonymous environment that will obfuscate the carding activity, and how to card using RDP. All communication from this particular vendor is carried out through Telegram.

Telegram Channels a Carding Hotbed

The growth of Telegram usage related to carding and obfuscation tools via RDP is also noteworthy in the Chinese underground. Telegram has been blocked in China as its government has put in place extensive laws that censor what sites and web-based services are available to its citizens. State-owned internet service providers and technology companies implement these restrictions, and legitimate and criminal entities must find other means to access banned services, usually through VPNs or available proxy services. Even those, however, have been restricted in the country to a large degree.

During the past few months, some Telegram channels have become a one-stop shop for carding needs. Rather than separate channels for stolen cards, personal information, and obfuscation tools, Flashpoint analysts have observed at least a half-dozen predominantly Chinese-speaking channels serving all of these needs including RDP tools.

The adoption of Telegram has also made it easier for threat actors from non-Chinese speaking regions to connect with Chinese carders. In fact, many carding tutorials offered in the Chinese-language underground show signs of originating from non-Chinese sources.

Chinese-speaking threat actors who appear very familiar with carding schemes and who provide guidance to novice carders show signs of having gained at least some of their carding knowledge from non-Chinese communities. This, in effect, allows for the continued dissemination of carding TTPs from non-Chinese communities to low-level Chinese-speaking threat actors who would otherwise likely not have access to such information.

Assessment

Flashpoint analysts assess that the current trend of interest and demand related to RDP for carding on Chinese underground forums will continue. The same is likely true for the continued growth of Telegram usage in the Chinese-speaking underground related to carding, as well as the influx of guidance and TTPs from non-Chinese communities to low-level Chinese-speaking threat actors who would otherwise likely not have access to such information.