Unlike other ransomware gangs, HardBit does not operate a data leak portal and focuses purely on encryption or data destruction for extortion.
The latest version of HardBit employs Neshta, a legacy Windows file infector active since 2003, as a dropper to deploy the ransomware payload.
When executed, Neshta reads its embedded ransomware binary, decrypts it, writes it into the %TEMP% directory, and launches it via ShellExecuteA.
To ensure persistence, it copies itself to %SYSTEMROOT%\svchost.com and edits the Windows Registry so that every .exe file opened triggers the malicious binary.
HardBit 4.0 introduces a passphrase protection mechanism that prevents analysis and unauthorized execution.
At runtime the malware requires an authorization key and an encryption key, both decoded with an RSA Decoder tool and a private key file. Without this key pair the malware will not run, which complicates automated and sandbox analysis by researchers.
The malware is distributed in both CLI and GUI versions, catering to attackers with different skill levels.
Uniquely, the GUI version features a “Wiper” mode, activated via a configuration file named hard.txt, which permanently erases data instead of encrypting it; this capability is believed to be offered to operators as an optional add-on.
While the exact infection vector remains unclear, attackers reportedly gain initial access by brute-forcing RDP and SMB services using tools like NLBrute.
Once a foothold is established, a custom batch script named !start.bat deploys Mimikatz to extract credentials and saves the output to Result.txt. These credentials enable the attackers to move laterally across the network via RDP.
During the reconnaissance phase, threat actors execute KPortScan 3.0, Advanced Port Scanner, and 5-NS new.exe to identify open ports and accessible network shares.
HardBit 4.0 further turns off Windows Defender protections via registry modifications and PowerShell commands, disabling features such as Real-Time Monitoring, Tamper Protection, and Anti-Spyware.
Before encryption, the ransomware stops critical security and backup services using commands such as net stop and deletes shadow copies using vssadmin and bcdedit to prevent recovery efforts.
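The pre-encryption steps described above (stopping services, deleting shadow copies, disabling Defender, and the Neshta .exe-handler hijack) all surface as process command lines, which is where a defender can catch them. The following Python is an added example, not code from the article or from Picus: it runs a handful of regular-expression rules over constructed sample command lines and raises an alert only when several distinct techniques appear on one host, since a lone `net stop` is routine administration. The cmdlet flag and registry paths are standard Windows ones; the rule names, thresholds and sample lines are my own choices.

```python
import re

# Constructed sample command lines (not from the article), shaped like what
# process-creation telemetry (Sysmon Event ID 1 / Windows 4688) records on one host.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\net.exe stop VSS /y",
    r"vssadmin.exe delete shadows /all /quiet",
    r"bcdedit.exe /set {default} recoveryenabled No",
    r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows Defender\Features /v TamperProtection /t REG_DWORD /d 0 /f",
    r"reg.exe add HKCR\exefile\shell\open\command /ve /d C:\Windows\svchost.com /f",
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",  # benign control line
]

# One rule per behaviour the article attributes to HardBit 4.0 or its Neshta dropper.
RULES = {
    "stop_services": re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\S+", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "defender_realtime_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "tamper_protection_off": re.compile(r"Windows Defender\\Features\b.*\bTamperProtection\b.*\s/d\s+0\b", re.I),
    "exefile_handler_hijack": re.compile(r"exefile\\shell\\open\\command", re.I),
}


def match_rules(cmdline):
    """Return the names of every rule that matches a single command line."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def assess_host(cmdlines, threshold=2):
    """Count distinct techniques seen across one host's command lines.

    A single 'net stop' is ordinary admin work; several distinct pre-encryption
    steps on the same host in the same window is the signal worth alerting on.
    Returns the sorted technique names, an alert flag, and the first command
    line that triggered each technique as evidence for the analyst."""
    hits = {}
    for cmd in cmdlines:
        for name in match_rules(cmd):
            hits.setdefault(name, cmd)
    return {"techniques": sorted(hits), "alert": len(hits) >= threshold, "evidence": hits}


if __name__ == "__main__":
    result = assess_host(SAMPLE_CMDLINES)
    for name in result["techniques"]:
        print(f"{name:24} <- {result['evidence'][name]}")
    print("ALERT" if result["alert"] else "no alert")
```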
The final payload encrypts data, changes desktop wallpapers, and replaces file icons with its signature branding.
Picus Security experts recommend validating defenses against HardBit 4.0 through ransomware simulation tools and monitoring exposed RDP or SMB services to prevent similar compromises.
The post HardBit 4.0 Exploits Exposed RDP and SMB Services for Long-Term Network Control appeared first on Cyber Security News.