Hidden VNC: An innovative response to an issue that was caused by
I'll wager that very few people are aware of the banking Trojans currently being sold on the market, which may be one reason why financial crime is rising daily.
Form-grabbing, screen capture, web injections, and other dangerous features are all available in top-tier financial malware such as Dridex, Neverquest, and Gozi. One noteworthy feature is the hidden virtual network computing (hVNC) module, which gives attackers user-grade access to a compromised PC.
The remote-control capabilities of banking trojans are well known, but how they are actually exploited remains something of a mystery.
Since hidden VNC is one of the trickiest malware features to implement, requiring the programmer to write their own window manager, there are not many original implementations available on the market.
Malware uses hidden virtual network computing (hVNC) as a strategy to covertly take control of a victim's computer. Let's first understand VNC before looking at what hVNC actually does.
VNC:
Years ago, when fraud was less widespread, most banks only had basic IP or geolocation checks to flag or block accounts if someone signed in from another computer. Banking trojans would run a SOCKS proxy server on the victim's PC to get around this.
As fraud grew more prevalent, banks developed proprietary fraud detection systems that use a range of checks to uniquely identify the user's system. A more convenient method of fraud therefore had to be found, and that method was, of course, VNC.
A sort of remote-control software called virtual network computing (VNC) enables users to command another machine over a network connection.
VNC employs a client/server architecture: The server component, which needs to be installed on the remote computer, is connected to using a VNC viewer (or client), which is set up on the local computer.
The server transmits screenshots of the controlled endpoint's desktop to the client over the VNC connection. The victim's endpoint carries out the attacker's commands, and the attacker sees the changes to the screen through the never-ending series of screenshots.
The only distinction between VNC and hVNC is that over a conventional VNC connection the victim can see everything the attacker does. The scammers did not like this, so hVNC was invented.
Hidden VNC:
Malware can construct an invisible environment for VNC to run in by taking advantage of little-known Windows features such as CreateDesktop and cross-process window subclassing.
Most Linux users are undoubtedly already aware that several distros allow the simultaneous use of multiple desktops with separate taskbars.
Windows has had the ability to create multiple desktops since 2000, but it is a little-known capability with no built-in application to expose it. Software can create a hidden desktop and run programmes in that desktop's environment by calling CreateDesktop.
Programmes running on the hidden desktop are not visible from other desktops and do not appear in the user's taskbar. Sounds straightforward, right?
Most VNC software works by periodically taking screenshots and sending them back to the client; however, Windows does not render any GUI elements for inactive desktops, so one cannot simply take screenshots of the hidden desktop.
Instead, the VNC server has to call EnumDesktopWindows to retrieve a list of the windows currently on the hidden desktop, then call PrintWindow on each window to write it into a bitmap in reverse Z-order.
The server is essentially simulating the screenshot feature by drawing each window into a bitmap, bottom-most first, so the result is stacked the same way it would appear on screen.
Sadly, some programmes handle WM_PRINT or WM_PRINTCLIENT messages improperly, and as a result all or part of the programme appears as a white rectangle.
To fix this, the VNC server has to implement WM_PRINT and WM_PRINTCLIENT handling on behalf of the application, making sure that every visible item is painted to the buffer.
This can be accomplished either by cross-process subclassing, which lets the VNC server handle window messages intended for the target programme from within the VNC process, or by injecting code into all processes and hooking specific user32.dll routines.
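Taking the defender's view of the mechanism just described, the following PowerShell script (an added example, not code from the original article) enumerates the desktops in the current interactive window station with EnumDesktops, opens each one, and lists the top-level windows and owning processes on any desktop outside an assumed baseline of Default, Winlogon and Screen-saver. The baseline names and the UNEXPECTED label are assumptions; Winlogon normally cannot be opened from a user session, which the script reports rather than counting as a finding.

```powershell
# Added example, not from the original article: hunt for extra desktops in the
# current (interactive) window station and list the windows living on them.
# Assumption: Default, Winlogon and Screen-saver are the expected desktop names.
$Win32 = @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class DesktopEnum {
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll")] public static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll")] public static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumWindowsProc lpfn, IntPtr lParam);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
}
"@
Add-Type -TypeDefinition $Win32
$expected = @('Default', 'Winlogon', 'Screen-saver')
$names = New-Object 'System.Collections.Generic.List[string]'
# Callback collects every desktop name in this window station (returns $true to continue).
[DesktopEnum]::EnumDesktops([DesktopEnum]::GetProcessWindowStation(),
    { param($name, $lParam) $names.Add($name); $true }, [IntPtr]::Zero) | Out-Null
foreach ($name in $names) {
    # DESKTOP_READOBJECTS (0x1) | DESKTOP_ENUMERATE (0x40) is enough to list windows.
    $hDesk = [DesktopEnum]::OpenDesktop($name, 0, $false, 0x41)
    if ($hDesk -eq [IntPtr]::Zero) { Write-Warning "Cannot open desktop '$name' (often normal for Winlogon)"; continue }
    $windows = New-Object 'System.Collections.Generic.List[object]'
    [DesktopEnum]::EnumDesktopWindows($hDesk, {
        param($hWnd, $lParam)
        [uint32]$owner = 0
        [DesktopEnum]::GetWindowThreadProcessId($hWnd, [ref]$owner) | Out-Null
        $title = New-Object System.Text.StringBuilder 256
        [DesktopEnum]::GetWindowText($hWnd, $title, $title.Capacity) | Out-Null
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $windows.Add([pscustomobject]@{ Desktop = $name; ProcessId = $owner; Process = $proc.ProcessName; Title = $title.ToString() })
        $true
    }, [IntPtr]::Zero) | Out-Null
    [DesktopEnum]::CloseDesktop($hDesk) | Out-Null
    $status = if ($expected -contains $name) { 'expected' } else { 'UNEXPECTED' }
    Write-Host ("Desktop '{0}' [{1}]: {2} top-level window(s)" -f $name, $status, $windows.Count)
    if ($status -eq 'UNEXPECTED') { $windows | Format-Table -AutoSize }
}
```

A hit is a lead rather than proof: legitimate software also creates desktops (secure-desktop prompts, some sandboxes), so check the owning process before acting on it.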
The connection between hVNC and fraudsters
Remote VNC access is not always malicious; it is used as a legitimate remote-assistance tool in numerous settings. VNC is frequently included in financial malware to get around fraud safeguards, because a transaction has a higher chance of success if it comes from a recognised user device.
To solve their issue with VNC, cybercriminals created hidden VNC. Instead of taking over the victim's desktop, an attacker can open a hidden instance in the form of a virtual desktop and control it covertly in the background, even while the unwary victim keeps using the computer.
The hVNC creates a fresh Windows desktop so that no evidence of remote control appears on the endpoint's visible desktop. Because this virtual desktop has its own explorer.exe process, victims are unable to see any of the processes that have been opened on the new desktop.
Throughout a session, the victim's only view is of their own desktop. The victim's screen is hidden from the attacker, who can only access and control his or her own version of the desktop.
Hidden VNC is one of the main characteristics of financial malware. Even though it is not new, it is still used frequently in internet banking fraud today. Cybercriminals exploit remote control in a number of fraud scenarios, both with and without actual malware on the victim's endpoint.
Hidden VNC records the user's screen as well as browser information, which can lead to numerous malicious actions by the attacker.
It can steal every piece of information you have saved in your browser, with consequences that compromise your privacy in addition to causing financial losses.
Be careful when storing credit card or account information on your system; to someone else, your system can smell like data.