Researchers at Bitdefender have uncovered a year-long, highly targeted cyber-attack that uses custom malware called RDStealer. The bespoke malware campaign against an East Asian IT company has been active for more than a year, with the goal of stealing credentials and exfiltrating data.
What is the threat?
RDStealer is a unique malware that is designed to steal data from client drives that are shared into Remote Desktop Protocol (RDP) sessions. Once a threat actor has infected a remote desktop server, the malware turns the RDP 'device redirection' (client drive mapping) feature against the users who connect to it: when a client connects with drive redirection enabled, its local drives become reachable from the server as the \\tsclient share, and RDStealer reads credentials and other data from them and can compromise the connecting machine as well. RDStealer consists of a keylogger, a persistence module, a data-exfiltration module, a clipboard-capture tool, and a control module that handles encryption, logging, and file-manipulation utilities.
Attackers are using a variety of tactics and techniques to evade detection, including sideloading DLLs through legitimate executables and storing malware in commonly used folders. One example is %PROGRAM_FILES_x86%\dell\commandupdate\ – the malware is placed in folders that look legitimate so that endpoint protection is less likely to flag it. Such vendor folders are often excluded from security scans, which allows the malicious software to remain undetected. Additionally, the threat actors have registered command-and-control (C2) domains such as "dell-a[.]ntp-update[.]com" to further blend in with expected traffic.
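The following PowerShell script is an added hunting example (it is not from the advisory or from the researchers) that checks a Windows RDP host for the tradecraft described above: antivirus exclusions covering the staging folder, unsigned binaries planted in it, resolver-cache entries for the C2 parent domain, and whether client drive redirection is still allowed. The folder and domain come from the text; the 64-bit folder variant and the output format are this example's own assumptions.

```powershell
# Added hunting example, not code from the advisory. Run elevated on the RDP host.
#Requires -RunAsAdministrator

$SuspectFolders = @(
    "${env:ProgramFiles(x86)}\dell\commandupdate",   # folder named in the advisory
    "${env:ProgramFiles}\dell\commandupdate"          # assumption: 64-bit counterpart
)
$C2ParentDomain = 'ntp-update.com'                   # parent of dell-a.ntp-update.com

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Defender path exclusions that would hide the staging folders from scans.
$Exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($Ex in $Exclusions) {
    foreach ($Folder in $SuspectFolders) {
        if ($Folder -like "$Ex*") {
            $Findings.Add("Defender exclusion '$Ex' covers suspect folder '$Folder'")
        }
    }
}

# 2. Unsigned or invalidly signed DLLs/EXEs in the staging folders (sideloading bait).
foreach ($Folder in $SuspectFolders) {
    if (-not (Test-Path $Folder)) { continue }
    Get-ChildItem -Path $Folder -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($Sig.Status -ne 'Valid') {
                $Findings.Add("Unsigned/invalid binary: $($_.FullName) [$($Sig.Status)]")
            }
        }
}

# 3. DNS client cache entries under the C2 parent domain (recent resolution attempts).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*.$C2ParentDomain" } |
    ForEach-Object { $Findings.Add("DNS cache hit: $($_.Entry) -> $($_.Data)") }

# 4. Is client drive redirection still permitted? This is the feature RDStealer abuses.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Cdm = (Get-ItemProperty -Path $PolicyKey -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
if ($Cdm -ne 1) {
    $Findings.Add("Client drive redirection is not disabled by policy (fDisableCdm=$Cdm)")
}

if ($Findings.Count -eq 0) { 'No indicators found.' } else { $Findings }
```

The DNS cache check only sees names resolved since the last cache flush, so it is a quick triage signal, not proof of absence; for a definitive answer, search DNS server or proxy logs for the same domain.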
Why is it noteworthy?
RDStealer, according to researchers, is unique in its behavior. The threat actors initially relied on common remote access trojans such as AsyncRAT and Cobalt Strike to gain access, but transitioned to bespoke malware between early 2021 and late 2022 to evade detection. RDStealer deploys a custom backdoor named Logutil that allows remote code execution and file manipulation on a compromised device. Keylogging is common, but the ability to "monitor incoming RDP connections and compromise a remote machine if client drive mapping is enabled" is what makes RDStealer stand out.
What is the exposure or risk?
The RDStealer malware poses a significant risk to organizations whose users connect over RDP with drive redirection enabled, since every such connection exposes the client's local drives to the server. With the increase in remote work over the past few years, RDP will remain prevalent for remote access despite its security risks. While a useful tool, Internet-facing RDP servers are among the most targeted online services because they provide a foothold into an organization's network. Once a threat actor gains access, they can use that foothold to move laterally throughout the corporate network.
What are the recommendations?
Barracuda SOC recommends the following actions to prevent and protect against this and similar attacks:
- If you are using Remote Desktop Protocol for remote access in your environment, implement best practices. This includes eliminating externally facing RDP servers, enforcing encrypted RDP sessions with Network Level Authentication, restricting access to only specific users (certificate-based authentication is best!), disabling client drive and clipboard redirection where they are not needed, network segmentation, and more.
- Use an endpoint protection product that performs behavioral scanning rather than relying solely on signature-based detection, and avoid blanket scan exclusions for vendor folders. SentinelOne's next-gen protection can detect when files and processes behave in an unusual manner and swiftly take the appropriate mitigation actions.
- Implement general best practices for security including strong, complex passwords/passphrases, multi-factor authentication, and defense-in-depth.
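The following PowerShell script is an added example (not the advisory's own code) that applies the RDP hardening listed above on a single Windows host: NLA and TLS on the listener, drive/clipboard/printer redirection disabled through the same registry values the corresponding Group Policy settings write, the firewall rule limited to a management subnet, and membership of the Remote Desktop Users group reduced to one group. The management subnet and the admin group name are assumptions for illustration.

```powershell
# Added hardening example, not code from the advisory. Run elevated on the RDP host.
#Requires -RunAsAdministrator

$ManagementSubnet = '10.10.0.0/24'        # assumption: only the jump-host/VPN range may reach 3389
$AllowedGroup     = 'CORP\RDP-Admins'     # assumption: a dedicated AD group for RDP access
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Require Network Level Authentication and TLS on the listener.
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1   # 1 = NLA required
Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2   # 2 = TLS, not legacy RDP security
Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3   # 3 = High (128-bit)

# 2. Disable the redirections RDStealer abuses. These are the values written by the GPOs
#    "Do not allow drive redirection", "... Clipboard redirection", "... client printer redirection".
if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
Set-ItemProperty -Path $Policy -Name fDisableCdm  -Value 1 -Type DWord   # client drive mapping off
Set-ItemProperty -Path $Policy -Name fDisableClip -Value 1 -Type DWord   # clipboard redirection off
Set-ItemProperty -Path $Policy -Name fDisableCpm  -Value 1 -Type DWord   # printer redirection off

# 3. Only the management subnet may reach the RDP listener, and never on the Public profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $ManagementSubnet -Profile Domain, Private

# 4. Restrict who can log on: remove everything from Remote Desktop Users except the allowed group.
$Members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
foreach ($M in $Members) {
    if ($M.Name -ne $AllowedGroup) {
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $M.Name
    }
}
if (-not ($Members.Name -contains $AllowedGroup)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedGroup
}

# 5. Show the resulting state for verification.
Get-ItemProperty -Path $RdpTcp -Name UserAuthentication, SecurityLayer, MinEncryptionLevel
Get-ItemProperty -Path $Policy -Name fDisableCdm, fDisableClip, fDisableCpm
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter
```

The redirection settings apply to new sessions, so existing sessions keep any drives they already mapped until they disconnect. On domain-joined hosts, set the same values in a Group Policy Object instead of locally, otherwise the next policy refresh may overwrite them. Disabling drive redirection removes the specific path RDStealer uses to read client drives, but it does not remove the need for the other controls above: an attacker who already controls the server can still capture keystrokes and clipboard content from sessions on it.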
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.