New ‘RDStealer’ Malware Targets RDP Connections
State-Sponsored Espionage Campaign Leverages Custom Malware
A state-sponsored espionage campaign has been discovered using new custom malware called RDStealer to monitor incoming remote desktop protocol (RDP) connections and infect connecting clients with a backdoor. Security firm Bitdefender issued a warning about the campaign, which has been operational since the beginning of 2022 and is believed to be aligned with the interests of China-based threat actors. The campaign stands out with two custom tools, the Logutil backdoor and the RDStealer malware, written in the Go programming language.
According to Bitdefender, the group behind these attacks has been active since at least 2020, initially using off-the-shelf malware such as AsyncRat and Cobalt Strike. In late 2021, they shifted to custom malware like RDStealer, which has the ability to capture clipboard contents, log keystrokes, and harvest data from infected machines.
The Unique Capability of RDStealer
What makes RDStealer unique is its capability to monitor incoming RDP connections and infect connecting clients that have client drive mapping (CDM) enabled. CDM is a virtual channel that allows for data transfers between RDP servers and clients, displaying the local drives of the client machine during the remote desktop session. CDM is typically always enabled on clients, with the configuration managed on the server-side.
On an infected machine, RDStealer continuously monitors for RDP connections with CDM enabled. If it detects one, it notifies the command-and-control server, exfiltrates data from the connecting client, and deploys the Logutil backdoor on it. The Logutil backdoor uses multiple DLL sideloading techniques to evade detection, including abusing the Windows Management Instrumentation service (Winmgmt).
The Implications of the Espionage Campaign
The discovery of this espionage campaign raises concerns about the ongoing threat posed by state-sponsored actors and the need for robust cybersecurity measures. The fact that the threat actor behind these attacks has been active for several years, constantly evolving their tactics and tools, highlights the sophistication and persistence of such campaigns.
Furthermore, the use of custom malware like RDStealer demonstrates the increasing level of sophistication among threat actors and their ability to exploit vulnerabilities in widely used protocols and technologies. In this case, the targeting of RDP connections highlights the potential risks associated with remote work, as well as the need for organizations to implement strong security measures to protect their remote access infrastructure.
Protecting Against Malware Threats
As cyber threats continue to evolve, it is crucial for individuals and organizations to prioritize cybersecurity measures to protect against malware attacks.
1. Keep Software up to Date
Regularly update all software and systems to ensure they have the latest security patches. Vulnerabilities in software are often exploited by malware, and staying up to date with patches helps to mitigate these risks.
2. Use Strong, Unique Passwords
Use unique and complex passwords for all accounts and regularly update them. Avoid using easily guessable passwords or reusing passwords across multiple accounts.
3. Enable Two-Factor Authentication
Enable two-factor authentication (2FA) whenever possible to provide an extra layer of security. This helps protect against unauthorized access even if passwords are compromised.
4. Invest in a Reliable Security Solution
Invest in a robust antivirus and anti-malware solution that can detect and block malicious software. Regularly update the security software to ensure it is equipped to handle the latest threats.
5. Educate Employees
Regularly educate employees about best practices for online security, including avoiding suspicious links and email attachments. Encourage them to report any suspicious activities or potential security threats.
In Conclusion
The discovery of the RDStealer malware highlights the persistent and evolving threat landscape of state-sponsored cyber espionage. It serves as a reminder of the importance of strong cybersecurity measures and the need for continuous vigilance to protect against such threats. By prioritizing regular software updates, strong passwords, two-factor authentication, reliable security solutions, and employee education, individuals and organizations can mitigate their risk of falling victim to such malware attacks.
<< photo by Jorge Jesus >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Exploring the Security Concerns of Wago Controllers: Uncovering Vulnerabilities
- The Rise of Rorschach Ransomware: A Deep Dive into the Latest Cybersecurity Threat
- Zyxel’s Race Against Time: Urgent Security Updates for Critical NAS Device Vulnerability
- Examining the Implications of a Year-Long Cyber Attack: Unveiling the Utilization of Custom Malware RDStealer
- The Rising Threat: Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces
- The Rising Threat: Analyzing the New Mystic Stealer Malware
- Hidden Threats: Investigating the Chinese APT Behind the Critical Barracuda ESG Zero-Day
