New RDStealer Malware Steals From Drives Shared Over Remote Desktop

Cyber Security Threat Summary:
Bitdefender Labs has discovered a cyberespionage and hacking campaign called 'RedClouds' that utilizes custom malware known as 'RDStealer' to automatically steal data from drives shared through Remote Desktop connections. The campaign has been active since at least 2020, primarily targeting systems in East Asia. While the specific threat actors behind RedClouds have not been identified, Bitdefender suggests that their interests align with China and that they possess the sophistication of a state-sponsored Advanced Persistent Threat (APT) group.

The attackers abuse the Remote Desktop Protocol (RDP), Microsoft's protocol for remote connections to Windows desktops and servers. They infect Remote Desktop servers with RDStealer, which takes advantage of RDP's device redirection feature: when a client connects with a local drive redirected, that drive is exposed inside the server session as a \\tsclient\<drive letter> share, so malware running on the server can read it like any other path. RDStealer monitors incoming RDP connections and automatically steals data from the redirected client drives. RDStealer consists of five modules: a keylogger, a persistence establisher, a data theft and exfiltration module, a clipboard content capturing tool, and a module for encryption/decryption functions.

RDStealer scans the redirected drives for specific file locations and extensions, indicating that the attackers are primarily interested in obtaining credentials for lateral movement within networks. The malware is stored in folders that are less likely to be scanned by security solutions, an evasion tactic. Stolen data is staged locally in encrypted form until it is transmitted to the attackers' servers. RDStealer's execution also involves activating two DLL files, including a custom Go-based backdoor called Logutil, which allows the threat actors to remotely execute commands and manipulate files on compromised devices. Logutil is loaded through DLL sideloading and uses Windows Management Instrumentation (WMI) for activation.

Security Officer Comments:
The RedClouds campaign targets Remote Desktop servers with custom malware and has stayed active for years, demonstrating adaptability and persistence. By abusing RDP's device redirection, RDStealer steals data from redirected client drives without any action on the client beyond connecting. The focus on credential files points to lateral movement within victim networks rather than to the RDP server alone. The Logutil backdoor, with its sideloading and WMI-based activation, shows a mature tradecraft. Bitdefender has not attributed the campaign to a named group, noting only that its interests align with China. Hardening of RDP servers, strict access controls, and monitoring of RDP sessions are crucial to mitigate this threat.

Suggested Correction(s):
Securing Remote Desktop Protocol (RDP) deployments is essential to prevent unauthorized access, protect against brute-force attacks, mitigate credential theft, defend against lateral movement, and safeguard against data breaches. Implementing strong authentication (Network Level Authentication and multi-factor authentication), encryption, network segmentation, access controls, and monitoring is crucial to ensure the security and integrity of RDP connections. Because RDStealer depends on device redirection, administrators should also disable drive and clipboard redirection on session hosts where those features are not required, and clients should avoid redirecting local drives into sessions on servers they do not fully trust.
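The following PowerShell script is an added example for this digest, not code from Bitdefender's report or from the campaign. It audits (and with -Enforce, sets) the Remote Desktop Services policy values that disable drive, clipboard and Plug-and-Play redirection and require NLA and TLS, then lists permanent WMI event subscriptions as a persistence hunt. The registry value names and policy key path are Microsoft's; the assumption that a WMI-activated backdoor would show up as a filter/consumer/binding set in root/subscription is ours and will not catch every WMI technique. Run it elevated on the session host:

```powershell
# Added example: audit/enforce RDP redirection hardening and hunt WMI persistence.
# Not part of the original article. Requires an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Local policy location for Remote Desktop Services settings; a domain GPO
# writing the same key takes precedence over anything set here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Wanted DWORD values. 1 = setting enabled/required.
$Wanted = [ordered]@{
    fDisableCdm        = 1   # "Do not allow drive redirection": no \\tsclient\<drive> shares
    fDisableClip       = 1   # "Do not allow clipboard redirection"
    fDisablePNPRedir   = 1   # "Do not allow supported Plug and Play device redirection"
    UserAuthentication = 1   # "Require user authentication ... Network Level Authentication"
    SecurityLayer      = 2   # "Require use of specific security layer": 2 = TLS
}

function Get-RdpPolicyState {
    # One object per setting: current value, wanted value, compliance flag.
    foreach ($name in $Wanted.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Wanted    = $Wanted[$name]
            Current   = $current
            Compliant = ($current -eq $Wanted[$name])
        }
    }
}

function Set-RdpPolicyState {
    # Write every wanted value; creates the policy key if it does not exist.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $Wanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions survive reboots and are a common
    # malware activation mechanism. Querying the abstract __EventConsumer class
    # returns every concrete consumer (CommandLine, ActiveScript, ...).
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Filters   = $filters   | Select-Object Name, Query
        Consumers = $consumers | Select-Object Name, @{n='Type'; e={ $_.CimClass.CimClassName }},
                                               CommandLineTemplate, ScriptText
        Bindings  = $bindings  | Select-Object Filter, Consumer
    }
}

# --- report -----------------------------------------------------------------
$state = Get-RdpPolicyState
'RDP session-host policy:'
$state | Format-Table -AutoSize

if ($Enforce -and ($state | Where-Object { -not $_.Compliant })) {
    Set-RdpPolicyState
    'Policy values written; run gpupdate /force or restart TermService to apply.'
    Get-RdpPolicyState | Format-Table -AutoSize
}

$wmi = Get-WmiPersistence
'WMI event filters (review any Query you do not recognize):'
$wmi.Filters   | Format-Table -AutoSize
'WMI event consumers (CommandLineTemplate/ScriptText are what would execute):'
$wmi.Consumers | Format-Table -AutoSize
'Filter-to-consumer bindings:'
$wmi.Bindings  | Format-Table -AutoSize
```

On a clean server the three WMI tables are normally empty or contain only well-known entries such as the SCM event log consumer; any CommandLineEventConsumer or ActiveScriptEventConsumer you did not create deserves a look. Disabling drive redirection is server-wide, so hosts that legitimately need file transfer should get a dedicated, monitored path (for example an audited file share) rather than an exception to this policy.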

Link(s):
https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals-from-drives-shared-over-remote-desktop/