
Unveiling a Year-Long Cyber Espionage: Intriguing Revelation of Custom Malware RDStealer in Targeted IT Firm

An extensive and meticulously planned cyber attack targeting an East Asian IT firm has come to light, shedding light on the complex tactics employed by the threat actors. This long-term operation, lasting over a year, was carried out by deploying a sophisticated malware variant, RDStealer, written in the Go (Golang) programming language. Detailed findings presented in a technical report by Bitdefender researcher Victor Vrabie reveal that the primary objective of the attack was to compromise valuable credentials and exfiltrate data.

Extensive evidence gathered by the Romanian cybersecurity firm points to the campaign's initiation in early 2022, with the specific target being an undisclosed IT company in East Asia. This revelation is a stark reminder of the evolving sophistication and persistence of cyber threats in today's interconnected world.

Unveiling the Progression

During the initial stages of the operation, common remote access trojans such as AsyncRAT and Cobalt Strike played an active role. However, as the attack progressed in late 2021 or early 2022, custom-designed malware took over in order to evade detection. A notable strategy involved storing the backdoor payloads in Microsoft Windows folders that are commonly excluded from security scans, such as System32 and Program Files. This approach aimed to exploit the fact that security software often skips these locations, making the attack harder to detect.

A specific sub-folder that played a significant role in the attack is "C:\Program Files\Dell\CommandUpdate," which serves as the location for Dell Command | Update, a legitimate Dell application. Interestingly, all the compromised machines throughout the incident were Dell-manufactured, indicating a deliberate choice by the threat actors to utilize this folder as a camouflage for their malicious activities. This observation is reinforced by the fact that the attackers registered command-and-control (C2) domains like "dell-a[.]ntp-update[.]com," strategically designed to blend seamlessly into the target environment.

The intrusion campaign utilizes a server-side backdoor known as RDStealer, which specializes in continuously gathering data from the clipboard and keystrokes on the infected host. This behavior allows the threat actors to collect sensitive information surreptitiously.

The Distinctive Feature

What sets this attack apart is its ability to monitor incoming Remote Desktop Protocol (RDP) connections and compromise the connecting machine if client drive mapping is enabled. Once a new RDP client connection is detected, RDStealer issues a command to extract sensitive information, including browsing history, credentials, and private keys, from applications like mRemoteNG, KeePass, and Google Chrome. This emphasizes that the threat actors actively target credentials and saved connections to other systems, as Martin Zugec, a researcher at Bitdefender, highlighted in a separate analysis. Additionally, the RDP clients connecting to the compromised machines are infected with Logutil, another custom Golang-based malware.
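The behaviour described above, an inbound RDP session followed shortly by reads of credential stores through the client's redirected drives, can be turned into a simple correlation rule. The script below is an added defender-side example and is not part of the Bitdefender report or the RDStealer code. It runs over constructed, simplified event records (the field names are this example's own, loosely modelled on a Windows Security 4624 logon with logon type 10, RemoteInteractive, plus file-read telemetry); the credential-store file names for KeePass, mRemoteNG and Chrome are assumed typical names, and the `\\tsclient\` prefix is the path under which Windows exposes a client's mapped drives to the RDP host.

```python
"""Correlate new RDP sessions with reads of credential stores on the client's
redirected drives (the RDStealer pattern), as an added detection example."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "logon" records stand in for a
# Security 4624 event with logon type 10; "file_read" records stand in for
# endpoint file-access telemetry. The session id ties the two together.
EVENTS = [
    {"ts": "2022-03-01T09:00:00", "kind": "logon", "logon_type": 10,
     "user": "ops\\admin1", "session": 3},
    {"ts": "2022-03-01T09:00:05", "kind": "file_read", "session": 3, "process": "svchost.exe",
     "path": r"\\tsclient\C\Users\admin1\Documents\passwords.kdbx"},
    {"ts": "2022-03-01T09:00:06", "kind": "file_read", "session": 3, "process": "svchost.exe",
     "path": r"\\tsclient\C\Users\admin1\AppData\Roaming\mRemoteNG\confCons.xml"},
    {"ts": "2022-03-01T09:00:07", "kind": "file_read", "session": 3, "process": "svchost.exe",
     "path": r"\\tsclient\C\Users\admin1\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: an RDP user copying a spreadsheet from their own mapped drive.
    {"ts": "2022-03-01T10:00:00", "kind": "logon", "logon_type": 10,
     "user": "ops\\admin2", "session": 4},
    {"ts": "2022-03-01T10:02:00", "kind": "file_read", "session": 4, "process": "explorer.exe",
     "path": r"\\tsclient\D\reports\q1.xlsx"},
    # Benign: a local credential store opened by its own application (no RDP logon).
    {"ts": "2022-03-01T11:00:00", "kind": "file_read", "session": 1, "process": "KeePass.exe",
     "path": r"C:\Users\admin3\Documents\vault.kdbx"},
]

# Assumed typical file names for the three applications named in the report.
CRED_STORE_MARKERS = (".kdbx", "confcons.xml", "login data")
# Client-redirected drives are reachable on the RDP host under \\tsclient\<drive>.
TSCLIENT_PREFIX = "\\\\tsclient\\"
WINDOW = timedelta(minutes=5)  # reads must follow the logon within this window


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events, window=WINDOW):
    """Return one alert per RDP session (logon type 10) in which a credential
    store was read from the client's redirected drive within `window` of logon."""
    logons = {e["session"]: e for e in events
              if e["kind"] == "logon" and e.get("logon_type") == 10}
    hits = {}  # session id -> alert dict
    for e in events:
        if e["kind"] != "file_read":
            continue
        path = e["path"].lower()
        if not path.startswith(TSCLIENT_PREFIX):
            continue  # only reads through the client's mapped drives matter here
        if not any(path.endswith(marker) for marker in CRED_STORE_MARKERS):
            continue  # not a credential store
        logon = logons.get(e["session"])
        if logon is None:
            continue  # no matching RDP logon for this session
        if parse_ts(e["ts"]) - parse_ts(logon["ts"]) > window:
            continue  # too long after logon to be the automated pattern
        alert = hits.setdefault(e["session"], {
            "session": e["session"], "user": logon["user"],
            "process": e["process"], "paths": []})
        alert["paths"].append(e["path"])
    return [hits[s] for s in sorted(hits)]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"session {alert['session']} ({alert['user']}): {alert['process']} read "
              f"{len(alert['paths'])} credential store(s) via \\\\tsclient\\")
```

Only session 3 is flagged: the spreadsheet copy in session 4 touches a mapped drive but not a credential store, and the local KeePass read has no RDP logon behind it. In a real deployment the same rule would be fed from the RDP host's logon and file-access telemetry, and the complementary mitigation is to disable drive redirection on hosts that do not need it (the "Do not allow drive redirection" Remote Desktop Session Host policy), which removes the `\\tsclient\` path the malware depends on.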

Logutil employs DLL side-loading techniques to establish persistence within the victim network and to facilitate command execution. Limited information about the threat actor is available, beyond the fact that their activity dates back to 2020. Zugec remarks on the continuous innovation and evolving sophistication of cybercriminals, who exploit both new and established technologies to carry out their malicious activities. This attack serves as a testament to the increasing complexity of modern cyber threats and to the ability of threat actors to abuse widely adopted technologies.
