RDStealer malware posed a year-long threat to an IT firm

June 25, 2023

Researchers uncovered a year-long highly targeted cyberattack that used the RDStealer malware against an East Asian information technology (IT) firm. Based on reports, the malware developers coded the malware in the Go language.

The researchers explained that the cybercriminal operation was active for more than a year with the primary objective of compromising credentials and data exfiltration. A recent investigation gathered evidence that the malicious campaign was initiated by attackers in the early months of last year. However, the targeted IT company located in East Asia remained unnamed.

The RDStealer malware operators first relied on well-known RATs to start their cybercriminal operations.

The RDStealer malware operation started with readily available remote access trojans (RATs), such as Cobalt Strike and AsyncRAT. Eventually, the attackers shifted to RDStealer in the early weeks of last year.

The threat actors' main evasion tactic relies on Windows folders that several security products are likely to exclude from scanning. Hence, the attackers used folders such as System32 and Program Files to store the backdoor payloads.

One example of such a sub-folder is the directory of a legitimate Dell application, Dell Command | Update. The researchers stated that all the devices infected in the incident were manufactured by Dell. This detail suggests that the threat actors intentionally picked the folder to hide their malicious activity.

Additionally, the actors extended the Dell disguise to their infrastructure: they registered C2 domains such as "dell-a[.]ntp-update[.]com" so that their traffic would blend into the targeted environment.
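The evasion described above turns scan exclusions into a blind spot. The script below is an added example for this article, not code from the researchers' report, and shows one defender-side check: given the exclusion paths from an endpoint product's policy and a file inventory with Authenticode signer and first-seen date per executable, it lists binaries inside excluded folders that are unsigned, signed by an unexpected publisher, or new. All paths (including the Dell sub-folder path), signers and dates are constructed sample data, and the `Binary` inventory format is an assumption.

```python
"""Audit executables that sit in folders an AV/EDR policy excludes from scanning.

Added example for this article, not code from the report or its authors. It
assumes a defender can export (a) the scan-exclusion paths from their endpoint
product's policy and (b) a file inventory with Authenticode signer and first-seen
date per executable. Every path, signer and date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Binary:
    path: str               # full Windows path of the executable
    signer: Optional[str]   # publisher from the Authenticode signature, None if unsigned
    first_seen: date        # day the inventory first recorded this file


def _parts(p: str) -> Tuple[str, ...]:
    """Split a Windows path into lower-cased components so comparisons ignore
    case and separator style (both '\\' and '/')."""
    return tuple(part.lower() for part in PureWindowsPath(p).parts)


def covering_exclusion(path: str, exclusions: List[str]) -> Optional[str]:
    """Return the exclusion entry whose directory contains `path`, or None.
    Matching is by whole path components, so 'C:\\Program Files' does not
    accidentally cover 'C:\\Program FilesX\\x.exe'."""
    parts = _parts(path)
    for excl in exclusions:
        ep = _parts(excl)
        if parts[: len(ep)] == ep:
            return excl
    return None


def audit(inventory, exclusions, today, trusted=frozenset(), new_days=30):
    """Flag executables inside excluded folders that are unsigned, signed by a
    publisher outside `trusted`, or first seen within `new_days`."""
    findings = []
    for b in inventory:
        excl = covering_exclusion(b.path, exclusions)
        if excl is None:
            continue                       # outside the blind spot; normal scanning applies
        reasons = []
        if b.signer is None:
            reasons.append("unsigned")
        elif b.signer not in trusted:
            reasons.append("untrusted signer: " + b.signer)
        if (today - b.first_seen).days <= new_days:
            reasons.append("first seen within %d days" % new_days)
        if reasons:
            findings.append((b.path, excl, reasons))
    return findings


# Constructed sample data: exclusion list and inventory of an imaginary host.
SAMPLE_EXCLUSIONS = [r"C:\Windows\System32", r"C:\Program Files"]
SAMPLE_INVENTORY = [
    # an unsigned, recently dropped binary under a vendor sub-folder (the pattern
    # described in the article; this path is an assumption, not from the report)
    Binary(r"C:\Program Files\Dell\CommandUpdate\svc.exe", None, date(2023, 6, 1)),
    # a long-standing OS binary with a trusted signer: no finding
    Binary(r"C:\Windows\System32\notepad.exe", "Microsoft Windows", date(2022, 1, 1)),
    # unsigned, but outside any exclusion: left to the scanner, not reported here
    Binary(r"C:\Users\alice\Downloads\tool.exe", None, date(2023, 6, 10)),
    # similar-looking prefix that must NOT match 'C:\Program Files'
    Binary(r"C:\Program FilesX\x.exe", None, date(2023, 6, 10)),
]


def run_sample():
    return audit(SAMPLE_INVENTORY, SAMPLE_EXCLUSIONS, date(2023, 6, 25),
                 trusted=frozenset({"Microsoft Windows"}))


if __name__ == "__main__":
    for path, excl, reasons in run_sample():
        print(path, "(excluded by " + excl + "):", ", ".join(reasons))
```

On the sample inventory only the unsigned, recently appeared binary under `C:\Program Files` is reported; the point of the component-wise path match is that an exclusion never bleeds into a neighbouring directory with a similar prefix.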

The infiltration method utilises a server-side backdoor called RDStealer. The malware specialises in continuously collecting clipboard content and keystroke data from the host. However, its main attribute is that it monitors incoming RDP connections and compromises the remote device if client drive mapping is enabled.

When a new Remote Desktop Protocol client connection is established, RDStealer issues a command to exfiltrate data. Among the information RDStealer can exfiltrate are browsing history, credentials, and private keys from applications such as Google Chrome, KeePass, and mRemoteNG.
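On the terminal server, a connecting client's mapped drive is reachable under the `\\tsclient` share, so the behaviour described above leaves a pattern a defender can look for: an RDP logon followed by a process other than the user's own desktop session reading `\\tsclient\...` paths, especially the Chrome, KeePass and mRemoteNG files the article names. The detector below is an added example for this article, not code from the report. Its log is constructed and uses a simplified, assumed schema (in a real deployment the logon and logoff rows would come from Windows events 4624 with logon type 10 and 4634, and the file_access rows from an EDR's file-activity feed); the process path under the Dell folder and the `INTERACTIVE_OK` allowlist are assumptions as well.

```python
"""Spot server-side reads of a mapped RDP client drive.

Added example for this article, not code from the report or its authors. The
log below is constructed and uses a simplified, assumed schema: in practice the
rdp_logon/rdp_logoff rows map to Windows events 4624 (logon type 10) and 4634,
and the file_access rows to an EDR's file-activity telemetry.
"""
import json
import re
from datetime import datetime

TSCLIENT = re.compile(r"^\\\\tsclient\\", re.I)       # mapped client drive root

# Files the article names as RDStealer's targets, at their usual on-disk locations.
SENSITIVE = [
    re.compile(r"\\Google\\Chrome\\User Data\\.*\\Login Data$", re.I),  # Chrome saved logins
    re.compile(r"\.kdbx$", re.I),                                        # KeePass database
    re.compile(r"\\mRemoteNG\\confCons\.xml$", re.I),                   # mRemoteNG connections
]

# Processes expected to touch the client drive on the interactive user's behalf.
# Anything else (a service, an "updater") reading \\tsclient is worth a look.
INTERACTIVE_OK = {"explorer.exe"}


def detect(lines):
    """Walk JSON log lines in time order and return alerts for \\tsclient reads
    by non-interactive processes, with the RDP sessions live at that moment."""
    live = {}      # user -> logon time of their current RDP session
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["event"]
        if kind == "rdp_logon":
            live[ev["user"]] = ts
        elif kind == "rdp_logoff":
            live.pop(ev["user"], None)
        elif kind == "file_access" and TSCLIENT.match(ev["target"]):
            proc = ev["process"].rsplit("\\", 1)[-1].lower()
            if proc in INTERACTIVE_OK:
                continue                   # the user's own shell copying files: expected
            sensitive = any(p.search(ev["target"]) for p in SENSITIVE)
            alerts.append({
                "ts": ev["ts"],
                "severity": "high" if sensitive else "medium",
                "process": ev["process"],
                "target": ev["target"],
                "sessions": sorted(live),  # who was connected when the read happened
            })
    return alerts


# Constructed sample log (raw string so the JSON backslash escapes survive).
SAMPLE_LOG = r'''
{"ts": "2023-03-02T09:00:00", "event": "rdp_logon", "user": "alice", "src_ip": "10.0.0.5"}
{"ts": "2023-03-02T09:00:07", "event": "file_access", "user": "SYSTEM", "process": "C:\\Program Files\\Dell\\CommandUpdate\\svc.exe", "target": "\\\\tsclient\\C\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-03-02T09:01:00", "event": "file_access", "user": "alice", "process": "C:\\Windows\\explorer.exe", "target": "\\\\tsclient\\C\\Users\\alice\\Documents\\report.docx"}
{"ts": "2023-03-02T09:02:00", "event": "file_access", "user": "SYSTEM", "process": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\Temp\\update.log"}
{"ts": "2023-03-02T09:03:00", "event": "file_access", "user": "SYSTEM", "process": "C:\\Program Files\\Dell\\CommandUpdate\\svc.exe", "target": "\\\\tsclient\\C\\Users\\alice\\vault.kdbx"}
{"ts": "2023-03-02T09:04:00", "event": "file_access", "user": "SYSTEM", "process": "C:\\Program Files\\Dell\\CommandUpdate\\svc.exe", "target": "\\\\tsclient\\C\\Users\\alice\\Documents\\notes.txt"}
{"ts": "2023-03-02T17:30:00", "event": "rdp_logoff", "user": "alice"}
'''.strip().splitlines()


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["severity"].upper(), a["process"], "->", a["target"], a["sessions"])
```

Run over the sample, the rule produces two high-severity alerts (the Chrome `Login Data` database and a `.kdbx` vault read by a service binary) and one medium one (a plain document read by the same binary), while the user's own `explorer.exe` copy and the unrelated local file write are ignored. Drive redirection itself is a legitimate feature, so the allowlist and the sensitive-file list are the two knobs to tune per environment.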

Cybercriminals have always been innovative with their attack capabilities. Organisations should make efforts to counter these kinds of attacks with layered defences.
