RDStealer used to steal data from remote desktop servers
A cyberespionage campaign called RedClouds is using malware called RDStealer to steal data from drives shared through Remote Desktop connections. The campaign has been targeting systems in East Asia since 2022, and is believed to be state-sponsored by China.
RDStealer is a modular malware that consists of a keylogger, a persistence establisher, a data theft and exfiltration staging module, a clipboard content capturing tool, and a component that handles encryption/decryption functions, logging, and file manipulation utilities.
If the malware detects that a remote machine has connected to the server and that Client Drive Mapping (CDM) is enabled, it scans what’s on the machine and searches for files. It can also be spread by infected web advertising, malicious email attachments, and social engineering tactics, in addition to the CDM attack vector. Because the gang behind RDStealer appears to be very adept, new attack vectors—or superior versions of RDStealer—are likely to emerge in the future.
When activated, RDStealer checks for the availability of drives C-H on the \tsclient network shares. If any are found, it notifies the C2 server and starts exfiltrating data from the connected RDP client. The malware specifically targets credentials that can be used for lateral movement, such as KeePass password database, SSH private keys, Bitvise SSH client, MobaXterm, and mRemoteNG connections.
The malware uses passive and active DLL sideloading flaws to run on a breached system without getting detected, and uses the Windows Management Instrumentation (WMI) as an activation trigger.
RDStealer is then stored in the folders %WinDir%\System32, %WinDir%\System32\wbem, %WinDir%\security\database, %PROGRAM_FILES%\f-secure\psb\diagnostics, %PROGRAM_FILES_x86%\dell\commandupdate, and %PROGRAM_FILES%\dell\md storage software\md configuration utility.
The final stage of RDStealer’s execution is to activate two DLL files: the Logutil backdoor (“bithostw.dll”) and its loader (“ncobjapi.dll”).
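A defender-side hunting and hardening script for the indicators described above: the Client Drive Mapping (\tsclient) exposure, the WMI activation trigger, the staging folders, and the two final-stage DLL names. This is an added example, not code from the article or from the campaign's tooling. It assumes a Windows host with PowerShell 5.1 and local administrator rights; the function names, the `fDisableCdm` policy check and the Authenticode-signature heuristic are the editor's choices, not anything the article states.

```powershell
# Added example: hunt for the RDStealer artifacts named in the article and check one hardening setting.
# Assumptions: Windows, PowerShell 5.1+, run as local administrator.

# Staging folders from the article, expanded from the %...% placeholders.
$StagingDirs = @(
    "$env:WinDir\System32",
    "$env:WinDir\System32\wbem",
    "$env:WinDir\security\database",
    "$env:ProgramFiles\f-secure\psb\diagnostics",
    "${env:ProgramFiles(x86)}\dell\commandupdate",
    "$env:ProgramFiles\dell\md storage software\md configuration utility"
)
# Final-stage DLL names from the article (Logutil backdoor and its loader).
$SuspectDlls = @('bithostw.dll', 'ncobjapi.dll')

function Find-RdStealerArtifacts {
    # Because the loader relies on DLL sideloading, a matching file name alone is not proof:
    # report the Authenticode status so a legitimately signed copy can be told apart from a planted one.
    foreach ($dir in $StagingDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($name in $SuspectDlls) {
            $path = Join-Path -Path $dir -ChildPath $name
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Path      = $path
                    Signature = $sig.Status            # 'Valid', 'NotSigned', 'HashMismatch', ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Suspect   = ($sig.Status -ne 'Valid')
                }
            }
        }
    }
}

function Get-WmiEventSubscriptions {
    # Permanent WMI event subscriptions live in root\subscription; RDStealer uses WMI as its activation trigger,
    # so any filter/consumer/binding that is not accounted for deserves a look.
    $ns = 'root\subscription'
    foreach ($f in Get-WmiObject -Namespace $ns -Class __EventFilter) {
        [pscustomobject]@{ Kind = 'Filter';   Name = $f.Name;   Detail = $f.Query }
    }
    foreach ($c in Get-WmiObject -Namespace $ns -Class __EventConsumer) {
        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer carries ScriptText.
        $detail = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                  elseif ($c.ScriptText)      { $c.ScriptText }
                  else                        { $c.__CLASS }
        [pscustomobject]@{ Kind = 'Consumer'; Name = $c.Name;   Detail = $detail }
    }
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        [pscustomobject]@{ Kind = 'Binding';  Name = $b.Filter; Detail = $b.Consumer }
    }
}

function Test-ClientDriveMappingDisabled {
    # The "Do not allow drive redirection" policy writes fDisableCdm = 1 under this key.
    # When it is set, RDP clients cannot expose their drives as \tsclient shares on this server.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $val = Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.fDisableCdm -eq 1)
}

# Usage: run the three checks and print a short report.
Write-Host "== Final-stage DLLs in staging folders =="
Find-RdStealerArtifacts | Format-Table -AutoSize
Write-Host "== Permanent WMI event subscriptions =="
Get-WmiEventSubscriptions | Format-Table -AutoSize
Write-Host ("Client Drive Mapping disabled by policy: {0}" -f (Test-ClientDriveMappingDisabled))
```

The signature check matters more than the file name: the loader is sideloaded under a DLL name chosen to be picked up by a legitimate process, so the useful signal is an unsigned or tampered copy of that name in one of the listed folders, not the presence of the name itself. Disabling drive redirection removes the \tsclient shares the malware enumerates, at the cost of legitimate file transfer over RDP, so treat the last check as a policy decision rather than an automatic fix.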
The Logutil backdoor is a custom Go-based backdoor that allows the threat actors to remotely execute commands and manipulate files on an infected device. The Logutil backdoor communicates directly with the C2 and obtains the commands to execute.
The sources for this piece include an article in BleepingComputer.