RDStealer malware targeting RDP connections

According to a warning from cybersecurity company Bitdefender, an espionage campaign is linked to a state-sponsored group employing new customized malware to monitor incoming connections through the remote desktop protocol (RDP) and infect the connected clients with a remote access point. 

Bitdefender reports that this campaign has been active since the start of 2022 and appears to be associated with threat actors based in China.

Why is the attack different?

What distinguishes this espionage campaign is the use of two custom tools developed in the Go programming language: the Logutil backdoor and the RDStealer malware. Bitdefender highlights that the threat actor responsible for these attacks has been operational since 2020, initially relying on ready-made malware such as AsyncRAT and Cobalt Strike.

However, in late 2021, they shifted to their own custom-built malware, including RDStealer, which can capture clipboard data, log keystrokes, and harvest information from infected machines.

What is RDStealer?

RDStealer can monitor incoming RDP connections and infect connecting clients with client drive mapping (CDM) enabled. 

“CDM is a feature that allows data transfers between RDP servers and clients, displaying the local drives of the client machine during a remote desktop session. Since CDM is typically enabled on clients, the threat actor exploits this to carry out their malicious activities.”

Source: Bitdefender

Once an infected machine identifies an RDP connection with CDM enabled, 

  • RDStealer sends a notification to the command-and-control (C&C) server, 
  • initiates data exfiltration from the connecting client, and 
  • deploys the Logutil backdoor on it. 
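Because CDM is a client-side setting, the defensive question for the connecting machine is simply whether its saved RDP connections redirect local drives at all. The following is an added audit example (not code from Bitdefender or this article) that parses Microsoft's plain-text .rdp connection format and reports, then rewrites, the drive and clipboard redirection settings; the sample files and hostname are constructed, and treating an absent `drivestoredirect` entry as "disabled" is an assumption about the client's default.

```python
"""Audit saved .rdp files for client drive mapping (CDM).

Added example, not the article's or Bitdefender's code. The .rdp format
is one "name:type:value" setting per line (type s = string, i = integer,
b = binary). 'drivestoredirect' lists the redirected drives separated by
';' (e.g. 'C:;D:;'), '*' means every drive, and an empty value means no
drive is exposed to the RDP server. Files saved by mstsc are usually
UTF-16 encoded, so decode them to str before calling parse_rdp().
"""

# Constructed samples: the first exposes every local drive and the clipboard.
WEAK_RDP = """full address:s:rdp-host.example.internal
drivestoredirect:s:*
redirectclipboard:i:1
"""
HARDENED_RDP = """full address:s:rdp-host.example.internal
drivestoredirect:s:
redirectclipboard:i:0
"""


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting_name: (type, value)}; malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings


def drive_mapping_enabled(settings: dict[str, tuple[str, str]]) -> bool:
    """True if any local drive would be redirected (CDM active).
    A missing entry is treated as disabled (assumption about mstsc's default)."""
    _, value = settings.get("drivestoredirect", ("s", ""))
    return value.strip() != ""


def harden(settings: dict[str, tuple[str, str]]) -> dict[str, tuple[str, str]]:
    """Copy of the settings with drive and clipboard redirection turned off."""
    fixed = dict(settings)
    fixed["drivestoredirect"] = ("s", "")
    fixed["redirectclipboard"] = ("i", "0")
    return fixed


def to_rdp(settings: dict[str, tuple[str, str]]) -> str:
    """Serialise settings back into .rdp text, preserving each type tag."""
    return "".join(f"{name}:{kind}:{value}\n"
                   for name, (kind, value) in settings.items())
```

Run `drive_mapping_enabled(parse_rdp(text))` over each saved connection file on a client to find the ones that would hand their drives to a compromised RDP server, and write `to_rdp(harden(...))` back for those you want to close.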

Knowing Logutil

Logutil employs various techniques to avoid detection, including DLL sideloading, for example by leveraging the Windows Management Instrumentation service (Winmgmt).

Source: Bitdefender

On an infected system, Logutil:

  • establishes persistence,
  • communicates with the C&C server (either directly or via a proxy server on the same network), and
  • executes commands received from the C&C, which can involve loading DLL libraries, executing specific instructions, downloading or uploading files, and listing directories.

Concluding thoughts

Custom malware and the ability to exploit RDP connections with CDM enabled demonstrate the progressive nature of this threat actor’s activities. Using multiple layers of security builds barriers that are difficult for intruders to break and thus limits the scope of an attack. Detection capabilities, whether delivered as a product or as a service, should therefore be part of those layers.

author

PureVPN

date

June 22, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.