Bitdefender, one of the best antivirus software offerings around, has uncovered a worrying new malware that can extract sensitive information from an endpoint without the user ever finding out.
Dubbed RDStealer, the malware has been used as part of an ongoing espionage operation against East Asian infrastructure since 2022, which Bitdefender believes is state-sponsored due to its sophistication.
Although it failed to identify the specific culprit, Bitdefender believes that, “the target aligns with the interest of China-based threat actors.”
RDStealer malware
RDStealer is a server-side implant: it runs on a compromised RDP host and monitors incoming Remote Desktop Protocol (RDP) connections that have client drive mapping enabled. With drive mapping on, the connecting client's local drives are exposed to the server as a redirected share, which gives anything running on the server read access to the client's files. Clients that connect are infected with another custom malware called Logutil, a backdoor that helps extract sensitive data such as passwords and private keys. RDStealer can also log keystrokes and capture clipboard contents.
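The check below is an added example for this article, not code from Bitdefender's report or from the malware itself. It audits the two things a practitioner would want to know about the surface RDStealer abuses: whether an RDP host still permits client drive redirection (the standard `fDisableCdm` registry setting, via Group Policy or the RDP-Tcp listener), and, when run from inside an RDP session, whether the current client's drives are actually exposed to the server under `\\tsclient`. The `Write-Output` strings are the example's own; everything else is stock Windows.

```powershell
# Added example: audit an RDP host for client drive mapping, the feature
# RDStealer watches for. Registry paths and the fDisableCdm value are the
# standard Windows settings; the reporting text is this example's own.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$stationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# fDisableCdm = 1 means "Do not allow drive redirection". A Group Policy
# value, when present, overrides the per-listener value.
$policyValue  = Get-RegValueOrNull $policyKey  'fDisableCdm'
$stationValue = Get-RegValueOrNull $stationKey 'fDisableCdm'
$effective    = if ($null -ne $policyValue) { $policyValue } else { $stationValue }

$status = switch ($effective) {
    1       { 'drive redirection DISABLED (good)' }
    0       { 'drive redirection ALLOWED' }
    default { 'no explicit setting; the Windows default is to allow redirection' }
}
Write-Output "Host policy    : $status"
Write-Output "  GPO value      : $(if ($null -eq $policyValue)  { '<not set>' } else { $policyValue })"
Write-Output "  Listener value : $(if ($null -eq $stationValue) { '<not set>' } else { $stationValue })"

# Inside an RDP session whose client redirected its drives, those drives are
# visible to every process on the server as \\tsclient\<letter>. That share
# is exactly what a server-side implant reads from.
if ($env:SESSIONNAME -like 'RDP-*') {
    $exposed = foreach ($code in 67..90) {          # drive letters C..Z
        $share = "\\tsclient\$([char]$code)"
        if (Test-Path -LiteralPath $share) { $share }
    }
    if ($exposed) {
        Write-Output "Session $($env:SESSIONNAME) exposes client drives: $($exposed -join ', ')"
    } else {
        Write-Output "Session $($env:SESSIONNAME) exposes no client drives."
    }
} else {
    Write-Output 'Not running inside an RDP session; skipping the \\tsclient check.'
}

# Remediation (requires admin; uncomment to apply): enforce the policy value
# so the listener setting cannot silently re-enable redirection.
# New-Item -Path $policyKey -Force | Out-Null
# Set-ItemProperty -Path $policyKey -Name 'fDisableCdm' -Value 1 -Type DWord
```

Run it twice: once at the console of the host to see the effective policy, and once from an RDP session started with drive redirection on, to see the `\\tsclient` shares appear. Disabling redirection on servers that do not need it removes the data path entirely, which is a stronger control than trying to detect reads from the share after the fact.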
Bitdefender also says the campaign is more advanced than typical DLL sideloading attacks, in which a malicious DLL is dropped where a legitimate, trusted executable will load it by name: “Multiple DLL libraries are chained together… chosen locations blend well into the system, and the sideloading process itself is initiated through the clever utilization of the WMI subsystem.”
Both RDStealer and Logutil are written in Go, a language that compiles to native binaries for multiple operating systems, so the same code base can be built for Windows, Linux and other platforms. Bitdefender says it found references to both Linux and ESXi when analyzing domains connected to the attack, “indicating that the Logutil backdoor is a multiplatform tool.”
The company also noted that although the concept behind this attack method has been known for some time, this is the first time malware using it has been seen in the wild. It is concerned both by how readily the technique can be applied across a wide variety of platforms with minimal or no modification, and by how widespread remote desktop tooling has become since the pandemic.
To avoid detection, the threat actors placed the malware in folders that are commonly excluded from malware scanning, such as ‘%WinDir%\System32’ and ‘%WinDir%\security\database’.
Bitdefender posits that threat actors may have chosen this latter location in anticipation of administrators excluding it entirely from security scans, since Microsoft provides specific guidance on omitting certain files within this folder from such scans.
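As an added example (not from the article or from Bitdefender), the script below lists the local Microsoft Defender path exclusions with `Get-MpPreference` and flags any that would cover the two directories named above, so a dropped implant there would never be scanned. The two suspect directories come from the article; the matching logic and messages are the example's own, and the `-like` comparison is deliberately used so that wildcard exclusions such as `C:\Windows\*` are caught too.

```powershell
# Added example: find Defender exclusions that blanket the directories
# RDStealer was planted in. Suspect paths are from the article; matching
# logic is this example's own.

$suspectDirs = @(
    (Join-Path $env:WinDir 'System32'),
    (Join-Path $env:WinDir 'security\database')
)

function Expand-ExclusionPath([string]$Path) {
    # Exclusions are often written with environment variables, e.g. %WinDir%.
    [System.Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\')
}

function Test-CoversDirectory([string]$Exclusion, [string]$Directory) {
    # An exclusion covers a directory if it matches the directory itself or
    # any parent of it. -like is case-insensitive and honours * and ?, so
    # 'C:\Windows\*' and 'C:\Windows' both cover C:\Windows\System32, while
    # 'C:\Windows\System32\*.tmp' (a file pattern inside it) does not.
    $e = Expand-ExclusionPath $Exclusion
    $d = $Directory.TrimEnd('\')
    return ($d -like $e) -or ($d -like "$e\*")
}

$prefs      = Get-MpPreference
$exclusions = @($prefs.ExclusionPath | Where-Object { $_ })

if ($exclusions.Count -eq 0) {
    Write-Output 'No Defender path exclusions configured.'
}

foreach ($ex in $exclusions) {
    foreach ($dir in $suspectDirs) {
        if (Test-CoversDirectory -Exclusion $ex -Directory $dir) {
            Write-Warning "Exclusion '$ex' covers $dir; anything dropped there is never scanned."
        }
    }
}

# Extension and process exclusions widen the blind spot in the same way;
# print them so they get reviewed alongside the path list.
Write-Output "Path exclusions      : $($exclusions -join ', ')"
Write-Output "Extension exclusions : $($prefs.ExclusionExtension -join ', ')"
Write-Output "Process exclusions   : $($prefs.ExclusionProcess -join ', ')"
```

The practical lesson matches the article's point: where vendor guidance calls for excluding specific files under a system directory, exclude those files (or an extension) rather than the directory, and review the exclusion list whenever a host is onboarded or re-imaged.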
“This attack serves as a testament to the increasing sophistication of modern cyberattacks, but also underscores the fact that threat actors can leverage their newfound sophistication to exploit older, widely adopted technologies,” Bitdefender concludes.
To stay protected, the company suggests a “defense-in-depth architecture [which] involves employing multiple layers of overlapping security measures that are designed to protect against a variety of threats.”
“The use of multiple layers of security creates overlapping barriers that an attacker must overcome, which can reduce the likelihood of successful attacks, limit the scope of an attack if one occurs, and provide early warning of potential threats.”