New RDStealer malware steals from drives shared over Remote Desktop

A cyberespionage and hacking campaign tracked as 'RedClouds' uses the custom 'RDStealer' malware to automatically steal data from drives shared through Remote Desktop connections.

The malicious campaign was discovered by Bitdefender Labs, whose researchers have seen the hackers targeting systems in East Asia since 2022.

While they have been unable to attribute the campaign to specific threat actors, they mention that the threat actors' interests align with China and have the sophistication of a state-sponsored APT level.

Moreover, Bitdefender says the particular hackers have left traces of activity since at least 2020, initially using off-the-shelf tools and switching to custom malware in late 2021.

The Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that allows users to remotely connect to Windows desktops and use them as if they were in front of the computer.

This feature is extremely useful for various tasks, including remote working, technical and IT support, system administration, and server management.

Internet-exposed RDP servers are some of the most targeted online services as they provide a foothold to a corporate network. Once they gain access, threat actors can use this foothold to spread laterally throughout the corporate network in data theft and ransomware attacks.

The Remote Desktop Protocol includes a feature called 'device redirection,' which allows you to connect your local drives, printers, the Windows clipboard, ports, and other devices with the remote host, which are then accessible in your remote desktop sessions.

These shared resources are accessed via a special '\\tsclient' (terminal server client) network share that can then be mapped to drive letters in your RDP connection.

For example, if the local C:\ drive was shared via device redirection, it would be accessible as the '\\tsclient\c' share in the RDP session, which can then be used to access locally stored files from the remote Windows desktop.

The threat actors infect remote desktop servers with a custom RDStealer malware that takes advantage of this device redirection feature. It does this by by monitoring RDP connections and automatically stealing data from local drives once they are connected to the RDP server.

The five modules that comprise RDStealer are a keylogger, a persistence establisher, a data theft and exfiltration staging module, a clipboard content capturing tool, and one controlling encryption/decryption functions, logging, and file manipulation utilities.

Upon activation, RDStealer enters an infinite loop of calling the "diskMounted" function, which checks for the availability of the C, D, E, F, G, or H drives on the \\tsclient network shares. If it finds any, it notifies the C2 server and starts exfiltrating data from the connected RDP client.

It's worth noting that the locations and filename extensions the malware enumerates on C:\ drives include the KeePass password database, SSH private keys, Bitvise SSH client, MobaXterm, mRemoteNG connections, etc., clearly indicating that the attackers are after credentials that they can use for lateral movement.

On all other drives, RDStealer will scan everything, with some exceptions that are unlikely to host valuable data.

Bitdefender lacks insight into how Remote Desktop Servers become infected in the first place but found that the malware was stored in the following folders:

"As part of evasion tactic, threat actors used folders that are less suspected to contain malware and are often excluded from scanning by security solutions," explains BitDefender.

All data stolen from the compromised device are stored locally as encrypted strings in the "C:\users\public\log.log" file until they are transmitted to the attackers' servers.

The final stage of RDStealer's execution is to activate two DLL files, the Logutil backdoor ("bithostw.dll") and its loader ("ncobjapi.dll").

The RedClouds campaign also uses a custom Go-based backdoor named Logutil that allows the threat actors to remote execute commands and manipulate files on an infected device.

The malware uses passive and active DLL sideloading flaws to run on a breached system without getting detected and uses the Windows Management Instrumentation (WMI) as an activation trigger.

"This implant is highly effective to establish persistence on the system," describes Bitdefender.

"It can be triggered by either WMI service (automatically started with multiple recovery actions), or through WMI host process."

"There are often multiple instances of WMI host process (WmiPrvSE.exe) running, and there are multiple ways this process is started (including by DCOM interface for remote WMI calls)."

Logutil communicates directly with the C2 and obtains the commands to execute, as explained in the table below:

The researchers underline that Logutil's C2 contains references to ESXi and Linux, so it's likely that the threat actors already use Go's versatility to create a multi-platform backdoor.

Bitdefender has shared a complete list of the indicators of compromise in their report, so defenders are recommended to take note and apply multiple layers of overlapping security measures.

Chinese APT15 hackers resurface with new Graphican malware

CISA: New Submarine malware found on hacked Barracuda ESG appliances

FIN8 cybercrime gang backdoors US orgs with new Sardonic malware

RomCom hackers target NATO Summit attendees in phishing attacks

New PowerExchange malware backdoors Microsoft Exchange servers