New custom malware attacking Remote Desktop Protocol clients to steal sensitive login credentials.
In the recently uncovered ‘RedClouds’ cyberespionage campaign, attackers steal data from drives shared over RD connections using the ‘RDStealer’ malware.
Bitdefender Labs discovered this cyberespionage campaign and identified that the attackers have been actively targeting systems in East Asia since 2022.
The campaign’s operators are unknown, but their interests align with those of China, and their skills match those of government-sponsored APT groups.
Traces of the group’s activity go back to 2020. Initially they relied on ready-made tools, but in 2021 they shifted to their own custom malware.
Custom Malware Attacking RDP
Microsoft’s RDP protocol lets you establish remote connections to Windows computers and control them as if you were sitting in front of them.
The main goals of this malware attacking Remote Desktop are:-
- Steal credentials
- Exfiltration of data
The threat actors used several malicious tools in this campaign, and the following locations were used to hide them:-
- c:\windows\system32
- c:\windows\system32\wbem
- c:\windows\security\database
- %PROGRAM_FILES%\f-secure\psb\diagnostics
- %PROGRAM_FILES_x86%\dell\commandupdate
- %PROGRAM_FILES%\dell\md storage software\md configuration utility
To make the malware appear genuine, the attackers frequently chose the following two locations, which normally hold legitimate software:-
- %PROGRAM_FILES%
- %PROGRAM_FILES_x86%
Apart from this, the malware was also discovered in the following folder, where Windows keeps its security files:-
- c:\windows\security\database
The threat actors likely chose this location to avoid detection and make their presence look legitimate.
To maintain persistence, the Logutil backdoor indirectly took advantage of the Winmgmt service.
The exploitation relied on DLL hijacking, with the malicious loader placed at the following location:-
- %SYSTEM32%\wbem\ncobjapi.dll
The “Microsoft WMI Provider Subsystem” DCOM component is abused in this campaign, as revealed by the Winmgmt service’s behavior. It is found at the following location:-
- c:\windows\system32\wbem\wmiprvsd.dll
The wmiprvsd.dll file depends on ncobjapi.dll, whose legitimate copy is located in:-
However, because of how the DLL search order works, the %SYSTEM32%\wbem folder is checked first, so the malicious loader is loaded instead of the legitimate DLL.
The threat actors use an unusual DLL sideloading method. Instead of making ncobjapi.dll the final payload, they use other DLL files, such as bithostw.dll located in “c:\windows\system32” or “c:\windows\system32\wbem”.
Packages Used in Attack
According to the report shared with Cyber Security News, the malware is composed of the following packages:-
- cli: Implements capture of the clipboard content using Windows APIs such as OpenClipboard and GetClipboardData.
- key: Implements keystroke capture alongside window name.
- main: Acts as the orchestrator and uses the package modules to perform persistence setup and start the routine for data collection if certain conditions are met.
- modules: Implements different functions used for collecting and staging the data for further exfiltration.
- utils: Implements encryption and decryption functions, file attribute manipulation, and a log function.
RDP Attack Execution
Logutil is a Go-based backdoor that gives the attacker control over the victim’s network.
It can download/upload files and execute commands to maintain a foothold in the victim’s network.
The main.Log function in Logutil starts by decrypting the stored configuration string: the string is base64-encoded, and the decoded result is then decrypted with a byte-wise XOR operation.
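The two-step decoding described above, written out as an added analyst-side example (not code from the Bitdefender report or from Logutil itself). The config text and the key byte are constructed for illustration, and a single-byte XOR key is an assumption, since the article only says “XOR-byte operation”; the last function covers the case where the key is not known and has to be shortlisted.

```go
package main

import "encoding/base64"

// Constructed sample (not from the report); a one-byte XOR key is an assumption.
const samplePlain = "c2=c2.example.invalid:443;drive=tsclient"
const sampleKey = byte(0xA7)

// xorBytes XORs every byte of data with a single-byte key.
func xorBytes(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// sampleStored produces the stored form the article describes: XOR, then base64.
func sampleStored() string {
	return base64.StdEncoding.EncodeToString(xorBytes([]byte(samplePlain), sampleKey))
}

// decodeConfig reverses main.Log's two steps: base64-decode, then XOR with the key.
func decodeConfig(stored string, key byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	return string(xorBytes(raw, key)), nil
}

// candidateKeys handles an unknown key: it tries all 256 one-byte keys and keeps those
// whose output is all printable ASCII (a config is text). Several may pass: a shortlist.
func candidateKeys(stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	var keys []byte
next:
	for k := 0; k < 256; k++ {
		for _, c := range xorBytes(raw, byte(k)) {
			if c < 0x20 || c > 0x7e {
				continue next
			}
		}
		keys = append(keys, byte(k))
	}
	return keys, nil
}
```

Because a low-bit flip of readable text is still readable text, printability alone yields more than one candidate, which is why the shortlist is meant to be inspected rather than trusted blindly.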
The threat actors infect remote desktop servers with the custom RDStealer malware, which abuses a Remote Desktop Protocol feature called “device redirection.”
To do so, it monitors RDP connections and, as soon as a client connects to the RDP server, automatically extracts data from the redirected local drives.
The commands supported by Logutil are:-
Moreover, Logutil’s command and control (C2) framework, as discovered by the researchers, includes mentions of ESXi and Linux.
This suggests that the malicious actors are probably leveraging the flexibility of the Go programming language to develop a backdoor that can operate on multiple platforms.