In the vast and evolving landscape of cyber threats, it is not uncommon to find state-of-the-art strategies in action. In a perfect illustration of such sophistication, an East Asian IT company fell victim to an advanced and targeted cyber-espionage operation that lasted more than a year. The orchestrators of this attack, suspected to be China-based actors, used custom malware written in Go (Golang), dubbed RDStealer.
Bitdefender security researcher Victor Vrabie unveiled the cyber assault in a technical report, revealing the magnitude of this operation, known as RedClouds, which aimed at stealing credentials and exfiltrating data.
An Evolutionary Attack Strategy
At the onset, the threat actors relied on well-established remote access and post-exploitation tools such as AsyncRAT and Cobalt Strike. However, to evade detection, they later transitioned to RDStealer, a custom malware, presumably in late 2021 or early 2022.
The intruders demonstrated an understanding of potential security loopholes. A notable tactic involved hiding their backdoor payloads in Microsoft Windows folders that are likely to be excluded from security scans (e.g., System32 and Program Files). A particular target was the "C:\Program Files\Dell\CommandUpdate" subfolder, the directory of the legitimate Dell application Dell Command | Update.
This choice of folder suggested a clear intent. The actors, in an apparent effort to camouflage their activity, infected only Dell-manufactured machines, where that directory would be expected to exist.
Malicious Command and Control
Further emphasizing their stealth, the threat actors registered command-and-control (C2) domains with misleading names such as "dell-a[.]ntp-update[.]com," so that their traffic blended into the target environment.
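A defender can hunt for this kind of vendor-lookalike C2 domain in DNS query logs by checking whether a trusted vendor's name appears in a hostname whose registrable domain the vendor does not actually own. The following Python example is added here and is not code from the original article or from Bitdefender; the DNS log lines are constructed, the allowlist of vendor-owned domains is a hypothetical placeholder, and the registrable-domain logic is simplified to the last two labels (a real deployment would use the Public Suffix List). The only domain from the article is the defanged C2 name, which the example refangs before matching.

```python
"""Flag DNS queries for vendor-lookalike hostnames (added example, constructed data)."""
from typing import Dict, List, NamedTuple, Optional, Set

# Hypothetical allowlist: registrable domains that each vendor actually owns.
VENDOR_DOMAINS: Dict[str, Set[str]] = {
    "dell": {"dell.com"},
}

# Constructed sample DNS query log: "<timestamp> <client-ip> <queried-name>".
# The second and fourth lines carry the (defanged) C2 name from the article.
SAMPLE_DNS_LOG = """\
2022-03-01T10:00:01Z 10.0.0.5 downloads.dell.com
2022-03-01T10:00:07Z 10.0.0.5 dell-a.ntp-update.com
2022-03-01T10:00:09Z 10.0.0.9 www.example.org
2022-03-01T10:00:15Z 10.0.0.5 dell-a[.]ntp-update[.]com
"""


class Finding(NamedTuple):
    client_ip: str
    qname: str
    vendor: str
    registrable: str


def refang(name: str) -> str:
    """Turn a defanged name like a[.]b[.]c back into a.b.c, normalised to lower case."""
    return name.replace("[.]", ".").lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """Simplified registrable domain: the last two labels (Public Suffix List omitted)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def lookalike_vendor(client_ip: str, qname: str) -> Optional[Finding]:
    """Return a Finding when a vendor keyword appears in a name the vendor does not own."""
    name = refang(qname)
    registrable = registrable_domain(name)
    for vendor, owned in VENDOR_DOMAINS.items():
        if registrable in owned:
            continue  # Genuine vendor infrastructure.
        if any(vendor in label for label in name.split(".")):
            return Finding(client_ip, name, vendor, registrable)
    return None


def scan_dns_log(text: str) -> List[Finding]:
    """Parse the three-column log format above and collect lookalike findings."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # Malformed line; skip rather than crash the hunt.
        finding = lookalike_vendor(parts[1], parts[2])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f.client_ip} queried {f.qname}: looks like '{f.vendor}' but "
              f"{f.registrable} is not a known {f.vendor} domain")
```

Keyword matching by substring is deliberately loose so that variants such as "dell-a" or "dellupdate" are caught; the allowlist, not the keyword, is what prevents false positives on the vendor's real hosts, so it must be maintained.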
RDStealer's functionality is diverse, but it particularly excels at gathering clipboard content and keystroke data. The malware actively monitors incoming Remote Desktop Protocol (RDP) connections and can compromise the connecting machine if client drive mapping is enabled. Once a new RDP client connection is detected, RDStealer promptly exfiltrates sensitive data such as browsing history, credentials, and private keys from applications including mRemoteNG, KeePass, and Google Chrome.
The connecting RDP clients are then infected with another custom malware, Logutil, maintaining a persistent foothold on the victim network, facilitating command execution and further spreading the infection.
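Because client drive mapping exposes the connecting client's drives to the session host under the \\tsclient\<letter> share, the spread to RDP clients described above leaves a concrete trace: a process on the compromised host writing files, in particular executables, into a \\tsclient path. The following Python example is added here and is not code from the article or from Bitdefender; it correlates constructed session and file-write telemetry (hypothetical field names, not any specific EDR's schema) to surface such writes, rating those of executable files as high severity and still reporting writes whose session record is missing.

```python
"""Correlate RDP sessions with writes to \\tsclient shares (added example, constructed data)."""
import json
import ntpath
from typing import Dict, List, NamedTuple

# Client drive mapping mounts the RDP client's drives on the host as \\tsclient\<letter>.
TSCLIENT_PREFIX = "\\\\tsclient\\"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".scr"}

# Constructed sample telemetry as JSON lines; field names are hypothetical.
SAMPLE_EVENTS = r"""
{"ts": "2022-03-01T09:00:00Z", "kind": "rdp_session", "session_id": "s1", "client_ip": "10.0.0.20", "drive_redirection": true}
{"ts": "2022-03-01T09:00:42Z", "kind": "file_write", "session_id": "s1", "path": "\\\\tsclient\\C\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"}
{"ts": "2022-03-01T09:05:00Z", "kind": "rdp_session", "session_id": "s2", "client_ip": "10.0.0.21", "drive_redirection": false}
{"ts": "2022-03-01T09:06:10Z", "kind": "file_write", "session_id": "s2", "path": "C:\\Users\\bob\\Documents\\report.docx"}
{"ts": "2022-03-01T09:12:30Z", "kind": "file_write", "session_id": "s1", "path": "\\\\tsclient\\C\\Users\\alice\\Documents\\notes.txt"}
{"ts": "2022-03-01T11:00:00Z", "kind": "file_write", "session_id": "s9", "path": "\\\\tsclient\\C\\Users\\carol\\late.exe"}
"""


class Finding(NamedTuple):
    ts: str
    session_id: str
    client_ip: str
    path: str
    severity: str


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_tsclient_path(path: str) -> bool:
    """True when the path targets a drive mapped in from the RDP client."""
    return path.lower().startswith(TSCLIENT_PREFIX)


def detect_tsclient_writes(events: List[dict]) -> List[Finding]:
    """Report every file write into \\tsclient, enriched with the session's client IP."""
    sessions: Dict[str, dict] = {}
    findings: List[Finding] = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "rdp_session":
            sessions[ev["session_id"]] = ev
            continue
        if ev["kind"] != "file_write" or not is_tsclient_path(ev["path"]):
            continue
        session = sessions.get(ev["session_id"])
        # A missing session record is a telemetry gap, not a reason to drop the alert.
        client_ip = session["client_ip"] if session else "unknown"
        extension = ntpath.splitext(ev["path"])[1].lower()
        severity = "high" if extension in EXECUTABLE_EXTENSIONS else "low"
        findings.append(Finding(ev["ts"], ev["session_id"], client_ip, ev["path"], severity))
    return findings


if __name__ == "__main__":
    for f in detect_tsclient_writes(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity}] {f.ts} session {f.session_id} (client {f.client_ip}) wrote {f.path}")
```

Any write from the session host into the client's drive is unusual enough to log; an executable dropped into a client's Temp or profile directory is the pattern to page on. Where drive redirection is not needed, disabling it on the host side removes this path entirely.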
State-Sponsored Sophistication
The threat actors behind this scheme have been active since at least 2020, their methods indicating the sophistication expected of state-sponsored threats.
"Cybercriminals continually innovate and explore novel methods to enhance the reliability and stealthiness of their malicious activities," said Marin Zugec of Bitdefender. "This attack serves as a testament to the increasing sophistication of modern cyberattacks, and the fact that threat actors can leverage their newfound sophistication to exploit older, widely adopted technologies."
Key Terms
Malware: Short for malicious software, it refers to any software designed to harm or exploit any computing device or network.
Golang: An open-source programming language that's used to build simple, reliable, and efficient software.
AsyncRAT and Cobalt Strike: Tools used by cybercriminals for remote access and post-exploitation operations.
Backdoor Payloads: Unauthorized access points into a computer or a network, often hidden in malware payloads.
Command-and-Control (C2) Domains: Servers through which cybercriminals control malware or compromised systems.
Remote Desktop Protocol (RDP): A protocol that allows one to connect to and control another computer or virtual network.
DLL Side-Loading: A technique used by attackers to execute malicious payloads by loading a DLL with the same name as a legitimate DLL file.
Data Exfiltration: Unauthorized transfer of data from a computer or network to an external destination or recipient.
Client Drive Mapping: A feature that allows access to local drives during a remote desktop session.
Summary
A highly targeted and sophisticated cyber attack was discovered targeting an East Asian IT company using a custom malware known as RDStealer. The attack, dubbed RedClouds, lasted for over a year and aimed to compromise credentials and perform data exfiltration. The perpetrators appear to be a state-sponsored entity due to the level of sophistication and strategy involved.