Bitdefender Labs identified a cyberespionage operation called RedClouds that employs a customized malware known as RDStealer to systematically extract data from shared drives accessed via Remote Desktop connections. The campaign has been targeting systems primarily in East Asia since 2022, although malicious activity linked to these hackers has been detected as early as 2020.
Diving into details
The operation initially relied on commonly available RATs such as AsyncRAT and Cobalt Strike. However, in late 2021 or early 2022, the threat actors switched to custom-made malware to avoid detection.
All the infected systems were manufactured by Dell, which suggests a deliberate effort to make the malicious activity blend in with legitimate Dell-related traffic on those systems.
By registering domain names resembling legitimate Dell infrastructure, such as "dell-a[.]ntp-update[.]com," the attackers aimed to blend in seamlessly.
RedClouds utilized a server-side backdoor called RDStealer, specializing in continuously gathering clipboard content and keystroke data from compromised hosts.
What makes RDStealer special?
The distinguishing feature of RDStealer is its ability to monitor incoming Remote Desktop Protocol (RDP) connections and exploit a remote machine when client drive mapping is enabled.
Upon detecting a new RDP client connection, RDStealer executes commands to extract valuable data, including browsing history, credentials, and private keys from applications such as mRemoteNG, KeePass, and Google Chrome.
Furthermore, the RDP clients connecting to the compromised system are themselves infected with Logutil, a custom Golang-based malware. Logutil uses DLL sideloading to maintain persistence within the victim network and lets the threat actors execute commands.
A second analysis by Bitdefender notes that this reflects the attackers' active pursuit of credentials and saved connections to other systems, underscoring their intent to gain unauthorized access to sensitive information.
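Because RDStealer waits for an incoming RDP session and then reads the client's redirected drives (which Windows exposes under \\tsclient\<letter>), one defensive signal is a non-interactive process reading \\tsclient\ paths on the server. The script below is an added illustration of that detection logic, not Bitdefender's code; the flat event layout and the sample events are constructed, and the assumption is that a file-monitoring sensor reports the accessing process alongside the path.

```python
# Constructed sample events (not real logs; the flat dict layout is an
# assumption). "logon" mirrors Security 4624 with LogonType 10 = RDP;
# "file" is a file-access record as a file-monitoring sensor might report it.
SAMPLE_EVENTS = [
    {"time": "2023-06-20T09:00:00", "kind": "logon", "logon_type": 10,
     "user": "alice", "src_ip": "192.0.2.10"},
    {"time": "2023-06-20T09:00:03", "kind": "file", "process": "explorer.exe",
     "path": r"\\tsclient\C\Users\alice\Documents\report.docx"},
    {"time": "2023-06-20T09:00:09", "kind": "file", "process": "svchost.exe",
     "path": r"\\tsclient\C\Users\alice\Documents\notes.txt"},
    {"time": "2023-06-20T09:00:12", "kind": "file", "process": "svchost.exe",
     "path": r"\\tsclient\C\Users\alice\AppData\Roaming\mRemoteNG\confCons.xml"},
    {"time": "2023-06-20T11:00:05", "kind": "file", "process": "backup.exe",
     "path": r"D:\shares\finance\ledger.xlsx"},
]

# Processes expected to touch a redirected client drive in a normal session.
ALLOWED_PROCESSES = {"explorer.exe"}
# Artefacts the campaign is reported to collect; escalate when the path matches.
HIGH_VALUE_MARKERS = ("keepass", ".kdbx", "mremoteng", r"google\chrome")
# Drives mapped by the RDP client appear under \\tsclient\<letter>.
TSCLIENT_PREFIX = "\\\\tsclient\\"

def is_client_drive(path):
    return path.lower().startswith(TSCLIENT_PREFIX)

def severity(path):
    p = path.lower()
    return "high" if any(m in p for m in HIGH_VALUE_MARKERS) else "medium"

def find_client_drive_access(events, allowed=ALLOWED_PROCESSES):
    """Alert on non-allowed processes reading tsclient paths, tagging each
    alert with the most recent RDP logon (the session whose drive is exposed)."""
    last_rdp, alerts = None, []
    for e in sorted(events, key=lambda ev: ev["time"]):  # ISO timestamps sort lexically
        if e["kind"] == "logon" and e["logon_type"] == 10:
            last_rdp = e
        elif e["kind"] == "file" and is_client_drive(e["path"]):
            if e["process"].lower() in allowed:
                continue
            alerts.append({
                "time": e["time"], "process": e["process"], "path": e["path"],
                "severity": severity(e["path"]),
                "rdp_user": last_rdp["user"] if last_rdp else None,
                "rdp_src_ip": last_rdp["src_ip"] if last_rdp else None,
            })
    return alerts
```

On hosts that do not need drive redirection at all, disabling it through Group Policy removes the exposure rather than just detecting it.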
The bottom line
As cybercriminals persistently seek new ways to improve the effectiveness and stealth of their attacks, this campaign highlights the escalating sophistication of modern cyberattacks. It also shows how threat actors leverage advanced techniques to target older, widely used technologies. The most effective defense against such attacks is the implementation of multiple layers of comprehensive security measures designed to safeguard against diverse threats.