RDStealer: Unmasking a New Cyber Espionage Threat Exploiting Remote Desktop Protocols

Mobile employees give attackers new attack surfaces, which they increasingly use to establish command-and-control communications.

This is demonstrated by a recent cyber espionage campaign. Bitdefender Labs has observed a new attack, RDStealer, for the first time; it abuses remote connections made via the Remote Desktop Protocol (RDP). The hackers’ goal is to compromise access credentials and exfiltrate data or certificates. The perpetrators of this cyber espionage attack likely began their activities in East Asia as early as 2022. They employ an attack concept that security experts can now, for the first time, substantiate with a real-world example. The malware cannot be attributed to a single perpetrator, but the attack targets and the complexity of the operation point towards a Chinese Advanced Persistent Threat (APT) group.

Attackers monitor RDP connections

RDStealer possesses novel capabilities to compromise the downstream connectivity of Remote Desktop Protocol (RDP) clients. Attackers can monitor RDP connections and, if the IT department has enabled Client Drive Mapping (CDM) in the RDP protocol, remotely use the connected client systems. CDM is one of the virtual channels the RDP protocol implements for data exchange between the RDP client and the RDP server; with it, the client’s local drives become reachable from the server session.

Subsequently, the hackers employ a range of tools to gather information from remote administration and credential-storing applications, such as MobaXterm, mRemoteNG, KeePass, Chrome passwords, and Chrome history. They also attempt to read MySQL data from server memory and to access the Local Security Authority Subsystem Service (LSASS). Equally important is the collection of information about servers, access credentials, and stored connections to other systems. These details aid in establishing a command-and-control infrastructure.

Concealment through complex DLL sideload techniques

RDStealer, written in Go and therefore portable across platforms, abuses the legitimate Windows Management Instrumentation (WMI) service on the target server to exchange files between the remote server and the administrator workstation. A compromised RDP host, serving as the hub for command-and-control communication, infects an associated client with the Logutil backdoor, disguised as the legitimate ncobjapi.dll library. The attackers store the tools for abusing a remote connection for command-and-control communication and data exfiltration in locations where defenders are least likely to suspect malware, calculating that IT security personnel are less likely to subject these locations to malware scans. These locations include:

%WinDir%\System32
%WinDir%\System32\wbem
%WinDir%\security\database
%PROGRAM_FILES%\f-secure\psb\diagnostics
%PROGRAM_FILES_x86%\dell\commandupdate
%PROGRAM_FILES%\dell\md storage software\md configuration utility

The malware also remains hidden on the system for an extended period, continuously searching for and exfiltrating information.
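The locations above and the ncobjapi.dll disguise suggest a straightforward hunting check for defenders: look for binaries in those directories that carry no valid signature, and for copies of a Windows system DLL that sit outside System32 (the DLL-sideload pattern). The following script is an added example, not code from Bitdefender or from the article; it runs over a constructed file inventory of the kind an EDR or PowerShell export would produce, and the placeholder expansions (C:\Windows, C:\Program Files, C:\Program Files (x86)), the SysWOW64/WinSxS allowlist and the sample file names other than ncobjapi.dll are assumptions for the example.

```python
"""Hunt for the hiding places and DLL-sideload pattern described in the article.

Added example (not Bitdefender's or the article's code). It expands the
%WinDir% / %PROGRAM_FILES% placeholders the article uses, then flags
(1) unsigned binaries in those directories and (2) DLLs that reuse the name
of a System32 library outside System32. The inventory is constructed.
"""
import ntpath
from dataclasses import dataclass

# Locations listed in the article, with the same placeholders.
WATCHED_LOCATIONS = [
    r"%WinDir%\System32",
    r"%WinDir%\System32\wbem",
    r"%WinDir%\security\database",
    r"%PROGRAM_FILES%\f-secure\psb\diagnostics",
    r"%PROGRAM_FILES_x86%\dell\commandupdate",
    r"%PROGRAM_FILES%\dell\md storage software\md configuration utility",
]

# Assumed expansions for a default installation (assumption, not from the article).
PLACEHOLDERS = {
    "%WinDir%": r"C:\Windows",
    "%PROGRAM_FILES%": r"C:\Program Files",
    "%PROGRAM_FILES_x86%": r"C:\Program Files (x86)",
}

SYSTEM_DIR = r"c:\windows\system32"
# Directories where duplicates of system DLLs are legitimate (starting allowlist, an assumption).
LEGIT_DUPLICATE_PREFIXES = (r"c:\windows\syswow64", r"c:\windows\winsxs")
BINARY_EXTENSIONS = {".dll", ".exe"}


@dataclass(frozen=True)
class FileRecord:
    path: str
    signed: bool   # Authenticode signature present and valid
    signer: str    # subject of the signing certificate, "" if unsigned


def expand(location: str) -> str:
    """Replace the article's placeholders and normalise case for comparison."""
    for key, value in PLACEHOLDERS.items():
        location = location.replace(key, value)
    return location.lower()


def in_watched_location(path: str) -> bool:
    """True when the file sits directly in one of the listed directories."""
    directory = ntpath.dirname(path).lower()
    return any(directory == expand(loc) for loc in WATCHED_LOCATIONS)


def system_dll_names(inventory):
    """Names of DLLs present in System32; a copy elsewhere is a sideload candidate."""
    return {
        ntpath.basename(r.path).lower()
        for r in inventory
        if ntpath.dirname(r.path).lower() == SYSTEM_DIR and r.path.lower().endswith(".dll")
    }


def audit(inventory):
    """Return (path, reason) pairs for records worth an analyst's look."""
    findings = []
    known_system_dlls = system_dll_names(inventory)
    for rec in inventory:
        if ntpath.splitext(rec.path)[1].lower() not in BINARY_EXTENSIONS:
            continue
        name = ntpath.basename(rec.path).lower()
        directory = ntpath.dirname(rec.path).lower()
        if in_watched_location(rec.path) and not rec.signed:
            findings.append((rec.path, "unsigned binary in a location the article lists"))
        if (name in known_system_dlls and directory != SYSTEM_DIR
                and not directory.startswith(LEGIT_DUPLICATE_PREFIXES)):
            findings.append((rec.path, f"copy of system DLL {name} outside System32 (sideload candidate)"))
    return findings


# Constructed inventory: one legitimate ncobjapi.dll, one look-alike in a listed Dell directory.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\ncobjapi.dll", True, "Microsoft Windows"),
    FileRecord(r"C:\Windows\SysWOW64\ncobjapi.dll", True, "Microsoft Windows"),
    FileRecord(r"C:\Windows\System32\wbem\example_provider.dll", True, "Microsoft Windows"),
    FileRecord(r"C:\Program Files\dell\md storage software\md configuration utility\mdconfig.exe", True, "Dell Inc."),
    FileRecord(r"C:\Program Files\dell\md storage software\md configuration utility\ncobjapi.dll", False, ""),
    FileRecord(r"C:\Windows\security\database\readme.txt", False, ""),
    FileRecord(r"C:\Users\admin\Downloads\installer.exe", False, ""),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

On a real host the inventory would come from a signature-aware file listing; the two checks are deliberately independent so that an unsigned tool in a listed directory is reported even when its name mimics nothing, and a signed-looking copy of a system DLL is still reported when it appears beside an application that may load it.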
