Researchers uncover novel RDStealer malware targeting remote desktop protocol


Security researchers have uncovered a brand-new malware strain targeting Windows’ remote desktop protocol (RDP).

Experts at Bitdefender Labs revealed the newly discovered malware today, dubbed RDStealer. 

RDStealer takes the form of a server-side implant that monitors incoming connections with client drive mapping enabled.

Once connected, an RDP client is infected with the Logutil malware, allowing data (including credentials and private keys) to be extracted.

The attack chain associated with RDStealer involves a typical DLL sideloading technique, but researchers observed that the level of disguise observed in this campaign “surpasses anything witnessed thus far”.

DLL sideloading takes advantage of how Windows locates libraries. An attacker gives a malicious binary the same name as a trusted DLL and drops it into the same folder as a trusted application, or into a location earlier in the library search order.

When that application launches, the malicious binary is loaded and launched with it.


The attack chains multiple DLL libraries together, and the process is initiated through Windows Management Instrumentation (WMI).

The cross-platform nature of RDStealer represents an even more significant threat, since both the RDStealer and Logutil malware samples have been written in the Go programming language.

During an analysis of domains connected to the attack, researchers noted references to Linux and ESXi - the VMware hypervisor - indicating the multiplatform potential of the Logutil backdoor.

The attack itself appears more concerned with the theft of data and credentials, and it uses folders that scanners are likely to exclude, such as %WinDir%\System32\.

Researchers also found malware in the %WinDir%\security\database directory, for which Microsoft has advised administrators to exclude specific files from scanning.

The findings suggest the attackers have anticipated administrators simply excluding the entire folder.

RDStealer: How does the attack work?

RDStealer specializes in data gathering, clipboard capturing, and keylogging.

It also monitors incoming RDP connections and can compromise a remote machine if Client Drive Mapping (CDM) is enabled. 

CDM is a commonly used feature and must be enabled at both the client and server ends. It permits users to access and transfer files between their local machine and the remote server via RDP and allows administrators to move files between a remote server and their admin workstation.

On a compromised machine, RDStealer collects clipboard data and keystrokes, then checks for the availability of a tsclient connection and of one of the C, D, E, F, G or H drives (these are created automatically when CDM is enabled and represent disks on the connected RDP client).

Data is exfiltrated and the Logutil backdoor is deployed to both maintain a foothold in the victim’s network and provide capabilities such as file download/upload and command execution.

The abuse of WMI by this malware to establish persistence on the system is particularly unusual.

The malware can be triggered by either the WMI service or host process and makes use of a library (ncobjapi.dll) that has previously been weaponized by other groups. 

However, in this instance, the library is simply used to launch the Logutil payload as part of the sideloading chain.
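The two hiding techniques above (parking payloads in a folder admins tend to exclude wholesale from scanning, and using WMI for persistence) can be checked for from the defender's side. The following PowerShell script is an added example written for this article, not code from Bitdefender's report; it assumes Microsoft Defender is the scanner in use and that WMI permanent event subscriptions are the persistence mechanism worth listing, which the report does not specify.

```powershell
# Added defender-side audit (example only, not from the Bitdefender report).
# Assumes Microsoft Defender (Get-MpPreference) and admin rights on the host.
$winDir = $env:WinDir
$dbDir  = Join-Path $winDir 'security\database'

# 1. Whole-directory exclusions under the Windows folder are exactly what the
#    attackers counted on. Microsoft's guidance excludes specific files in
#    security\database, not the directory itself.
$pref = Get-MpPreference
foreach ($p in $pref.ExclusionPath) {
    if ($p -like "$winDir*" -and (Test-Path -Path $p -PathType Container)) {
        Write-Warning "Entire directory excluded from scanning: $p"
    }
}

# 2. security\database normally holds only the local security database files
#    (.sdb/.edb/.log/.chk). Any DLL or EXE there is anomalous; report it with
#    its Authenticode status so an unsigned or oddly signed file stands out.
Get-ChildItem -LiteralPath $dbDir -File -Include *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Size    = $_.Length
            Written = $_.LastWriteTime
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Status  = $sig.Status
        }
    } | Format-Table -AutoSize

# 3. Permanent WMI event subscriptions (assumed mechanism): list every
#    filter-to-consumer binding so unexpected consumers can be reviewed.
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer |
    Format-List
```

Run it elevated; on a clean host step 2 prints nothing and step 3 typically shows only subscriptions you or your management tooling created.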

How to prevent infection

The research is a reminder that attacks will continue to get ever more sophisticated as tactics evolve, particularly with the move to remote work. 

All virtual channels are capable of transferring data and can be weaponized, so administrators must consider exposed entry points and deploy automated protection controls.

And, as researchers note, “the best protection against modern attacks remains the defense-in-depth architecture”.

Richard Speed
Staff Writer

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITProCloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.

Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.