Highlights:

  • According to researchers at Bitdefender Labs, this is the first instance of this type of attack that has been documented.
  • The researchers contend that defense-in-depth architecture is the best defense against current cyber threats.

Recently, S.C. Bitdefender SRL researchers issued a warning about new custom malware that actively targets Remote Desktop Protocol (RDP) clients in order to steal data.

The server-side implant, dubbed “RDStealer,” was first identified in a state-sponsored East Asian espionage operation called RedClouds. It monitors incoming RDP connections that have client drive mapping enabled, infects the connecting RDP clients with a Logutil backdoor, and exfiltrates sensitive data from them.

The RDStealer malware is noteworthy because it uses an advanced dynamic link library (DLL) sideloading method. According to the report, the stealthy approach combines several DLLs that blend into the system and are started by the Windows Management Instrumentation (WMI) subsystem. The malware and its companion backdoor, Logutil, are written in the Go programming language, allowing them to operate on multiple platforms.
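The two behaviours described above (a server-side process touching a client drive mapped over RDP, and a DLL loaded from an unexpected location by sideloading) can both be surfaced by simple endpoint telemetry rules. The following is an added example written for this page, not code from Bitdefender or from the report; it runs two heuristics over a handful of constructed Sysmon-style events (event IDs 7 "image loaded" and 11 "file create", with their real field names `Image`, `ImageLoaded` and `TargetFilename`). The DLL name list, the allowed-writer list and all sample paths are assumptions made for the example.

```python
"""Added example (not from the Bitdefender report): two detection heuristics
over constructed Sysmon-style events, modelled on the behaviours the article
describes, namely DLL sideloading and a server-side process writing to a
client drive redirected over RDP (\\tsclient\<letter>).  Event shapes and
sample values are constructed for the example, not real telemetry."""
import ntpath

# DLL base names that normally live in System32.  A module with one of these
# names loaded from any other directory is a classic sideloading indicator.
# Constructed list; a real deployment would build it from an inventory of the
# host's System32 directory.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Processes expected to write to a redirected client drive in a normal session
# (constructed allow-list for the example).
EXPECTED_TSCLIENT_WRITERS = {r"c:\windows\explorer.exe"}

# Prefix of a redirected RDP client drive as seen from the server side.
TSCLIENT_PREFIX = "\\\\tsclient\\"


def is_sideload_candidate(event: dict) -> bool:
    """Event ID 7 (image loaded): a system-named DLL outside the system dirs."""
    if event.get("EventID") != 7:
        return False
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    in_system_dir = ntpath.dirname(loaded) in SYSTEM_DIRS
    return name in SYSTEM_DLL_NAMES and not in_system_dir


def is_tsclient_write(event: dict) -> bool:
    """Event ID 11 (file create) onto a redirected client drive by a process
    that is not expected to write there."""
    if event.get("EventID") != 11:
        return False
    target = event["TargetFilename"].lower()
    writer = event["Image"].lower()
    return target.startswith(TSCLIENT_PREFIX) and writer not in EXPECTED_TSCLIENT_WRITERS


def run_detections(events) -> list:
    """Return (rule, process, path) tuples for every event that fires a rule."""
    alerts = []
    for e in events:
        if is_sideload_candidate(e):
            alerts.append(("dll_sideload", e["Image"], e["ImageLoaded"]))
        if is_tsclient_write(e):
            alerts.append(("tsclient_write", e["Image"], e["TargetFilename"]))
    return alerts


# Constructed sample events: one benign and one suspicious case per rule.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},            # benign load
    {"EventID": 7, "Image": r"C:\ProgramData\Updater\upd.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\version.dll"},         # sideload
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\tsclient\C\Users\bob\notes.txt"},        # user copy
    {"EventID": 11, "Image": r"C:\ProgramData\Updater\upd.exe",
     "TargetFilename": r"\\tsclient\C\Users\bob\AppData\x.dll"},    # suspicious
]

if __name__ == "__main__":
    for rule, proc, path in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {proc} -> {path}")
```

Both rules are deliberately signature-free: they key on where a module was loaded from and which process wrote across the RDP drive boundary, so they do not depend on the file names or hashes of a particular campaign. Expect the allow-list of expected `\\tsclient\` writers to need tuning per environment.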

The researchers at Bitdefender Labs assert that this is the first known instance of this attack technique, pointing to the growing sophistication of cybercriminal activity. The discovery demonstrates how threat actors use new techniques to exploit established, widely used technologies, and underlines the need for robust, multi-layered security measures.

Although the report details RDStealer’s operational procedures, its advice for reducing the risk of compromise applies to security posture in general, not just to this one threat.

The researchers say a defense-in-depth architecture offers the best defense against current cyber threats. A defense-in-depth strategy layers several overlapping defenses so that no single control has to stop every threat.

Mastering prevention capabilities is essential to the strategy: reducing the exposed attack surface, identifying and patching vulnerabilities, and regularly reviewing access policies. All potential threat entry points should be covered by automated protection controls, such as next-generation antivirus and integrated reputation controls for IP addresses, URLs, and domains.

Detection capabilities become crucial if a threat actor manages to get around those controls. The researchers emphasize the need for endpoint detection and response (EDR), extended detection and response (XDR), or managed detection and response (MDR) services that shorten the time a threat goes undetected.

The researchers also state that maintaining response capabilities across each of these layers is essential for lowering security risk. Examples include applying patches, investigating possible security incidents, and limiting damage after a breach. Implementing such procedures makes it more likely that cybersecurity incidents will not develop into serious breaches.