A highly targeted cyber attack against an East Asian IT company involved the deployment of custom malware written in Golang, called RDStealer.
“This operation was active for over a year with the ultimate goal of compromising credentials and data exfiltration,” Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.
Evidence gathered by the Romanian cybersecurity firm suggests that the campaign started in early 2022. The target is an unspecified IT company located in East Asia.
In its initial phase, the operation relied on available remote access trojans such as AsyncRAT and Cobalt Strike, before turning to bespoke malware in late 2021 or early 2022 in an effort to thwart detection.
The main evasion tactic involves using Microsoft Windows folders that security software tends to exclude from scanning (for example, System32 and Program Files) to store the backdoor payloads.
One of the sub-folders in question is “C:\Program Files\Dell\CommandUpdate,” which is the directory for the official Dell application named Dell Command | Update.
Bitdefender says all the machines infected during the incident were manufactured by Dell, suggesting that the threat actor deliberately chose this folder to disguise malicious activity.
This line of reasoning is supported by the fact that the threat actors registered command-and-control (C2) domains such as “dell-a(.)ntp-update(.)com” with the aim of blending in with the target environment.
The intrusions are characterized by the use of a server-side backdoor called RDStealer, which specializes in continuously collecting clipboard content and keystroke data from infected hosts.
But what makes it stand out is its ability to “monitor incoming RDP (Remote Desktop Protocol) connections and harm the remote machine if client drive mapping is activated.”
So when a new RDP client connection is detected, commands are issued by RDStealer to extract sensitive data, such as browsing history, credentials and private keys from applications such as mRemoteNG, KeePass and Google Chrome.
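As an added illustration (not code from the article or from Bitdefender's report), the following Python detector flags a server-side process reading a known credential store through a redirected RDP client drive, which is exposed to the server under the \\tsclient\<drive>\ UNC prefix. The log format, process names and paths below are constructed for the example; the credential-store file names are the default locations for the three applications the article names.

```python
import re

# Default credential-store files for the applications named in the article.
CREDENTIAL_STORES = {
    "keepass": re.compile(r"\.kdbx$", re.I),
    "chrome": re.compile(
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$", re.I),
    "mremoteng": re.compile(r"\\mRemoteNG\\confCons\.xml$", re.I),
}

# With client drive mapping enabled, the RDP client's drives appear on the
# server as \\tsclient\<letter>\... ; reads from there originate server-side.
TSCLIENT = re.compile(r"^\\\\tsclient\\[a-z]\\", re.I)

# Constructed file-access log: timestamp|process image|target file.
SAMPLE_LOG = r"""
2023-06-20T09:14:02Z|C:\Windows\explorer.exe|C:\Users\admin\Documents\notes.txt
2023-06-20T09:15:11Z|C:\Program Files\Dell\CommandUpdate\svc.exe|\\tsclient\C\Users\jdoe\Documents\work.kdbx
2023-06-20T09:15:12Z|C:\Program Files\Dell\CommandUpdate\svc.exe|\\tsclient\C\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data
2023-06-20T09:16:40Z|C:\Windows\System32\svchost.exe|\\tsclient\D\share\report.docx
2023-06-20T09:17:03Z|C:\Users\admin\AppData\Roaming\mRemoteNG\app.exe|\\tsclient\C\Users\jdoe\AppData\Roaming\mRemoteNG\confCons.xml
"""


def classify_path(path):
    """Return the credential-store type when `path` is a redirected client
    drive path pointing at a known store, otherwise None."""
    if not TSCLIENT.match(path):
        return None
    for store, pattern in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return store
    return None


def scan_file_access_log(text):
    """Parse 'timestamp|image|target' lines and return suspicious accesses
    as (timestamp, image, store, target) tuples."""
    findings = []
    for line in text.strip().splitlines():
        timestamp, image, target = line.split("|", 2)
        store = classify_path(target)
        if store:
            findings.append((timestamp, image, store, target))
    return findings


if __name__ == "__main__":
    for timestamp, image, store, target in scan_file_access_log(SAMPLE_LOG):
        print(f"{timestamp} {image} read {store} store via client drive: {target}")
```

Pair the hit with the source process location: a reader living under a directory commonly excluded from scanning (such as the Dell folder above) deserves a closer look.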
“This highlights the fact that threat actors are actively seeking credentials and stored connections to other systems,” Marin Zugec of Bitdefender said in a separate analysis.
What’s more, connected RDP clients are infected with another specialized Golang-based malware known as Logutil to maintain a persistent foothold in the victim’s network using DLL side-loading techniques and facilitate command execution.
Not much is known about the threat actor other than the fact that it has been active since at least 2020.
“Cybercriminals are constantly innovating and exploring new methods to increase the reliability and secrecy of their malicious activities,” said Zugec.
“This attack serves as a testament to the increasing sophistication of modern cyber attacks, but also underscores the fact that threat actors can leverage their new sophistication to exploit older, widely adopted technologies.”